Security+ Academy · Lesson

Broken Authentication and Insecure Deserialization

Explore how weak session management, credential stuffing, and insecure deserialization vulnerabilities allow attackers to hijack accounts and execute code.

What Is Broken Authentication?

Broken authentication refers to weaknesses in how an application verifies user identity and manages sessions. When authentication is broken, attackers can compromise passwords, keys, or session tokens to assume other users' identities. This OWASP Top 10 category covers a wide range of flaws: weak credentials, poor session management, missing MFA, and insecure credential storage.

Credential Stuffing and Password Spraying

Credential stuffing takes large lists of username/password pairs leaked in prior data breaches and replays them against other sites, exploiting password reuse. Password spraying takes the opposite approach: trying a small set of common passwords (e.g., Password1!) against many accounts, so that no single account accumulates enough failures to hit its lockout threshold. Both attacks succeed because of weak password policies and lack of MFA.

# Password spraying concept (defensive awareness)
# Attacker tries 'Password1!' against 10,000 accounts
# rather than trying 10,000 passwords against 1 account
# This avoids triggering lockout policies (e.g., 5 attempts/account)

# Defense: MFA + adaptive authentication + rate limiting
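The following detector, added here as an example (not part of the lesson), runs over a constructed authentication log to show why a per-account lockout of 5 attempts misses a spray and why counting failures fanned out per source catches it; the log format, thresholds and function names are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the lesson): "timestamp src_ip user result".
# 203.0.113.7 sprays one guess across five accounts then logs in as alice; 198.51.100.9 brute-forces bob.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:04 203.0.113.7 bob FAIL
2024-03-01T10:00:07 203.0.113.7 carol FAIL
2024-03-01T10:00:10 203.0.113.7 dave FAIL
2024-03-01T10:00:13 203.0.113.7 erin FAIL
2024-03-01T10:00:16 203.0.113.7 alice SUCCESS
2024-03-01T10:05:00 198.51.100.9 bob FAIL
2024-03-01T10:05:02 198.51.100.9 bob FAIL
2024-03-01T10:05:04 198.51.100.9 bob FAIL
2024-03-01T10:05:06 198.51.100.9 bob FAIL
2024-03-01T10:05:08 198.51.100.9 bob FAIL
"""

def parse_log(text):
    # Each event becomes (timestamp, src_ip, user, result).
    return [(datetime.fromisoformat(t), ip, u, r)
            for t, ip, u, r in (ln.split() for ln in text.splitlines())]

def per_account_lockouts(events, threshold=5):
    """Classic lockout (e.g. 5 failed attempts per account): catches brute force, misses a spray."""
    fails = Counter(user for _, _, user, result in events if result == "FAIL")
    return {user for user, n in fails.items() if n >= threshold}

def spray_sources(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag a source whose failures fan out over many accounts, few tries each, inside the window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = set()
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Count failures per account in the window that starts at this failure.
            counts = Counter(u for t, u in fails[i:] if t - start <= window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.add(ip)
                break
    return flagged

def compromised_accounts(events, sources):
    """Accounts that logged in successfully from a flagged source: candidates for reset and step-up MFA."""
    return {u for _, ip, u, r in events if ip in sources and r == "SUCCESS"}
```

The lockout rule only locks bob, while the per-source rule flags 203.0.113.7 and points at alice as the account the spray got into.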
