Broken Authentication: Definition, How It Works & Prevention | PowerWAF

How Broken Authentication Works

Broken authentication exploits fundamental flaws in how applications verify user identity and manage authenticated sessions. Unlike targeted attacks like brute force or credential stuffing, broken authentication describes systemic weaknesses in authentication architecture — the design decisions and implementation errors that make those targeted attacks possible. A single broken authentication flaw can undermine an entire application's security model, because authentication is the gateway to all authorized functionality.

Reconnaissance and endpoint discovery

The attacker maps the authentication surface: login pages, registration forms, password reset flows, API authentication endpoints, OAuth callbacks, SSO integrations, and session management mechanisms. They identify which authentication methods are supported (passwords, MFA, biometrics, API keys) and look for legacy or deprecated endpoints that may have weaker protections.

Identify authentication weaknesses

The attacker probes for common flaws: Does the application permit weak passwords (e.g., 'password123')? Are there account lockout mechanisms after failed attempts? Does the password reset flow leak information or use predictable tokens? Are session tokens generated with sufficient entropy? Are credentials transmitted over unencrypted channels? Does the login page reveal whether a username exists via different error messages?

Exploit credential management flaws

If the application uses weak password hashing (MD5, SHA1 without salt), stores credentials in plaintext, or transmits them without TLS, the attacker can intercept or crack passwords. Default credentials on admin interfaces (admin/admin, root/toor) are tested. Password reset tokens are analyzed for predictability — sequential tokens, timestamp-based tokens, or tokens with insufficient randomness can be forged.

Exploit session management weaknesses

Session tokens are analyzed for predictability and proper lifecycle management. Weaknesses include: session IDs in URLs (visible in referrer headers and logs), tokens that don't rotate after login (session fixation), sessions that don't expire or have excessively long timeouts, tokens transmitted without Secure/HttpOnly flags, and sessions not invalidated on logout or password change.

Achieve unauthorized access

The attacker leverages discovered weaknesses to gain access: forging session tokens, replaying intercepted credentials, exploiting password reset flows, or hijacking sessions through XSS combined with missing HttpOnly flags. Once authenticated as another user, they access sensitive data, perform privileged operations, or establish persistent access through backdoor accounts.

Real-World Examples

2022

Uber internal systems breach

An 18-year-old attacker gained access to Uber's internal systems by purchasing stolen credentials from the dark web and then socially engineering an employee to approve an MFA push notification. The attacker accessed Uber's Slack, Google Workspace, AWS console, HackerOne bug bounty dashboard, and internal financial tools. The incident demonstrated how broken authentication extends beyond passwords — MFA fatigue attacks exploit the human element in authentication flows.

2019

Citrix ADC credential exposure

A path traversal vulnerability in Citrix Application Delivery Controller (CVE-2019-19781) allowed unauthenticated attackers to access credential files and session tokens. The vulnerability affected over 80,000 organizations in 158 countries. Attackers used exposed credentials to access internal networks, demonstrating how credential storage flaws cascade into full infrastructure compromise.

2021

Microsoft Exchange SSRF to authentication bypass

The ProxyLogon vulnerability chain (CVE-2021-26855) in Microsoft Exchange Server allowed attackers to bypass authentication entirely using server-side request forgery. Attackers impersonated the Exchange server to authenticate as any user without credentials, accessed email, installed web shells, and exfiltrated data. Over 250,000 servers were compromised worldwide, affecting government agencies, defense contractors, and critical infrastructure.

Impact & Risk Assessment

Broken authentication is consistently ranked among the most critical web application vulnerabilities because it directly undermines the fundamental security boundary between authenticated and unauthenticated users. Successful exploitation grants attackers the same access as legitimate users — or administrators — without triggering authorization controls. Impact includes mass account takeover, unauthorized access to sensitive data, financial fraud, identity theft, regulatory violations (GDPR, HIPAA, PCI DSS), and reputational destruction. In enterprise environments, compromised authentication can provide the initial foothold for advanced persistent threats (APTs), enabling lateral movement, privilege escalation, and long-term data exfiltration. The 2023 Verizon Data Breach Investigations Report found that stolen credentials were involved in 49% of all data breaches.

