Deepshikha Paty
DI-ASM
What is Broken User Authentication (BUA)?
It happens when an app or API doesn’t properly check login credentials (like email & password).
This allows attackers to log in as someone else or get access they shouldn’t have.
How does it happen?
- The API only checks the email address and ignores the password.
- Hackers can just guess or find someone’s email and log in without a password.
- This can lead to data leaks, changes, or full account takeover.
Example of Broken User Authentication:
- A user logs in to Instagram using valid credentials.
- After using the app, the user logs out.
- However, the next time the user opens Instagram, they are automatically logged in without being asked for credentials again.
Note
This behavior indicates broken user authentication, particularly due to improper session invalidation.
Logging out should destroy the session token or cookie associated with the user. If the session is not properly invalidated, it allows unauthorized access, violating secure authentication practices.
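The Instagram scenario above comes down to one server-side decision: does logout actually discard the session, or does it only make the client forget the token? The following example is added here to show the difference; it is not code from the original note or from any real app. It assumes an in-memory dictionary as the session store and a 15-minute idle timeout (both constructed for the example), and it places the broken logout next to the correct one so the effect of improper session invalidation can be observed directly.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumption for this example: 15-minute idle sessions


class SessionStore:
    """Server-side session store. Constructed for this example; a real service
    would back it with Redis or a database, but the logic is the same."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": user_id, "expires": unix_time}

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG; never derive a token from user data
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "expires": now + SESSION_TTL_SECONDS}
        return token

    def user_for(self, token, now=None):
        """Return the user bound to a token, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[token]  # expired sessions are dropped on first use
            return None
        return entry["user"]

    def logout_broken(self, token):
        # The defect described in the note: the client deletes its cookie, but
        # the server keeps the session. Anyone still holding the token (an old
        # device, a proxy log, a browser cache) remains logged in.
        return True

    def logout(self, token):
        # Correct behaviour: the server discards the session, so the token is
        # worthless even if a copy of it survives somewhere on the client side.
        return self._sessions.pop(token, None) is not None

    def logout_everywhere(self, user_id):
        """Invalidate every session of a user, e.g. after a password change."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo():
    """Returns (token still valid after broken logout, token still valid after real logout)."""
    store = SessionStore()
    token = store.create("alice")
    assert store.user_for(token) == "alice"
    store.logout_broken(token)
    after_broken = store.user_for(token) == "alice"   # True: this is the bug
    store.logout(token)
    after_real = store.user_for(token) == "alice"     # False: session is gone
    return after_broken, after_real


if __name__ == "__main__":
    print(demo())
```

The check a tester would run against a real app is exactly what `demo()` does: capture the session cookie before logout, log out, then replay the old cookie; a response that still returns account data means the server never invalidated the session.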
🎯 Why is it dangerous?
- Hackers can pretend to be someone else
- They can steal sensitive information
- They can delete or modify user data
- They can take control of someone’s account
✅ How to Prevent?
- Always check both email and password.
- Use strong tokens (like JWT) for security.
- Never store passwords in plain text.
- Add features like:
  - Multi-factor authentication (MFA)
  - Account lockout after too many tries
  - CAPTCHA to stop bots
- Never show or send passwords in the URL or request body.
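The "How does it happen?" section above describes an API that checks only the email, and the prevention list asks for checking both credentials, never storing plain-text passwords, and locking the account after too many tries. The example below is added here to show those three points in one place; it is not code from the original note. It puts the broken email-only check (`login_broken`) beside a hardened check (`login`) that stores only salted PBKDF2 hashes, compares them in constant time, and locks the account after `MAX_FAILED_ATTEMPTS` consecutive failures. The iteration count, the attempt limit, the in-memory `UserStore` and the sample account are all assumptions made for the example; MFA and CAPTCHA are left out because they need an external channel.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP figure for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5      # assumption: lock after five consecutive failures


def hash_password(password, salt=None):
    """Return (salt, digest). The plain-text password is never stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


class UserStore:
    """In-memory user table, constructed for this example."""

    def __init__(self):
        self._users = {}  # email -> {"salt", "hash", "failed", "locked"}

    def register(self, email, password):
        salt, digest = hash_password(password)
        self._users[email] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}

    def get(self, email):
        return self._users.get(email)


def login_broken(store, email, password):
    """The flaw from the note: only the email is looked up; the password
    argument is never used, so knowing an address is enough to get in."""
    return store.get(email) is not None


def login(store, email, password):
    """Hardened check. Returns "ok", "denied" or "locked"."""
    user = store.get(email)
    if user is None:
        # Do the same amount of hashing work for an unknown email so timing
        # does not reveal which addresses have accounts.
        hash_password(password, b"\x00" * 16)
        return "denied"
    if user["locked"]:
        return "locked"
    if verify_password(password, user["salt"], user["hash"]):
        user["failed"] = 0  # successful login resets the counter
        return "ok"
    user["failed"] += 1
    if user["failed"] >= MAX_FAILED_ATTEMPTS:
        user["locked"] = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery")  # constructed sample account
    print("broken:", login_broken(store, "alice@example.com", "anything"))  # True: bug
    print("fixed: ", login(store, "alice@example.com", "anything"))         # denied
```

Two details matter in practice: the unknown-email branch returns the same result and does roughly the same work as a wrong-password attempt, so the API does not confirm which emails exist, and the lockout is enforced server-side on the account record, so it cannot be bypassed by reopening the client.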