Category: OWASP Top Ten 2017 Category A2 - Broken Authentication
Incomplete
Summary
Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-256 | Plaintext Storage of a Password | This vulnerability occurs when an application stores user passwords as readable text instead of using secure, one-way hashing. This insecure practice exposes credentials in memory, files, or databases where attackers can easily retrieve them. |
| CWE-287 | Improper Authentication | Improper Authentication occurs when a system fails to properly verify a user's claimed identity, allowing access without sufficient proof of who they are. |
| CWE-308 | Use of Single-factor Authentication | Relying solely on single-factor authentication, like a password, exposes systems to significant security risks because it depends on only one type of proof for verifying a user's identity. |
| CWE-384 | Session Fixation | Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker who knows that session identifier to hijack the user's authenticated session. |
| CWE-522 | Insufficiently Protected Credentials | This vulnerability occurs when an application handles sensitive credentials like passwords or API keys in an insecure way, making them easy for attackers to steal during transmission or while stored. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-613 | Insufficient Session Expiration | Insufficient session expiration occurs when an application allows old session tokens or IDs to remain valid for too long, letting attackers reuse them to gain unauthorized access. |
| CWE-620 | Unverified Password Change | This vulnerability occurs when an application allows a user to set a new password without first verifying their identity through the old password or a secure secondary authentication method. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | This vulnerability occurs when an application's password reset or recovery feature is poorly designed or implemented, allowing attackers to bypass authentication and hijack user accounts. |
| CWE-1026 | Weaknesses in OWASP Top Ten (2017) | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.