OWASP #2 – Broken Authentication

6 May 2021 | By Jason Lu

In 2011, Netease, which used to be the largest Chinese free email service provider, suffered a broken authentication attack, and 500 million username/password-hash combinations became openly available to the public. After the leak, many users reported that even after changing their password on Netease, their accounts on other websites still got hacked. Broken authentication remains a significant problem today and ranks as the second most prevalent form of attack on the OWASP Top Ten list.

Broken Authentication refers to the situation created by the prevalence of publicly available default username/password lists or by the hijacking of session IDs. These are often used to crack systems with direct attacks. In addition, any leakage of username/password data on the internet puts at risk the accounts the same user has created on other sites. Besides password attacks, there are many other forms of attack related to session management utilities, which are also harder to identify and can pose a higher level of threat.

You can help prevent broken authentication attacks by carefully deciding how default login credentials are handled and by making sure that, after the initial setup, the default password is no longer accepted for authentication.

Example of Attack

The example below directly uses MD5 to check a password instead of salting it properly. Because unsalted hashes of the same password are identical, if any user of the system happens to choose a password that someone else also uses, there is a high chance that anyone with administrative access to the stored hashes could notice the matching values and recover that user's password.
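As an added illustration (not code from the original post), the Python snippet below contrasts an unsalted MD5 check with a salted, slow-KDF check. The user names and passwords are constructed sample data; `duplicate_hashes` shows what someone reading the credential table would see in each case.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: alice and bob chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

def md5_store(users):
    """Vulnerable: unsalted MD5, so identical passwords give identical hashes."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}

def md5_verify(store, user, password):
    """Vulnerable check matching the text: compare raw MD5 of the input."""
    return store.get(user) == hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(users, iterations=200_000):
    """Hardened: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, digest)
    return store

def pbkdf2_verify(store, user, password):
    """Hardened check: recompute with the stored salt, compare in constant time."""
    rec = store.get(user)
    if rec is None:
        # Run the KDF anyway so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, 1000)
        return False
    salt, iterations, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def duplicate_hashes(store):
    """Groups of users whose stored value is identical (visible to anyone reading the table)."""
    seen = {}
    for u, v in store.items():
        key = v if isinstance(v, str) else v[2]
        seen.setdefault(key, []).append(u)
    return [names for names in seen.values() if len(names) > 1]
```

With the MD5 store, `duplicate_hashes` exposes that alice and bob share a password; with the salted store it returns nothing, because each record uses its own random salt.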

Broken authentication attacks are common and can be devastating to an organization. They are also highly preventable.


To learn more about OWASP and how Xcalscan can help you prevent them, click here.
