An umbrella term for vulnerabilities that can be exploited to impersonate other users online. Web applications, for example, social media platforms, require users to authenticate themselves by providing login credentials. A broken authentication attack is when an attacker uses session management weaknesses or credential management weaknesses to log in with someone’s credentials and impersonate them.
Every time a user logs in, the platform issues a session ID to track their actions and respond to requests. If a hacker steals that session ID, they can use it to impersonate the user and continue the session. The attacker then has access all information and functions that are available to the user.
During login, the user must provide the correct username and password or other information that only they would know. Due to users’ poor password management (reusing passwords, never changing them, storing them in plaintext), attackers can perform successful credential stuffing, dictionary, and phishing attacks.