MatterAI Documentation | Universal AI Super Intelligence

Authentication Vulnerabilities Overview

Authentication is the process of verifying that users are who they claim to be. Authentication vulnerabilities can allow attackers to bypass this verification process, impersonate legitimate users, and gain unauthorized access to systems and data.These vulnerabilities often arise from poor implementation of authentication mechanisms, weak credential management, or flawed authentication workflows. When exploited, they can lead to account takeover, data breaches, privilege escalation, and other serious security incidents.

Weak Password Policies

// Anti-pattern: Weak password requirements
function validatePassword(password) {
  return password.length >= 6;
}

// Better approach: Comprehensive password policy
function validatePassword(password) {
  // At least 12 characters
  if (password.length < 12) return false;
  
  // Check for uppercase, lowercase, numbers, and special characters
  const hasUppercase = /[A-Z]/.test(password);
  const hasLowercase = /[a-z]/.test(password);
  const hasNumbers = /[0-9]/.test(password);
  const hasSpecial = /[!@#$%^&*(),.?":{}|<>]/.test(password);
  
  return hasUppercase && hasLowercase && hasNumbers && hasSpecial;
}

Weak password policies allow users to create passwords that are easily guessable or vulnerable to brute force attacks. This significantly reduces the security of the authentication system.To implement strong password policies:

Require a minimum length (at least 12 characters)
Require a mix of character types (uppercase, lowercase, numbers, special characters)
Check passwords against lists of commonly used or compromised passwords
Encourage the use of passphrases
Consider implementing password strength meters

Plaintext Password Storage

// Anti-pattern: Storing passwords in plaintext
function createUser(username, password) {
  const query = `INSERT INTO users (username, password) VALUES ('${username}', '${password}')`;
  return db.execute(query);
}

// Better approach: Hashing passwords with a strong algorithm and salt
async function createUser(username, password) {
  const salt = await bcrypt.genSalt(12);
  const hashedPassword = await bcrypt.hash(password, salt);
  const query = `INSERT INTO users (username, password) VALUES ('${username}', '${hashedPassword}')`;
  return db.execute(query);
}

Storing passwords in plaintext is one of the most dangerous security practices. If an attacker gains access to the database, they immediately have access to all user credentials.To properly store passwords:

Never store passwords in plaintext
Use strong, slow hashing algorithms designed for password storage (bcrypt, Argon2, PBKDF2)
Use a unique salt for each password
Implement key stretching with an appropriate work factor
Regularly update hashing algorithms as stronger ones become available

Insecure Authentication Protocols

// Anti-pattern: Using basic authentication over HTTP
app.get('/api/data', (req, res) => {
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    res.setHeader('WWW-Authenticate', 'Basic');
    return res.status(401).send('Authentication required');
  }
  // Process basic auth header...
});

// Better approach: Using secure protocols and tokens
app.get('/api/data', authenticateJWT, (req, res) => {
  // User is authenticated via JWT
  // Process request...
});

Insecure authentication protocols transmit credentials in an easily interceptable format or are vulnerable to various attacks.To implement secure authentication protocols:

Always use HTTPS for transmitting credentials
Prefer token-based authentication (JWT, OAuth) over basic authentication
Implement proper token validation and expiration
Use secure cookie attributes (HttpOnly, Secure, SameSite)
Consider implementing multi-factor authentication

Insufficient Brute Force Protection

// Anti-pattern: No brute force protection
async function login(username, password) {
  const user = await db.getUser(username);
  if (!user) return null;
  
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (passwordMatch) return user;
  
  return null;
}

// Better approach: Implementing rate limiting and account lockout
async function login(username, password) {
  // Check for too many failed attempts
  const attempts = await getLoginAttempts(username);
  if (attempts >= MAX_ATTEMPTS) {
    throw new Error('Account temporarily locked due to too many failed attempts');
  }
  
  const user = await db.getUser(username);
  if (!user) {
    await recordFailedAttempt(username);
    return null;
  }
  
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (passwordMatch) {
    await resetLoginAttempts(username);
    return user;
  }
  
  await recordFailedAttempt(username);
  return null;
}

Without brute force protection, attackers can make unlimited login attempts to guess passwords through automated tools.To implement brute force protection:

Implement rate limiting on authentication endpoints
Use progressive delays between login attempts
Implement temporary account lockouts after multiple failed attempts
Consider using CAPTCHA for suspicious login attempts
Log and alert on unusual authentication patterns