How to Detect Broken Authentication

Monitor authentication systems for anomalous patterns: high rates of failed login attempts, successful logins from unusual geographic locations or IP addresses, simultaneous active sessions from different locations, logins outside normal business hours, and password reset requests for accounts without subsequent password changes. Implement session anomaly detection to identify stolen or forged tokens — sudden changes in user agent, IP address, or device fingerprint mid-session indicate session hijacking. Log all authentication events with contextual metadata (IP, user agent, device ID, geolocation) and implement real-time alerting on high-risk authentication patterns. Conduct regular audits of credential storage to ensure proper hashing algorithms and salt usage. Test password reset flows for information leakage and token predictability.

How to Prevent Broken Authentication

Implement multi-factor authentication (MFA) for all user accounts, especially administrative access — MFA mitigates the majority of credential-based attacks. Enforce strong password policies: minimum 12 characters, check against known breach lists (HaveIBeenPwned), and prevent common password patterns. Use bcrypt, scrypt, or Argon2id for password hashing with appropriate work factors. Implement proper session management: generate cryptographically random session tokens (minimum 128 bits of entropy), rotate tokens after authentication, set appropriate expiration times, and invalidate sessions on logout and password change. Set Secure, HttpOnly, and SameSite attributes on session cookies. Implement account lockout with exponential backoff after failed attempts. Use secure password reset flows with time-limited, single-use, cryptographically random tokens. Implement rate limiting on all authentication endpoints. Regular security testing should include authentication-specific test cases covering credential management, session handling, and authentication bypass scenarios.

Code Examples

Vulnerable: Weak session management
import hashlib
import time

# VULNERABLE: Predictable session token generation
def create_session_vulnerable(user_id):
    # Token based on timestamp + user_id — predictable!
    token = hashlib.md5(f"{time.time()}{user_id}".encode()).hexdigest()
    return token

# VULNERABLE: Session doesn't expire, no rotation
sessions = {}

def login_vulnerable(username, password):
    user = db.query("SELECT * FROM users WHERE username = %s", (username,))
    # Weak: plain comparison, no hashing
    if user and user.password == password:
        token = create_session_vulnerable(user.id)
        sessions[token] = {'user_id': user.id}  # Never expires!
        return token
    return None

Secure: Robust authentication implementation
import secrets
import bcrypt
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(hours=1)
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=15)

def hash_password(password):
    """Hash password with bcrypt (work factor 12)"""
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password, hashed):
    """Constant-time password verification"""
    return bcrypt.checkpw(password.encode(), hashed)

def create_session_secure(user_id):
    """Generate cryptographically random session token"""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    session_store.set(token, {
        'user_id': user_id,
        'created_at': datetime.utcnow(),
        'last_activity': datetime.utcnow(),
        'ip': request.remote_addr,
        'user_agent': request.headers.get('User-Agent')
    }, ex=int(SESSION_TIMEOUT.total_seconds()))
    return token

def login_secure(username, password):
    """Secure login with rate limiting and session rotation"""
    # Check account lockout
    attempts = get_failed_attempts(username)
    if attempts >= MAX_FAILED_ATTEMPTS:
        lockout_until = get_lockout_time(username)
        if datetime.utcnow() < lockout_until:
            raise AuthError('Account temporarily locked')

    user = db.query("SELECT * FROM users WHERE username = %s", (username,))
    
    # Constant-time response whether user exists or not
    if not user or not verify_password(password, user.password_hash):
        increment_failed_attempts(username)
        # Generic message — don't reveal if username exists
        raise AuthError('Invalid username or password')

