Broken User Authentication Analyzers
Configuration Names: BUA, BUAWeakPasswords, BUASessionIdExposure
Description
OWASP classifies Broken User Authentication as #2 in its API Security Top 10 (API2:2019).
The BUA analyzer attempts dictionary attacks (common hard-coded passwords) against operations that it classifies as login operations.
The BUAWeakPasswords analyzer detects operations that register a user, create a user, or update a user's password, and verifies that such operations require a password value of strong complexity.
The BUASessionIdExposure analyzer reports a finding if an operation exposes Session IDs in plain text in a response.
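The following is an added illustration of the server-side checks that the BUAWeakPasswords and BUASessionIdExposure analyzers expect an API to pass; it is not the analyzers' own code. The minimum length, the three-character-class rule, the common-password list and the sample login response are all constructed assumptions for this example, not values taken from the analyzer documentation.

```python
"""Added example (not the analyzer's code): a password-policy check a
registration/password-update operation should enforce, and a scan of a
decoded JSON response for session identifiers leaked in the body."""
import re
import string

# Constructed sample blocklist. A real deployment loads a large corpus
# (e.g. a breached-password list) instead of a handful of entries.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "admin", "welcome",
})

MIN_LENGTH = 12  # assumed policy value for this example

# Trailing digits/symbols are stripped before the dictionary lookup so that
# "Password1!" is still recognised as a variant of "password".
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def password_problems(password: str) -> list[str]:
    """Return the policy violations for `password`; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(classes) - len(missing) < 3:
        problems.append("needs at least three character classes; missing " + ", ".join(missing))
    lowered = password.lower()
    stem = _TRAILING_JUNK.sub("", lowered)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("matches a common-password dictionary entry")
    return problems


# Field names that look like session identifiers (assumed naming conventions).
SESSION_KEY_RE = re.compile(r"session[_-]?id$|^(jsessionid|phpsessid|sid)$", re.IGNORECASE)


def find_exposed_session_ids(body, path="$") -> list[str]:
    """Walk a decoded JSON response body and return JSONPath-style locations of
    fields whose name looks like a session identifier and whose value is a
    non-empty string. A session ID belongs in an HttpOnly cookie, not the body."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            child = f"{path}.{key}"
            if SESSION_KEY_RE.search(key) and isinstance(value, str) and value:
                hits.append(child)
            hits.extend(find_exposed_session_ids(value, child))
    elif isinstance(body, list):
        for index, item in enumerate(body):
            hits.extend(find_exposed_session_ids(item, f"{path}[{index}]"))
    return hits


# Constructed sample of a login response that leaks session identifiers.
SAMPLE_LOGIN_RESPONSE = {
    "status": "ok",
    "user": {"id": 42, "name": "alice", "sessionId": "9f3c1a2b7e"},
    "tokens": [{"sid": "abc123"}],
}

if __name__ == "__main__":
    for candidate in ("Password1!", "abcdefghijkl1", "Tr0ub4dor&3xample!"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("exposed session IDs:", find_exposed_session_ids(SAMPLE_LOGIN_RESPONSE))
```

The dictionary check rejects the same values the BUA analyzer would try, so a registration endpoint wired to `password_problems` fails closed before the login endpoint can be probed with them; `find_exposed_session_ids` is the kind of response check that turns the BUASessionIdExposure finding into a unit test against your own API.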
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-287 | Allows weak passwords | Application allows a client to set a password to a low-complexity value. | Application should require passwords to have sufficient complexity (e.g., length, character classes). | medium |
| CWE-798 | Use of Hard-coded Credentials | A password from a dictionary of common passwords was accepted by the application. | Do not use hard-coded passwords in an application. | high |