M_08/ A07:2021 — Identification & Auth Failures
Authentication Attacks
Five common attack classes on the login surface. Toggle defenses (rate limit, MFA, signed cookies, strict JWT verification) and watch the timeline collapse.
1.0 Controls
Many passwords against one account.
2.0 Attempt stream
0000ms  admin  p0000  fail  incorrect
3.0 Intelligence
What just happened
All attempts blocked or failed. Layered defenses (rate limit + MFA) make this attack class economically unviable for most attackers.
Logical flow
- 01 Attacker loads a list of credentials or passwords.
- 02 Bot pool fires login requests in parallel.
- 03 Server checks credentials.
- 04 Valid credentials → session issued.
Risk: Mitigated
OWASP: A07
↳ What the developer intended
Only humans with the correct password get a session.
↳ What the runtime actually executes
Without rate limiting, a bot pool can submit millions of guesses per hour, and because users reuse passwords across sites, many of those guesses will succeed.
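The following is an added example and not the page's own code: a small login gate that puts a per-source sliding-window rate limit and a per-account failure lockout in front of the credential check, then replays a constructed attempt stream like the one in the "Attempt stream" panel with the defenses toggled on and off. The class and function names (LoginGate, run_stream), the thresholds, the user database and the bot stream are all assumptions made for the example.

```python
"""Added example (not the page's code): layered login defenses replayed
against a constructed brute-force stream. All thresholds and data are assumed."""
import hashlib
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


def _h(password: str) -> str:
    # Constructed store uses sha256 for a dependency-free example; a real
    # system would use a slow, salted hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user database: the guesser's stream eventually hits "p0417".
USERS = {"admin": _h("p0417")}


@dataclass
class LoginGate:
    rate_limit: bool = True            # per-source sliding window on/off
    lockout: bool = True               # per-account failure lockout on/off
    window_ms: int = 60_000            # sliding window length
    max_per_window: int = 10           # attempts a single source may make per window
    max_failures: int = 5              # failures before the account is locked
    lockout_ms: int = 15 * 60_000      # how long the lock lasts
    _source_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _failures: dict = field(default_factory=lambda: defaultdict(int))
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, t_ms: int, source: str, user: str, password: str):
        """Return (outcome, reason); outcome is 'blocked', 'fail' or 'session'."""
        # Lockout is checked first so a locked account never reaches the
        # credential check, whatever the source.
        if self.lockout and self._locked_until.get(user, -1) > t_ms:
            return "blocked", "account_locked"
        if self.rate_limit:
            hits = self._source_hits[source]
            while hits and hits[0] <= t_ms - self.window_ms:
                hits.popleft()             # drop timestamps outside the window
            if len(hits) >= self.max_per_window:
                return "blocked", "rate_limited"
            hits.append(t_ms)
        stored = USERS.get(user)
        # compare_digest keeps the comparison constant-time; hashing the guess
        # even for unknown users avoids a timing oracle on username existence.
        ok = stored is not None and hmac.compare_digest(stored, _h(password))
        if ok:
            self._failures[user] = 0
            return "session", "issued"
        self._failures[user] += 1
        if self.lockout and self._failures[user] >= self.max_failures:
            self._locked_until[user] = t_ms + self.lockout_ms
        return "fail", "incorrect"


def run_stream(gate: LoginGate, n: int = 1000, bots: int = 4) -> dict:
    """Constructed attack: `bots` parallel sources spray p0000..p(n-1) at the
    admin account, one attempt per millisecond. Returns counts per outcome."""
    counts = defaultdict(int)
    for i in range(n):
        outcome, _ = gate.attempt(i, f"bot-{i % bots}", "admin", f"p{i:04d}")
        counts[outcome] += 1
    return dict(counts)


if __name__ == "__main__":
    print("defenses off :", run_stream(LoginGate(rate_limit=False, lockout=False)))
    print("rate limit   :", run_stream(LoginGate(lockout=False)))
    print("both on      :", run_stream(LoginGate()))
```

With both defenses off the stream reaches the checker every time and the correct guess is issued a session; with only the rate limit on, each source gets its ten attempts and the rest are dropped, so the correct guess never reaches the checker; with the lockout on as well, five failures lock the account and every later attempt is blocked before any credential check, which is the "all attempts blocked or failed" outcome the page describes.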
Attack flow