    # Reset failed attempts on success
    reset_failed_attempts(username)
    
    # Invalidate any existing sessions (prevent session fixation)
    invalidate_user_sessions(user.id)
    
    # Generate new session token
    token = create_session_secure(user.id)
    
    # Audit log
    log_auth_event('login_success', user.id, request.remote_addr)
    
    return token

Secure: Session cookie configuration (Express.js)
const session = require('express-session');
const RedisStore = require('connect-redis').default;
const crypto = require('crypto');

app.use(session({
  store: new RedisStore({ client: redisClient }),
  
  // Cryptographically random secret
  secret: process.env.SESSION_SECRET,
  
  // Session configuration
  name: '__Host-sid',  // __Host- prefix enforces Secure + no Domain
  resave: false,
  saveUninitialized: false,
  
  cookie: {
    secure: true,      // HTTPS only
    httpOnly: true,     // No JavaScript access
    sameSite: 'lax',   // CSRF protection
    maxAge: 3600000,   // 1 hour expiration
    path: '/',
  },
  
  // Generate secure session IDs
  genid: () => crypto.randomBytes(32).toString('hex'),
  
  // Rolling expiration — extends on activity
  rolling: true,
}));

// Rotate session ID after authentication
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body);
  if (!user) return res.status(401).json({ error: 'Invalid credentials' });

  // Regenerate session to prevent fixation
  req.session.regenerate((err) => {
    if (err) return res.status(500).json({ error: 'Session error' });
    req.session.userId = user.id;
    req.session.loginTime = Date.now();
    res.json({ success: true });
  });
});

// Proper logout — destroy session server-side
app.post('/logout', (req, res) => {
  req.session.destroy((err) => {
    res.clearCookie('__Host-sid');
    res.json({ success: true });
  });
});

Strengthen your defenses against Broken Authentication with PowerWAF.

Comprehensive web application security with WAF, rate limiting, and real-time threat monitoring.

Start Free See Documentation

Free plan spots are limited

Frequently Asked Questions

Broken authentication deals with verifying who a user is — flaws in login, session management, and credential handling. Broken access control deals with what an authenticated user is allowed to do — flaws in authorization checks, privilege enforcement, and resource access policies. Authentication answers 'Are you who you claim to be?' while access control answers 'Are you allowed to do this?' Both are critical, but broken authentication is often more severe because it can bypass all access controls by impersonating a privileged user.

MFA dramatically reduces risk but doesn't eliminate it entirely. Sophisticated attacks can bypass MFA through: real-time phishing proxies (tools like Evilginx2 that intercept MFA tokens), MFA fatigue attacks (repeatedly sending push notifications until the user approves), SIM swapping for SMS-based MFA, social engineering help desk staff to reset MFA, and exploiting session tokens after MFA is completed. Phishing-resistant MFA (FIDO2/WebAuthn hardware keys) provides the strongest protection.

Passwords must be hashed using adaptive one-way functions designed for password storage: Argon2id (recommended by OWASP), bcrypt (widely supported), or scrypt. Never use fast hashing algorithms (MD5, SHA-1, SHA-256) even with salts — they're too fast for password hashing and can be cracked at billions of attempts per second with GPUs. Use unique random salts per password (handled automatically by bcrypt/Argon2id). Set appropriate cost factors: bcrypt work factor ≥10, Argon2id with ≥19 MiB memory, ≥2 iterations.

Secure session tokens must be: generated using a cryptographically secure random number generator (CSPRNG) with at least 128 bits of entropy, transmitted only over HTTPS (Secure flag), inaccessible to JavaScript (HttpOnly flag), restricted to same-site requests (SameSite flag), rotated after authentication level changes, expired after a reasonable inactivity timeout, and invalidated server-side on logout. Avoid exposing tokens in URLs, logs, or error messages.

A WAF provides limited protection against broken authentication. It can detect and block brute force attempts, credential stuffing patterns, and some session manipulation techniques. However, broken authentication is fundamentally an application design problem — weak password policies, insecure session management, missing MFA, and credential storage flaws must be fixed in the application code. A WAF is a valuable defense layer but cannot compensate for architectural authentication weaknesses.