OWASP Top Ten – #7 Identification and Authentication Failures

woman hands on keyboard

Authentication and identification failures are once again a hot topic when it comes to web application security. Known as “broken authentication” in the 2017 OWASP Top 10 list, identification and authorization failures have fallen from #2 in 2017 to #7 in the OWASP Top 10 for 2021. That said, broken authentication is still a major issue for companies and organizations. During web application penetration tests, we will often come across authentication and authorization issues. But what are authentication and authorization, and how do they differ?

Table of Contents

Identification and Authentication vs Authorization

Identification and authentication, is the process of validating that a user is who they claim to be. This validation could be performed with one or more methods including passwords, one-time pins (via SMS or email), authenticator apps or by using biometrics.

Authorization is the process of validating that the user (who has previously been authenticated) has permission to perform a particular action. This action could be the viewing of data, or of creating/updating information.

Common identification and authentication failures

There are several different identification and authentication failures that can jeopardize the security of websites and applications. A few of the most common include:

Lack of anti-automation controls

A lack of anti-automation controls allows an attacker to continually guess passwords for user accounts until they find the correct one. This can be prevented with the use of a CAPTCHA control on the logon page. You do not need to show this for all users; it’s possible to only show it after a few authentication failures. Another common method is for the account to be locked after a certain number of failed attempts. This could be a permanent lockout, requiring the user to go through a password reset process, or a temporary timed locked.

Lack of multi-factor authentication

Should an attacker discover a users’ password, multi-factor authentication – such as a one-time code emailed to the user or by the use of an authenticator app – will deny the attacker entry to the system.

Unprotected username storage

Having the username stored in a cookie that is accessible to the client without the value being protected can also cause issues. If there is no encryption on the session ID, an attacker can change the parameter to that of another user to gain access to the system. It is advisable to only store the user details on the server and use an ID value to identify the user on the client side. The client-side session cookie should be suitably protected with the use of the HTTPOnly, Secure, and SameSite cookie attributes.

Techniques used to exploit authentication failures

Attackers use a range of techniques to exploit identification and authentication failures. These can include:

  • Brute force/credential stuffing 
  • Session hijacking
  • Session fixation
  • Cross Site Request Forgery (CSRF)
  • Execution After Redirect (EAR)

Credential stuffing

Credential stuffing uses a list of known passwords, often obtained from the dark web to attempt to determine authentic credentials and gain access. Applications that do not have automated threat or credential stuffing protections in place can be used to determine valid username/password combinations which can be then tried across different websites and applications.

Session hijacking

Session hijacking attacks happen when an attacker takes over your internet session, usually by targeting browser or web application sessions.

Generally, what happens is that a person logs into an account, typically a bank account, online store, payment portal, etc. The website then installs a temporary “session cookie” in the browser which allows the user to stay logged in and complete their business. A cyber criminal can hijack this session by gaining access to the user’s valid session, often by stealing the session ID within the session cookie. Once the true user leaves, the criminal can continue to act as the user allowing them to make transactions, steal credentials, and more.

man in front of dark computer screen

Session fixation

Session fixation attacks are similar to phishing attacks in that the victim often unsuspectingly clicks on a malicious link. With session fixation, the attack begins before a user even logs into to a site or web application. The attacker will often embed a session token into a URL, hidden form field, or cookie, logging the user into a legitimate session. They will input their credentials which will then be associated with the session ID. The attacker, knowing the session ID, can access the user’s account.

Cross Site Request Forgery (CSRF)

Cross site request forgery uses social engineering to trick the user to submitting an unwanted action or malicious request. This type of attack assumes the identity and authorization of the victim to perform actions which cannot be distinguished by the website as forged. This type of attack can use GET, POST, or other types of HTML methods to unknowingly cause the user to transfer funds, change their email address, or take other actions.

Execution After Redirect (EAR)

Execution After Redirect (EAR) attacks allow an attacker to ignore a redirect and retrieve sensitive content intended only for authenticated users. This type of attack can lead to DoS server attacks, IP address spoofing attacks, and can allow the attacker to obtain administrative functionality.


Identification and authorization failures can cause serious issues for web application developers and users. One of the best ways to ensure your applications and users remain secure is through regular web application penetration testing. At Foresite, our team of security experts have the knowledge and expertise to uncover these potential vulnerabilities helping you to create a safer, more secure environment.

Robert Newman

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity.