OWASP #2 – Broken Authentication

6 May 2021 | By Jason Lu

In 2011, Netease, which used to be the largest Chinese free email service provider, suffered from a broken authentication attack, and 500 million of its username and password-hash pairs became openly available to the public. After the leak, many users reported that even after changing their password on Netease, their accounts on other websites were still compromised. Broken authentication remains a significant problem today and ranks as the second most prevalent category of attack on the OWASP Top Ten list.

Broken Authentication refers to the situation created by the prevalence of publicly available default username/password lists or by the hijacking of session IDs. These are often used to break into systems with direct attacks. In addition, any leakage of username/password data on the internet puts at risk the accounts the same user has created on other sites, since passwords are frequently reused. Besides password attacks, there are many other forms of attack related to session management utilities; these are harder to identify and can pose a higher level of threat.

You can help prevent broken authentication attacks by carefully deciding how default login credentials are handled and by making sure that, after the initial setup, the default password cannot be used for further authentication.

Example of Attack

The example below directly uses MD5 to check a password instead of salting and hashing it properly. Because unsalted MD5 maps identical passwords to identical digests, any two users of the system who happen to share a password will have the same stored hash; anyone with administrative access to the stored hashes could spot that match and then recover the user's password.
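The vulnerable pattern described above, beside a hardened form, as an added illustration in Python rather than code from the original post. The unsalted MD5 check reproduces the problem the post describes (two users with the same password store the same digest); the hardened version stores a per-user random salt together with a PBKDF2-HMAC-SHA256 digest and compares in constant time. The function names, the record format `iterations$salt$digest` and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Vulnerable pattern (the one the post describes): a bare, unsalted MD5 ---
def md5_hash(password: str) -> str:
    """Unsalted MD5: identical passwords always produce identical digests,
    so a shared password is visible to anyone who can read the hash table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    """Plain string comparison of the unsalted digest (timing-unsafe as well)."""
    return md5_hash(password) == stored

# --- Hardened pattern: per-user random salt + PBKDF2-HMAC-SHA256 ---
PBKDF2_ITERATIONS = 600_000   # assumption: tune to your own hardware budget

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$digest_hex'.
    A fresh 16-byte random salt is drawn per user unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count,
    then compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

def same_password_collides(scheme: str, password: str = "Winter2021!") -> bool:
    """Do two users who chose the same (constructed) password end up with
    an identical stored value? True for unsalted MD5, False for salted PBKDF2."""
    if scheme == "md5":
        return md5_hash(password) == md5_hash(password)
    return make_record(password) == make_record(password)

if __name__ == "__main__":
    print("unsalted MD5 collides:", same_password_collides("md5"))
    print("salted PBKDF2 collides:", same_password_collides("pbkdf2"))
    rec = make_record("hunter2")
    print("stored record:", rec)
    print("correct password verifies:", verify_record("hunter2", rec))
    print("wrong password verifies:", verify_record("hunter3", rec))
```

The salt does not need to be secret, only unique per user; its job is to make equal passwords produce different digests and to defeat precomputed tables. PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt or Argon2 is the stronger choice where available.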

Broken authentication attacks are common and can be devastating to an organization. They are also highly preventable.
