Skip to content

Broken User Authentication Analyzers

Configuration Names: BUA, BUAWeakPasswords, BUASessionIdExposure


OWASP classifies Broken User Authentication as #2 in its API Security Top 10 (API2:2019)

The BUA analyzer attempts dictionary attacks (common hard-coded passwords) on operations that is classifies as login operations.

The BUAWeakPasswords analyzer detects operations that register a user, create a user, or update a user password. BUAWeakPasswords verifies that such operations require a password value that has strong complexity.

The BUASessionIdExposure analyzer reports a finding if an operation exposes Session IDs in plain text in a response.

Faults Reported

Fault Identifier Title Summary Solution Severity
CWE-287 Allows weak passwords Application allows a client to set a password to a low-complexity value. Application should require passwords to have sufficient complexity (e.g., length, character classes). medium
CWE-798 Use of Hard-coded Credentials A password from a dictionary of common passwords was accepted by the application. Do not use hard-coded passwords in an application. high