Severity: high | CWE-287 | OWASP A07:2021

Authentication Failures

Weak authentication mechanisms allow attackers to compromise passwords, keys, or session tokens — JWT without expiration, tokens stored in localStorage, or missing MFA.

How It Works

Authentication failures encompass weaknesses in how users prove their identity. Common issues include JWTs that never expire, storing tokens in localStorage (accessible via XSS), not implementing account lockout after failed attempts, weak password policies, and missing multi-factor authentication. Attackers exploit these through credential stuffing, brute force, or token theft via XSS.

Vulnerable Code

// jsonwebtoken: signed with no expiresIn option, so the token never expires
// and a stolen copy stays valid indefinitely.
const jwt = require('jsonwebtoken');
const token = jwt.sign(
  { userId: user.id, role: user.role },
  SECRET
);
// Browser side: localStorage is readable by any script running on the origin,
// so an XSS payload can read the token and replay it.
localStorage.setItem('token', token);

Secure Code

const jwt = require('jsonwebtoken');
const token = jwt.sign(
  { userId: user.id, role: user.role },
  SECRET,
  { expiresIn: '1h' }   // access token is only valid for one hour
);
// Express: deliver the token in a cookie that page scripts cannot read
// (httpOnly), that is sent only over HTTPS (secure) and that is not attached
// to cross-site requests (sameSite: 'strict').
res.cookie('token', token, {
  httpOnly: true, secure: true, sameSite: 'strict'
});

Real-World Example

The 2012 LinkedIn breach exposed 6.5 million password hashes. The passwords were hashed with SHA1 without salting, allowing attackers to crack most of them. A subsequent discovery revealed 117 million accounts were actually compromised.

How to Prevent It

  • Set expiration on JWT tokens (1h for access, 7d for refresh)
  • Store tokens in httpOnly cookies, never localStorage
  • Implement account lockout after failed login attempts
  • Require MFA for sensitive operations

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.