Broken Authentication pretains to correct measures not taken for authentication having attacks like open and possible →
Permits to Automatered attacks such as crential stuffing.Where the attacker has a list of valid usernames and passwords.
Permits Brute force attacks or other automated attacks.
Permits default weak,or well known passwords,such as "Password1" or admin.
Uses weak or ineffective creditial recovery and frogot password processes such as knowledge based answes which cannot be made safe.
Uses plain text , encrypted , or wekly hashed passwords.
Has missing or inneffective mutifactor authentication.
Exposes Session IDs in the URL
Does not rotate SessionIDs after succesfull login.
Does not properly invalidate Session IDs User sessions or authentication tokens arent properly invalidated during logout or a period of inactivity.
We can check how this works by first trying to enter some credentials in the login form and seeing what it responds with cause sometimes it gives you extra information like is only the password wrong is the email not found etc. But the Errors should be non descriptive like Invalid Email or Password . This is Information Disclosure and something we wanna avoid its not super risky but still something we should always try to avoid now lets try to see how the Forgot Password section is and in here with this example website called OWASP JuiceBox we can see that when we go to the section and try to reset our password if we enter a invalid email the secret questions etc. don't pop up for us .
But when we try with a email that exists we just see the security question and everything pop up for us.
This is User Name Enumeration this is really bad because this method will still let you know if that email exists or not and in this case it also shows us the security question which we can try to brute force just that or perform Open Source Intelligence and try to reset their password with those techniques basically.