# Authentication Failures (A07:2025)

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

## Overview

Renamed from 'Identification and Authentication Failures' for precision. This category covers weaknesses in authentication mechanisms, including credential management, session handling, and identity verification.

## How Attackers Exploit This

### Credential stuffing

Attackers use lists of stolen credentials from other breaches to attempt login across many sites.

**Detection signal:** High volume of failed logins across multiple accounts from distributed sources.

### Session hijacking

Session tokens are captured or predicted, allowing attackers to impersonate authenticated users.

**Detection signal:** Session tokens appearing in URLs; sessions used from unexpected locations.

### Brute force attacks

Automated attempts to guess passwords through systematic trial of many possibilities.

**Detection signal:** High volume of failed login attempts against a single account or multiple accounts.

## How to Prevent

- Implement multi-factor authentication where possible
- Do not ship or deploy with default credentials
- Check new passwords against lists of common and weak passwords
- Align password policies with modern guidelines (NIST 800-63)
- Harden registration and credential recovery against account enumeration
- Limit or delay failed login attempts, with proper logging
- Use secure session management with high-entropy session IDs

## CWEs with Detection Rules (8)

- **CWE-306**: Missing Authentication for Critical Function (6 rules) [python, go, typescript]
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts (5 rules) [go]
- **CWE-295**: Improper Certificate Validation (4 rules) [go, javascript, typescript, python]
- **CWE-384**: Session Fixation (3 rules) [javascript, typescript, go, python]
- **CWE-640**: Weak Password Recovery Mechanism for Forgotten Password (3 rules) [go, javascript, typescript, python]
- **CWE-287**: Improper Authentication (2 rules) [javascript, typescript, python]
- **CWE-521**: Weak Password Requirements (2 rules) [go, javascript, typescript]
- **CWE-259**: Use of Hard-coded Password (1 rule) [javascript, typescript]

## Other Mapped CWEs (13)

- CWE-255
- CWE-288
- CWE-290
- CWE-294
- CWE-297
- CWE-300
- CWE-302
- CWE-304
- CWE-346
- CWE-613
- CWE-620
- CWE-940
- CWE-1216

## Quick Reference

- Total CWEs: 21
- With Shoulder rules: 8
- Detection rules: 26
- Critical rules: 2
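The two log-based detection signals given under "How Attackers Exploit This" (credential stuffing: many accounts failing from many sources; brute force: many failures against one account) can be turned into simple counting rules. The following is an added example, not code from the page or from the Shoulder rule set; the log line format, the thresholds and the function names are assumptions, and the log lines are constructed for the illustration.

```python
"""Added example: detection rules for the credential-stuffing and brute-force
signals, evaluated over constructed authentication log lines."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
# Lines 1-6: one failure each for six accounts from six sources (stuffing pattern).
# Lines 7-11: five failures for one account from one source (brute-force pattern).
SAMPLE_LOG = """\
2025-01-01T10:00:00Z 203.0.113.10 alice FAIL
2025-01-01T10:00:01Z 203.0.113.11 bob FAIL
2025-01-01T10:00:02Z 203.0.113.12 carol FAIL
2025-01-01T10:00:03Z 203.0.113.13 dave FAIL
2025-01-01T10:00:04Z 203.0.113.14 erin FAIL
2025-01-01T10:00:05Z 203.0.113.15 frank FAIL
2025-01-01T10:00:06Z 198.51.100.7 victim FAIL
2025-01-01T10:00:07Z 198.51.100.7 victim FAIL
2025-01-01T10:00:08Z 198.51.100.7 victim FAIL
2025-01-01T10:00:09Z 198.51.100.7 victim FAIL
2025-01-01T10:00:10Z 198.51.100.7 victim FAIL
2025-01-01T10:00:11Z 192.0.2.5 alice OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed four-field log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(AuthEvent(ts, src, user, result == "OK"))
    return events


def brute_force_targets(events: list[AuthEvent], threshold: int = 5) -> list[str]:
    """Brute-force signal: accounts with at least `threshold` failed logins."""
    fails: dict[str, int] = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[e.user] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def credential_stuffing_suspected(events: list[AuthEvent],
                                  min_accounts: int = 5,
                                  min_sources: int = 5) -> bool:
    """Credential-stuffing signal: failures spread across many distinct
    accounts AND many distinct source addresses in the window."""
    failed_users = {e.user for e in events if not e.ok}
    failed_sources = {e.src for e in events if not e.ok}
    return len(failed_users) >= min_accounts and len(failed_sources) >= min_sources


def analyse(text: str) -> dict:
    """Run both rules over one log window and return the findings."""
    events = parse_log(text)
    return {
        "brute_force_targets": brute_force_targets(events),
        "credential_stuffing": credential_stuffing_suspected(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

In production the two rules would be evaluated over a sliding time window rather than a whole file, and the thresholds tuned to the site's normal failure rate; the shape of the logic (count failures per account for brute force, count distinct accounts and distinct sources for stuffing) is what the detection signals above describe.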
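Several items in the "How to Prevent" list (weak-password checks, limiting and delaying failed logins with logging, enumeration-resistant responses, and high-entropy session IDs that are re-issued at login so a pre-chosen session cannot be fixed) fit in one small login service. The following is an added example written for this page, not code from the page or from the Shoulder project; the class, the in-memory stores, the blocklist and the lockout thresholds are assumptions made for the illustration.

```python
"""Added example: a minimal in-memory login service applying the prevention
items above (weak-password check, failed-login delay and lockout with
logging, uniform failure responses, fresh high-entropy session ID on login)."""
import hashlib
import hmac
import logging
import secrets
from typing import Optional

log = logging.getLogger("auth")

# Constructed blocklist standing in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}
MIN_PASSWORD_LENGTH = 8        # NIST 800-63B minimum for user-chosen secrets
PBKDF2_ITERATIONS = 200_000    # assumed work factor for this illustration


def is_weak_password(pw: str) -> bool:
    """Reject short passwords and anything on the common-password list."""
    return len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in COMMON_PASSWORDS


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


class LoginService:
    MAX_FAILURES = 5       # lock the account after this many consecutive failures

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.failures: dict[str, int] = {}                # username -> consecutive failures
        self.sessions: dict[str, str] = {}                # session id -> username (server side)

    def register(self, username: str, password: str) -> None:
        if is_weak_password(password):
            raise ValueError("password is too short or too common")
        self.users[username] = hash_password(password)

    def delay_for(self, username: str) -> int:
        """Seconds the caller must wait before the next attempt (exponential backoff)."""
        n = self.failures.get(username, 0)
        return 0 if n == 0 else min(2 ** (n - 1), 60)

    def login(self, username: str, password: str, src_ip: str,
              presented_session: Optional[str] = None) -> Optional[str]:
        """Return a fresh session id on success, None on any failure.
        Unknown user and wrong password produce the same result and similar
        timing, so the login endpoint does not reveal which accounts exist."""
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            log.warning("locked account %s: attempt from %s", username, src_ip)
            return None
        record = self.users.get(username)
        # Always run the hash so a missing account takes as long as a wrong password.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, got = hash_password(password, salt)
        if record is None or not hmac.compare_digest(got, expected):
            self.failures[username] = self.failures.get(username, 0) + 1
            log.warning("failed login for %s from %s (%d consecutive)",
                        username, src_ip, self.failures[username])
            return None
        self.failures.pop(username, None)
        # Session fixation defence: never keep a client-presented id across
        # authentication; invalidate it and issue a new 256-bit random id.
        if presented_session in self.sessions:
            del self.sessions[presented_session]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        log.info("successful login for %s from %s", username, src_ip)
        return sid
```

The lockout here is a simple consecutive-failure counter; a real service would expire it after a cooldown and also key the counter by source address so a distributed attack against one account and a single source trying many accounts are both covered. `delay_for` returns the backoff in seconds rather than sleeping, so the calling handler (or a test) decides how to enforce it.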