A2 – Broken Authentication and Session Management
The problem here is related to identity and permissions. As the official definition states:
"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities."
This is even worse when the falsely authenticated users are remote (the typical case) and are therefore difficult to trace.
There are several distinct problems:
We might accept users who should not be there at all, disclosing information and operations to them
A variant of this is when such an unwanted user obtains administrator privileges, putting the whole system at risk
We might accept a user whose credentials are valid but let them use those credentials beyond their legitimate scope (for example, reading another user's data)
Generally speaking, this is a problem of impersonation or elevation of privilege (either because the attacker has no privilege at all or because they raise themselves to...