OWASP Top 2 – Broken Authentication


Broken Authentication, number two in the OWASP Top 10, is considered the second most commonly exploited category of website vulnerability.

This type of vulnerability is widespread because most identity and access controls are poorly designed and implemented. Attackers can detect it with manual procedures and exploit it with automated tools that perform brute-force and dictionary attacks.

Most authentication attacks succeed because passwords are still used as the sole factor. Poorly designed rotation policies and password complexity requirements are among the other causes of this type of vulnerability.

OWASP Top 2 – Anatomy of a Website Attack

Let us analyze a simple attack that breaches a website’s authentication system using OWASP-ZAP:

With the website proxied through OWASP-ZAP, we enter any username and password and click “Login” so that ZAP captures the “POST” request.

This is the initial setup for attacking the authentication system of most web applications. Next, we attach word lists of usernames and passwords to the two parameters (USER and PASS).

Now we are ready to find the username and password without knowing them beforehand.

OWASP-ZAP identified three candidate combinations, distinguished from the rest by a different response size.

We try the first username and password combination “admin, P4ssw0rd” and gain access to a system that we are not authorized to enter…

…and the authentication system has been compromised. This is one of the many attacks related to authentication systems.
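The walkthrough above shows the attack from the client side. On the server side the same activity leaves a distinctive trace: a burst of POST requests to the login endpoint from one client, almost all with the same status and response size, and then one response that differs. The following Python is an added example, not code from the original post or from RedDefense Global, that applies that heuristic to web-server access logs. The log format (Apache combined), the login path, the thresholds and the sample lines are all constructed assumptions.

```python
"""Spot credential brute forcing in web-server access logs.

Added example (not from the original post or RedDefense Global). It flags a
client that sends many POST requests to the login path inside a short window
and reports whether the last response in the burst differs from the others,
which is the same "different size response" signal the ZAP walkthrough uses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined"-style line; assumption for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client fails six times in a few seconds, then the
# seventh attempt gets a redirect (a different status and size). A second
# client logs in once and is not interesting.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:06 +0000] "POST /login HTTP/1.1" 200 1532
203.0.113.7 - - [10/Mar/2024:09:00:07 +0000] "POST /login HTTP/1.1" 302 214
198.51.100.4 - - [10/Mar/2024:09:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2024:09:00:05 +0000] "POST /login HTTP/1.1" 200 1532
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], TS_FMT),
        "method": d["method"],
        "path": d["path"],
        "status": int(d["status"]),
        "size": int(d["size"]),
    }


def find_bruteforce(lines, login_path="/login", threshold=5, window=timedelta(seconds=60)):
    """Return {ip: finding} for clients with >= threshold login POSTs in any window.

    finding = {"attempts": n, "baseline": (status, size) seen most often,
               "outcome_changed": True if the last response differs from the baseline}
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted attempts; keep the densest window.
        start, best = 0, None
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1] - best[0] + 1):
                best = (start, end)
        if best is None:
            continue
        burst = recs[best[0]:best[1] + 1]
        shapes = Counter((r["status"], r["size"]) for r in burst)
        baseline = shapes.most_common(1)[0][0]
        last = (burst[-1]["status"], burst[-1]["size"])
        findings[ip] = {
            "attempts": len(burst),
            "baseline": baseline,
            "outcome_changed": last != baseline,
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

An `outcome_changed` finding is the one to act on first: it is the signature of a guessing run that ended in a successful login, so the account involved should be treated as compromised until verified. Run against real logs, the login path, status codes and thresholds need to match the application.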

The reasons why this type of attack succeeds:

The time-out setting is not configured correctly on many authentication systems.

Have you noticed that sometimes, after entering your credentials on a website, closing the browser and reopening the site later, you are still logged on? That is a timeout setting problem. Now, if you do the same on a public computer, the next person who sits down at it could open the website and reach every company resource connected to it USING YOUR PROFILE.

The username and password have never been changed since the system was installed for production.

Printers, Tomcat servers, routers, firewalls, Wi-Fi systems and the like. This problem is especially dangerous when the system can execute commands on other servers, as the Jenkins application or ESET Antivirus can, to name a few.

Weak passwords.

When was the last time the credentials of the company’s applications were audited? Do you know every application on your production systems that requires authentication? Do you know whether those applications use weak passwords? We ask because we have seen countless applications with passwords such as 1234, 123456 or 654321 and the default username “Admin”.

To increase the security of a production environment, those weak passwords must be changed to more complex ones.

The system accepts INFINITE failed login attempts.

Brute-force attacks succeed because administrators do not set lockout policies; without them, attackers can try countless usernames and passwords until they find the correct combination.
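The four reasons listed above map directly onto four server-side controls: an idle timeout that ends abandoned sessions, a denylist that rejects default and weak passwords when they are set, a lockout after repeated failures, and a login response that looks the same for every kind of failure so the attacker’s response-size trick gets nothing to work with. The Python below is an added example that is not code from the original post or from RedDefense Global; the class names, thresholds and denylist are assumptions chosen for illustration, and a real deployment would persist the state and use a vetted password-hashing library. The clock is passed in explicitly so the behaviour is reproducible.

```python
"""A minimal login service with lockout, idle timeout and a password denylist.

Added example, not the original post's code. Thresholds and the denylist are
assumptions; "now" is a float timestamp supplied by the caller.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_FAILURES = 5                 # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60        # how long a locked account stays locked
IDLE_TIMEOUT_SECONDS = 15 * 60   # inactivity after which a session is dropped
PBKDF2_ITERATIONS = 100_000      # illustrative; tune to the deployment's hardware
# Weak/default values named in the post plus a few common ones (assumed list).
DENYLIST = {"1234", "123456", "654321", "password", "admin", "p4ssw0rd"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_acceptable(password, username):
    """Denylist check in the spirit of NIST 800-63B 5.1.1: no known-weak or default values."""
    p = password.lower()
    return len(password) >= 8 and p not in DENYLIST and p != username.lower()


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_seen: float


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def create_user(self, username, password):
        if not password_acceptable(password, username):
            raise ValueError("password is on the denylist or too short")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username, password, now):
        """Return a session token, or None on any failure.

        Every failure returns the same value so the response does not reveal
        whether the user exists, the password was wrong, or the account is locked.
        """
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # spend the same time for unknown users
            return None
        if now < acct.locked_until:
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return None
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        return token

    def user_for(self, token, now):
        """Resolve a token to a user; sessions idle past the timeout are dropped."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user

    def logout(self, token):
        self.sessions.pop(token, None)
```

The lockout here is per account, which stops the single-account guessing the post demonstrates but not a slow spray of one password across many accounts; that case is where the per-client rate limiting and log monitoring belong.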

This type of attack can be considerably more complex. Other techniques involve manipulating session identifiers, tokens and cookies to gain unauthorized access.

How can RedDefense Global help me to make sure my systems are safe?

RedDefense Global will put your corporate websites and databases to the test. We use advanced scanners, manual penetration testing, and different techniques and procedures that may include crawling, rough tampering, code review, and folder permissions. We do all of this in coordination with your internal staff in charge of your information systems. These procedures are necessary to find out if the potential vulnerabilities are false positives or real vulnerabilities. If they are real vulnerabilities, we will provide you with effective methods to patch, update or remove the vulnerability according to the situation to keep your environment safe.

Additional resources regarding this type of attack

Vulnerabilities based on CWE Ranking.

NIST 800-63b: 5.1.1 Memorized Secrets

CWE-287: Improper Authentication

CWE-384: Session Fixation