Authentication & Identity

Tags: Authentication, AuthN, Identity Management, Login Security

Authentication & Identity vulnerabilities at a glance

What it is: Weaknesses in how users prove their identity, including weak passwords, missing multi-factor authentication, insecure session handling, and authentication bypass vulnerabilities.
Why it happens: Weak controls around authentication can allow attackers to easily take over user accounts.
How to fix: The specific fix depends on the exact vulnerability, but in general the keys are enforcing strong credentials, requiring multi-factor authentication, and closing off authentication bypass paths.

Overview

Failures in authentication mechanisms are among the most critical security issues, as they can lead to complete account compromise and unauthorized access to sensitive systems.

Modern authentication must address multiple attack vectors: weak credentials that can be guessed or stolen, session tokens that can be hijacked or fixed, OAuth flows that can be manipulated, and JWT tokens that can be forged or replayed. A robust authentication system implements defense in depth with strong password policies, multi-factor authentication, secure session management, and proper validation of all authentication tokens and flows.

sequenceDiagram
    participant Attacker
    participant App as App Server
    participant DB
    Attacker->>App: POST /login (weak password)
    App->>DB: SELECT * FROM users WHERE username=?
    DB-->>App: User record
    App->>App: Weak password check passes
    App-->>Attacker: 200 OK + session token
    Note over App: Missing: Strong password policy<br/>Missing: MFA requirement<br/>Missing: Rate limiting
A potential flow for an Authentication & Identity exploit

Where it occurs

Authentication vulnerabilities arise in account-based systems with weak password policies, insecure session handling, or improper validation of authentication and authorization flows.

Impact

Authentication failures lead to complete account takeover, unauthorized access to user data and system resources, and significant data breach risks.

Prevention

Different vulnerabilities require different prevention approaches, but the common baseline is making sure accounts have strong credentials and that session tokens are properly rotated after authentication.
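The diagram above shows a login path with three missing controls (password policy, MFA, rate limiting), and this section names a fourth (session rotation). The following is an added example, not code from Sourcery or from the original page, of a minimal login service that implements all four in plain Python standard library: a password-length and deny-list policy, PBKDF2 password hashing with a constant-time comparison, per-account lockout after repeated failures, an RFC 6238 TOTP second factor, and a fresh session token on every successful login that invalidates the user's previous session. The `AuthService` class, its method names, the policy constants and the small breached-password list are all assumptions made for illustration; the `now` parameter is passed explicitly so the lockout and TOTP logic can be exercised deterministically.

```python
import hashlib
import hmac
import os
import secrets
import struct

# Policy constants (assumed values for this example, not a recommendation from the page).
PASSWORD_MIN_LEN = 12
PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5          # failed attempts before the account is locked
LOCKOUT_SECONDS = 300     # how long the lock lasts
# Constructed stand-in for a real breached-password list.
BREACHED_PASSWORDS = {"password1234", "qwertyuiop123", "letmein12345"}


def password_meets_policy(password: str) -> bool:
    """Reject short passwords and anything on the (constructed) breach list."""
    return len(password) >= PASSWORD_MIN_LEN and password.lower() not in BREACHED_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess does not leak via timing."""
    return hmac.compare_digest(hash_password(password, salt), digest)


def totp_code(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time-step counter, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthService:
    """In-memory login service (hypothetical) wiring the four controls together."""

    def __init__(self) -> None:
        self.users = {}       # username -> {"salt", "digest", "totp_secret"}
        self.failures = {}    # username -> (failure_count, locked_until)
        self.sessions = {}    # session token -> username
        # Dummy record so unknown usernames cost the same hashing time as real ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = hash_password(secrets.token_hex(16), self._dummy_salt)

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "totp_secret": totp_secret,
        }

    def _record_failure(self, username: str, count: int, now: int) -> None:
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0
        self.failures[username] = (count, locked_until)

    def login(self, username: str, password: str, otp, now: int):
        """Returns (status, session_token); the token is only set when status is 'ok'."""
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return "locked", None          # rate limiting: do not even check the password
        if locked_until:
            count = 0                      # lockout expired, start counting again
        user = self.users.get(username)
        salt = user["salt"] if user else self._dummy_salt
        digest = user["digest"] if user else self._dummy_digest
        if not verify_password(password, salt, digest) or user is None:
            self._record_failure(username, count, now)
            return "invalid_credentials", None
        if otp is None:
            return "mfa_required", None    # first factor passed, second factor still required
        expected = totp_code(user["totp_secret"], now)
        if not hmac.compare_digest(str(otp).encode(), expected.encode()):
            self._record_failure(username, count, now)
            return "invalid_otp", None
        self.failures.pop(username, None)
        # Session rotation: drop any session already bound to this user, then issue a new token.
        for token, owner in list(self.sessions.items()):
            if owner == username:
                del self.sessions[token]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return "ok", token

    def session_user(self, token: str):
        """Resolve a session token to its user, or None if it is unknown or was rotated out."""
        return self.sessions.get(token)
```

The deliberate ordering matters: the lockout check runs before any password work, the dummy hash keeps the response time for unknown and known usernames alike, and the OTP is only evaluated after the password has been verified so a failed second factor also counts toward the lockout.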

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies authentication & identity and related vulnerabilities in your codebase.
