# Authentication Flaws

## Definition

Authentication flaws are weaknesses in how an application verifies identity. They include weak login logic, user enumeration, broken MFA flows, password reset weaknesses, credential stuffing exposure, and flawed assumptions around session/token issuance.

## Why it matters

Authentication is the front door to the app. When it fails, attackers often gain access before needing anything more advanced. These flaws also expand the attack surface for privilege escalation and account takeover.

This note is about proving identity correctly. session-management covers what happens after login succeeds, and JWT Attacks covers token-specific failure modes rather than the broader auth flow.

## Attacker perspective

Attackers test:

- login error behavior
- brute-force protections
- MFA enforcement gaps
- password reset and recovery flows
- token issuance after partial validation
- user enumeration through timing or messages

## Defender perspective

Defenders should:

- make authentication flows explicit and testable
- limit brute-force and credential stuffing impact
- harden password reset and recovery
- treat MFA as a control with edge cases, not a magic layer
- avoid leaking account existence or auth state

## Practical examples

- The app reveals whether an email exists at login.
- Password reset tokens are weak or never expire.
- MFA is enforced in the UI but not on a direct API call.
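The first and third practical examples side by side, as an added illustration that is not code from the original note: a login handler that leaks account existence and issues a session before MFA, next to a hardened version with a uniform error message, equal hashing work for unknown accounts, a per-account failure limit, and a session only after every required factor is verified. The user store, the shared salt, the `_otp_valid` stand-in and the OTP value `123456` are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this example (not data from the note).
# A single shared salt is a simplification; real stores use one salt per user.
SALT = b"constructed-salt"
MAX_ATTEMPTS = 5

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

USERS = {
    "alice@example.com": {"pw": _hash("correct horse"), "mfa": True},
    "bob@example.com": {"pw": _hash("battery staple"), "mfa": False},
}
DUMMY_HASH = _hash("dummy")  # same work for unknown accounts, so no timing oracle
FAILED = {}                   # email -> consecutive failures (in-memory for the example)

def _otp_valid(email: str, otp: str) -> bool:
    # Stand-in for a real TOTP/WebAuthn verifier; "123456" is a constructed value.
    return hmac.compare_digest(otp, "123456")

def login_leaky(email: str, password: str, otp=None) -> dict:
    """'Before' pattern: distinct errors reveal account existence, and a session
    is issued as soon as the password matches, so MFA is enforced only by the UI."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "no such account"}
    if not hmac.compare_digest(user["pw"], _hash(password)):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True, "session": secrets.token_hex(16)}

def login_hardened(email: str, password: str, otp=None) -> dict:
    """Uniform error text, equal hashing work for unknown accounts, per-account
    failure limit, and a session only after every required factor is verified."""
    user = USERS.get(email)
    expected = user["pw"] if user else DUMMY_HASH
    pw_ok = hmac.compare_digest(expected, _hash(password)) and user is not None
    mfa_ok = bool(user) and (not user["mfa"] or (otp is not None and _otp_valid(email, otp)))
    if FAILED.get(email, 0) >= MAX_ATTEMPTS or not (pw_ok and mfa_ok):
        FAILED[email] = FAILED.get(email, 0) + 1
        return {"ok": False, "error": "invalid credentials"}  # same text every time
    FAILED.pop(email, None)
    return {"ok": True, "session": secrets.token_hex(16)}
```

The hardened handler fails closed: a correct password without the second factor, or any attempt after the failure limit, gets the same `invalid credentials` response as an unknown account.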
## Related notes

- session-management
- JWT Attacks
- broken-access-control
- client-ip-trust
- cookies-and-sessions

## References

- Foundational: OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- Foundational: OWASP WSTG authentication testing: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
- Testing / Lab: PortSwigger authentication vulnerabilities: https://portswigger.net/web-security/authentication