20.3. Application Attacks
Improper Authentication
When an application fails to properly verify a user’s identity before allowing access to sensitive actions or data.
Examples of Improper Authentication
- Accessing authenticated pages (e.g., all_posts.php) without logging in.
- No rate limiting on OTP (One-Time Password) fields → an attacker can brute-force all 10,000 possible 4-digit codes.
- OTPs or passwords accepted without actually being checked against the value the server issued or stored, so the login step can be skipped.
🛡 Why is Improper Authentication dangerous?
- Can lead to account takeovers, data breaches, and unauthorized access.
🔧 Mitigations for Improper Authentication:
- Enforce authentication before access to any protected resource.
- Add rate limiting (e.g., a maximum number of attempts per minute) and invalidate an OTP after a small number of failed guesses.
- Use CAPTCHAs to stop bots.
- Implement Multi-Factor Authentication (MFA).
- Use trusted identity providers (SSO, OpenID Connect on top of OAuth 2.0) instead of hand-rolled login code; note that OAuth by itself is an authorization framework, not an authentication protocol.
- Test regularly for authentication bypass flaws.
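The OTP brute-force example above and the rate-limiting mitigation, shown side by side in a small Python demo. This is an added illustration, not code from the original notes: `OtpVerifier`, `brute_force` and the attempt budget `MAX_FAILED_ATTEMPTS` are all assumed names, and the 4-digit code used for the demo is constructed. With `rate_limited=False` the attacker walks all 10,000 codes and wins; with `rate_limited=True` the code is burned after a handful of failures and the attacker is stopped.

```python
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5  # assumed budget for the demo; keep it small in practice


class OtpVerifier:
    """Toy server-side check for a 4-digit OTP.

    rate_limited=False reproduces the flaw from the notes (unlimited guesses).
    rate_limited=True counts failures and invalidates the code once the
    budget is exhausted, so the user must request a fresh OTP.
    """

    def __init__(self, rate_limited):
        self.rate_limited = rate_limited
        self._codes = {}     # user -> pending 4-digit code
        self._failures = {}  # user -> consecutive failed attempts

    def issue(self, user, code=None):
        # In production the code is delivered out of band (SMS, app).
        # The optional `code` argument only makes demos/tests deterministic.
        if code is None:
            code = f"{secrets.randbelow(10_000):04d}"
        self._codes[user] = code
        self._failures[user] = 0
        return code

    def verify(self, user, submitted):
        expected = self._codes.get(user)
        if expected is None:
            return "no_pending_code"  # never issued, already used, or invalidated
        # Constant-time comparison; non-string input is rejected outright.
        if isinstance(submitted, str) and hmac.compare_digest(expected, submitted):
            del self._codes[user]     # single use: a correct code cannot be replayed
            self._failures[user] = 0
            return "ok"
        if self.rate_limited:
            self._failures[user] += 1
            if self._failures[user] >= MAX_FAILED_ATTEMPTS:
                del self._codes[user]  # burn the code; guessing the rest is pointless
                return "invalidated"
        return "rejected"


def brute_force(verifier, user):
    """Attacker loop: submit every 4-digit code in order until something stops it.

    Returns (outcome, attempts_used).
    """
    for guess in range(10_000):
        outcome = verifier.verify(user, f"{guess:04d}")
        if outcome == "ok":
            return ("compromised", guess + 1)
        if outcome in ("invalidated", "no_pending_code"):
            return ("blocked", guess + 1)
    return ("failed", 10_000)


if __name__ == "__main__":
    # Constructed demo code; in reality the attacker does not know it.
    for limited in (False, True):
        v = OtpVerifier(rate_limited=limited)
        v.issue("alice", code="7315")
        print(f"rate_limited={limited}: {brute_force(v, 'alice')}")
```

Burning the code after a few failures is stronger than a per-minute throttle alone, because a patient attacker can wait out a throttle but cannot guess a code that no longer exists. The "request a new OTP" endpoint must then be rate limited too, otherwise the attacker simply re-issues codes until one lands inside the attempt budget.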