OWASP Top 10: Identification and Authentication Failures

Amit Sheps, Director of Product Marketing

Identification and authentication are essential to data security and cybersecurity. Without the ability to validate a user’s identity, it’s difficult to differentiate between legitimate and malicious activities on a system.

Identification and authentication failures cover weaknesses in how an application establishes and protects user identity. For example, an application might fail to properly validate a user’s identity, or it might leave its login, password-reset, or session-management functions open to credential stuffing and similar attacks.

What is the Risk?

User identification and authentication are essential to ensuring strong cybersecurity. Protecting confidentiality, integrity, and availability requires the ability to differentiate between normal user activity and potential unauthorized access and attacks against a system.

If an application doesn’t implement strong user authentication, an attacker may be able to masquerade as a legitimate user of the system and take advantage of the access and privileges assigned to that user. This could result in data breaches, Denial of Service (DoS), and similar threats to the system.

Examples of Attack Scenarios

Identification and authentication errors can be exploited in various ways, including the following:

Credential Stuffing

Ideally, a system user will use a strong, unique password for each of their accounts. In reality, it’s common for users to select weak, easily remembered passwords or to reuse the same password across multiple systems.

Cybercriminals take advantage of this practice in credential stuffing attacks where automated bots try to authenticate to a system using a list of breached credentials from other sites. If the application doesn’t implement rate limiting, bot prevention, or other defenses against automated attacks, the attacker is likely to succeed eventually. This gives the attacker access to one or more user accounts, resulting in data breaches or abuse of restricted functionality.
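The pattern described above has a recognisable signature in authentication logs: one source trying many *distinct* usernames with a high failure rate, unlike a real user mistyping their own password. The following added example (not part of the original article) detects that signature in constructed log lines and applies the per-source rate limiting the paragraph recommends; the log format, thresholds, and IP addresses are all assumptions made for the example.

```python
"""Detect credential-stuffing patterns in auth logs and enforce a per-source
sliding-window rate limit.  Log format and sample data are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a bot rotating breached credentials from 203.0.113.5,
# and a real user (bob) who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z result=fail user=alice src=203.0.113.5
2024-03-01T10:00:02Z result=fail user=carol src=203.0.113.5
2024-03-01T10:00:02Z result=fail user=dave src=203.0.113.5
2024-03-01T10:00:03Z result=fail user=erin src=203.0.113.5
2024-03-01T10:00:04Z result=ok user=frank src=203.0.113.5
2024-03-01T10:00:05Z result=fail user=bob src=198.51.100.7
2024-03-01T10:00:09Z result=fail user=bob src=198.51.100.7
2024-03-01T10:00:15Z result=ok user=bob src=198.51.100.7
"""

def parse(line):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def stuffing_sources(log, min_attempts=4, min_users=3, fail_ratio=0.5):
    """Sources that tried many distinct usernames and mostly failed."""
    attempts, users, fails = defaultdict(int), defaultdict(set), defaultdict(int)
    for e in map(parse, log.splitlines()):
        attempts[e["src"]] += 1
        users[e["src"]].add(e["user"])
        fails[e["src"]] += int(e["result"] == "fail")
    return sorted(s for s in attempts
                  if attempts[s] >= min_attempts and len(users[s]) >= min_users
                  and fails[s] / attempts[s] >= fail_ratio)

class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key within `window` seconds."""
    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, timedelta(seconds=window)
        self.hits = defaultdict(deque)          # key -> timestamps in window

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop expired attempts
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def replay(log, limit=3, window=60):
    """Replay the log through the limiter; return users whose attempt is blocked."""
    lim = SlidingWindowLimiter(limit, window)
    return [e["user"] for e in map(parse, log.splitlines())
            if not lim.allow(e["src"], e["ts"])]
```

Note that the limiter blocks the fourth and fifth attempts from the bot’s address, including the one that would have succeeded, while bob’s three attempts pass.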

Password Resets

Applications and websites commonly provide a mechanism for a user who has forgotten their password to regain access to their account. However, if these systems rely on knowledge-based recovery questions, they are vulnerable to attack.

For example, recovery questions commonly ask about past addresses, family, vehicles, or pets. If this information isn’t already a matter of public record, it is likely published somewhere on social media. An attacker may be able to learn the correct answers, reset the user’s password to something that they know, and abuse their access to the user’s account.

Session Hijacking

Applications commonly use session identifiers to track the state of a user’s session after they successfully authenticate. This eliminates the need for the user to enter their credentials on each page while protecting access to sensitive functionality.

However, this session identifier needs to be kept secret and treated as just as sensitive as the user’s real credentials. For example, if a session identifier is included in a URL, an attacker may be able to see the URL that a user visits by sniffing network traffic or monitoring firewall logs. If this is the case, the attacker can take over the user’s session, gaining access to the account without ever authenticating.

Case Study: Microsoft Exchange

In 2021, it was discovered that the Play ransomware gang was exploiting a vulnerability in Microsoft Exchange Server to achieve remote code execution (RCE). With Remote PowerShell, the attackers were able to exploit the vulnerability tracked as CVE-2022-41082, granting them unauthorized access to Outlook Web App (OWA).

The widespread use of Microsoft OWA meant that many organizations were impacted by the incident. With the ability to execute malicious code on the vulnerable systems, the attackers were able to deploy ransomware, steal sensitive data, and perform Denial of Service (DoS) attacks against the affected organizations’ email systems.

How to Remediate Identification and Authentication Failures

Identification and authentication security is vital to application security. Some best practices to help avoid common errors include:

  • Implement Multi-Factor Authentication (MFA): MFA helps to manage the security risks of weak passwords by requiring a user to provide multiple factors to authenticate. This makes it more difficult to perform credential stuffing, brute force password guessing, and similar automated attacks.
  • Disable Default Credentials: Default credentials, such as admin/admin, are well known to attackers and a common target for password-guessing attacks. These default settings should always be disabled in production software to prevent account takeover attacks.
  • Enforce Password Security: Many account takeover attacks take advantage of the fact that users have weak or reused passwords. Enforcing a minimum password length and checking new passwords against lists of breached credentials can help protect a user’s account.
  • Protect Authentication Information: Passwords, session identifiers, API keys, and other sensitive authentication data should be protected against potential disclosure. For example, passwords should be salted and hashed, and session identifiers should be randomly generated and securely stored (not in the URL).
  • Defend Against Automated Attacks: Automated attacks like credential stuffing and password guessing exploit poor password security. Implementing rate limiting on authentication can help make these attacks slower and more difficult to perform.
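The “Enforce Password Security” and “Protect Authentication Information” items above, together with the session hijacking scenario earlier, translate into a small amount of concrete code. This added example (not the article’s own) shows a length and breached-password check, salted PBKDF2 hashing with constant-time verification, and a randomly generated session identifier delivered in a cookie rather than a URL; the breached-hash set, minimum length, and iteration count are assumptions made for the example.

```python
"""Password policy, salted storage, and session-id generation.  Added
example; the breached-password set below is constructed, not real data."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a breached-credential corpus, kept as SHA-1
# digests so plaintext passwords never sit in the application.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password123", "admin", "qwerty123456")}

MIN_LENGTH = 12            # assumed policy value
PBKDF2_ITERATIONS = 600_000  # assumed work factor

def password_problems(pw):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in breached-credential list")
    return problems

def hash_password(pw, salt=None):
    """Salt with 16 random bytes and run PBKDF2-HMAC-SHA256.
    The record stores algorithm, iterations, salt, and digest so the
    work factor can be raised later without breaking old records."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    calc = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                               bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))

def new_session_id():
    """256 bits from the OS CSPRNG: unguessable, unlike a counter or timestamp."""
    return secrets.token_urlsafe(32)

def session_cookie_header(session_id):
    """Deliver the id as a Secure, HttpOnly cookie, never in the URL."""
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```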

How IONIX Can Help

The OWASP Top Ten list details the most common vulnerabilities in modern and emerging web applications. And while identification and authentication failures may not be the most common, they are one of the most impactful. A failure to implement strong, secure authentication makes it difficult to differentiate legitimate use from potential attacks and may grant attackers unauthorized access to sensitive data or functionality.

The IONIX platform helps organizations manage the risks of these and other OWASP vulnerabilities via proactive risk assessments. During these assessments, IONIX simulates attacks against common vulnerabilities and errors, bringing them to light and enabling remediation. To learn more about bringing your organization’s digital attack surface under control with IONIX, sign up for a free demo.