OWASP_TOP10 · A07:2021 · voice-validated

Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Confirmation of user identity, authentication, and session management is critical. Authentication weaknesses include permitting credential stuffing, brute force, weak passwords, missing/ineffective MFA, plain text/weakly hashed/encrypted password stores, missing or ineffective credential recovery, exposed session identifier in URL, session not invalidated after logout/idle.

ATT&CK techniques this article tests · 15

Technique · Why it maps · Confidence
T1110.001 · Brute force attacks exploit weak authentication, as stated in A07:2021. This technique involves systematically guessing passwords, directly targeting authentication mechanisms. Robust password policies and rate limiting are essential for EU data protection. · 100%
T1110.004 · Credential stuffing, explicitly mentioned in A07:2021, reuses stolen credentials against new targets. This technique bypasses authentication by exploiting widespread credential reuse, posing a significant risk to EU user accounts. · 100%
T1550.002 · Attackers use stolen credentials, potentially from "plain text/weakly hashed/encrypted password stores" (A07:2021), to move laterally. This technique exploits compromised authentication material for unauthorized access within systems. · 90%
T1003 · Compromised "plain text/weakly hashed/encrypted password stores" (A07:2021) enable OS credential dumping. This technique extracts credentials from operating systems, facilitating further unauthorized access and undermining EU data security. · 90%
T1539 · Exposed or uninvalidated session identifiers, as per A07:2021, allow session cookie theft. This technique enables attackers to hijack active user sessions, bypassing re-authentication and compromising user privacy. · 100%
T1078 · Valid accounts, obtained through authentication failures like "weak passwords" or "brute force" (A07:2021), grant attackers legitimate access. This technique leverages compromised credentials for initial access and persistence, impacting EU data integrity. · 90%
T1098 · After gaining access via authentication failures (A07:2021), attackers manipulate accounts for persistence. This technique involves modifying user accounts or creating new ones to maintain unauthorized access, a clear risk to EU systems. · 80%
T1056.001 · Keylogging captures credentials, bypassing authentication mechanisms, especially with "weak passwords" (A07:2021). This technique directly intercepts user input, compromising login details and sensitive EU data. · 80%
T1566.002 · Spearphishing links trick users into revealing credentials, bypassing authentication controls, as implied by A07:2021's focus on identity confirmation. This technique exploits human factors to gain initial access, threatening EU data security. · 80%
T1087.001 · After initial authentication compromise (A07:2021), attackers discover local accounts. This technique maps out available user accounts on a system, aiding in privilege escalation and lateral movement within EU infrastructures. · 80%
T1087.002 · Following authentication failures (A07:2021), attackers discover domain accounts. This technique identifies accounts within a domain, expanding the scope of potential compromise across interconnected EU systems. · 80%
T1071.001 · Command and control often uses web protocols, leveraging compromised authentication (A07:2021) to blend in. This technique establishes covert communication channels, enabling further malicious activity within EU networks. · 80%
T1041 · Data exfiltration occurs over C2 channels after authentication bypass (A07:2021). This technique involves transferring sensitive data out of a compromised network, directly impacting EU data confidentiality. · 80%
T1486 · Data encryption for impact often follows successful authentication compromise (A07:2021). This technique renders data inaccessible, causing significant operational disruption and financial losses for EU entities. · 80%
T1528 · Stealing application access tokens bypasses authentication, especially when session management is weak (A07:2021). This technique allows unauthorized access to applications without needing user credentials, impacting EU data security. · 90%

Defending mitigations · 7

Mitigation · What it does · Confidence
M1032 · Multi-factor authentication directly addresses "missing/ineffective MFA" in A07:2021. This mitigation significantly increases the difficulty for attackers to compromise accounts, protecting EU user identities. · 100%
M1027 · Strong password policies counter "weak passwords" and "brute force" attacks, as highlighted in A07:2021. This mitigation enforces complexity and rotation, reducing the success rate of credential guessing for EU systems. · 100%
M1026 · Privileged account management protects critical accounts from compromise, a key concern in A07:2021. This mitigation restricts access and monitors activity, safeguarding sensitive EU system functions. · 90%
M1030 · Network segmentation limits the impact of authentication failures (A07:2021) by isolating compromised systems. This mitigation prevents lateral movement, containing breaches within specific network zones for EU infrastructure. · 80%
M1035 · Strong encryption protects "plain text/weakly hashed/encrypted password stores" (A07:2021). This mitigation renders stolen credentials unusable, safeguarding EU user data even if storage is breached. · 90%
M1040 · Disabling unnecessary features reduces attack surface related to authentication and session management (A07:2021). This mitigation removes potential vulnerabilities, enhancing the overall security posture of EU applications. · 80%
M1047 · Auditing authentication failures and session activity detects anomalies, addressing A07:2021 concerns. This mitigation provides visibility into potential breaches, enabling timely response and protecting EU data. · 90%

Underlying weaknesses · 7

CWE · Why it persists · Confidence
CWE-287 · Improper authentication is the central vulnerability described in A07:2021. This weakness allows attackers to bypass identity verification, leading to unauthorized access and compromising EU data. · 100%
CWE-306 · Missing authentication for critical functions, as implied by A07:2021, allows unauthorized access to sensitive operations. This weakness directly undermines security controls, posing a severe risk to EU systems. · 90%
CWE-307 · Improper restriction of excessive authentication attempts directly enables "credential stuffing" and "brute force" attacks, as per A07:2021. This weakness allows automated attacks to succeed, compromising EU user accounts. · 100%
CWE-521 · Weak password requirements contribute to "weak passwords" mentioned in A07:2021. This weakness makes accounts vulnerable to guessing and brute force, jeopardizing EU user data. · 100%
CWE-259 · Use of hard-coded passwords, a form of weak password management, directly contradicts A07:2021's emphasis on secure authentication. This weakness provides attackers with static credentials, bypassing security. · 80%
CWE-312 · Cleartext storage of sensitive information, specifically "plain text... password stores" (A07:2021), exposes credentials. This weakness allows immediate compromise of user accounts upon data breach, impacting EU privacy. · 100%
CWE-613 · Insufficient session expiration directly relates to "session not invalidated after logout/idle" in A07:2021. This weakness allows attackers to hijack stale sessions, maintaining unauthorized access to EU systems. · 100%

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0200 compute · voice-rubric self-validated