OWASP A2
Application functions related to authentication and session management are often implemented incorrectly.
Allow attackers to compromise password, keys, or session tokens, or to exploit other implementation flaws.
Attackers may assume other users' identities temporarily or permanently.
Prevalence is widespread.
due to the operation of most identity and access controls.
Session management is the bedrock of authentication and access controls.
present in all stateful applications.
Attackers can detect broken authentication using manual means.
Attackers can exploit them using automated tools.
There are extensive password lists and dictionary attack tools.
Changes in the OWASP ranking
Services evolving from monolithic server applications to microservices.
Proliferation of HTTP and REST to implement APIs.
Applications are evolving to Progressive Web Applications.
Single HTML page for entire application.
Lots of Javascript based logic.
Resources provided through REST APIs.
Services exposed to the Internet, used directly by clients.
Impact:
Logic is moving towards clients.
State anchors are kept in the clients.
Last updated