A07 Identification and Authentication Failures

What this means

SiteShadow flagged authentication behavior that can lead to account takeover (weak login protections, insecure password reset, missing MFA enforcement for high-risk actions, or inconsistent session handling).

Why it matters

Authentication failures can lead to account takeover.

• Credential stuffing succeeds without throttling/lockout.
• Reset flows are a common weak link (guessable tokens, long-lived links, no re-auth).
• Session issues can make stolen tokens usable for too long (see S02 / TOK01).

Safer examples

1) Rate limit and monitor auth endpoints

• Rate limit login + password reset per IP and per account.
• Alert on spikes and suspicious patterns.

2) Harden password reset

• Use short-lived, single-use tokens.
• Don't reveal whether an account exists ("If that email exists… we sent a link.").
• Require re-auth for changing sensitive settings.

3) Use MFA for high-risk actions

At minimum: role changes, payouts/billing changes, API key creation, device/session management.

How SiteShadow detects it (high level)

• Looks for login/reset endpoints and flags missing throttling/lockout patterns.
• Flags weak or inconsistent checks around reset tokens, session rotation, and MFA enforcement.

References

• OWASP Top 10: https://owasp.org/Top10/

---

← Back to Vulnerability Library