Insecure Password Recovery

// Anti-pattern: Insecure password recovery
app.post('/forgot-password', async (req, res) => {
  const { email } = req.body;
  const user = await db.getUserByEmail(email);
  if (!user) return res.status(200).send('If your email exists, you will receive a reset link');
  
  // Generate a simple token
  const token = Math.random().toString(36).substring(2, 15);
  await db.storeResetToken(user.id, token);
  
  // Send email with reset link
  sendEmail(email, `Reset your password by clicking: https://example.com/reset?token=${token}`);
  
  res.status(200).send('If your email exists, you will receive a reset link');
});

// Better approach: Secure password recovery
app.post('/forgot-password', async (req, res) => {
  const { email } = req.body;
  const user = await db.getUserByEmail(email);
  if (!user) return res.status(200).send('If your email exists, you will receive a reset link');
  
  // Generate a secure token
  const token = crypto.randomBytes(32).toString('hex');
  const expiry = new Date(Date.now() + 3600000); // 1 hour from now
  await db.storeResetToken(user.id, token, expiry);
  
  // Send email with reset link
  sendEmail(email, `Reset your password by clicking: https://example.com/reset?token=${token}&email=${encodeURIComponent(email)}`);
  
  res.status(200).send('If your email exists, you will receive a reset link');
});

Insecure password recovery mechanisms can be exploited to take over user accounts without knowing the original password.To implement secure password recovery:

Use cryptographically secure tokens with sufficient entropy
Set short expiration times for reset tokens
Implement one-time use tokens
Verify the user’s identity through multiple factors when possible
Don’t reveal whether an email exists in the system
Log and notify users about password reset attempts

Session Fixation

// Anti-pattern: Vulnerable to session fixation
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const user = authenticate(username, password);
  if (user) {
    // Using the same session ID after authentication
    req.session.userId = user.id;
    return res.redirect('/dashboard');
  }
  res.render('login', { error: 'Invalid credentials' });
});

// Better approach: Regenerating session ID after authentication
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const user = authenticate(username, password);
  if (user) {
    // Regenerate session to prevent fixation
    req.session.regenerate((err) => {
      if (err) return res.status(500).send('Error during login');
      req.session.userId = user.id;
      return res.redirect('/dashboard');
    });
  } else {
    res.render('login', { error: 'Invalid credentials' });
  }
});

Session fixation occurs when an attacker sets a user’s session ID to one known to the attacker, allowing them to hijack the session after the user authenticates.To prevent session fixation:

Generate a new session identifier after authentication
Invalidate the old session when a user logs in
Use secure, HttpOnly, and SameSite cookies for session management
Implement proper session timeout and expiration
Validate the session against stored user information

Insecure Credential Transmission

// Anti-pattern: Transmitting credentials over HTTP
const loginForm = document.getElementById('login-form');
loginForm.addEventListener('submit', (e) => {
  e.preventDefault();
  const username = document.getElementById('username').value;
  const password = document.getElementById('password').value;
  
  fetch('http://example.com/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password })
  });
});

// Better approach: Using HTTPS and secure headers
const loginForm = document.getElementById('login-form');
loginForm.addEventListener('submit', (e) => {
  e.preventDefault();
  const username = document.getElementById('username').value;
  const password = document.getElementById('password').value;
  
  fetch('https://example.com/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password })
  });
});

// Server-side configuration
app.use(helmet()); // Adds security headers
app.use(helmet.hsts({ maxAge: 15552000 })); // Strict Transport Security

Insecure credential transmission exposes authentication data to interception by attackers through network sniffing or man-in-the-middle attacks.To secure credential transmission:

Always use HTTPS for all authentication-related traffic
Implement HTTP Strict Transport Security (HSTS)
Use secure cookies with the Secure flag
Avoid transmitting credentials in URLs
Consider using client-side hashing before transmission (though not as a replacement for HTTPS)

Missing Multi-Factor Authentication

// Anti-pattern: Single-factor authentication only
async function login(email, password) {
  const user = await db.getUserByEmail(email);
  if (!user) return null;
  
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (passwordMatch) return user;
  
  return null;
}

// Better approach: Implementing multi-factor authentication
async function login(email, password, otpCode) {
  const user = await db.getUserByEmail(email);
  if (!user) return null;
  
  // First factor: password
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (!passwordMatch) return null;
  
  // Second factor: OTP
  if (user.mfaEnabled) {
    const otpValid = verifyOTP(user.otpSecret, otpCode);
    if (!otpValid) return null;
  }
  
  return user;
}

Relying solely on passwords for authentication leaves systems vulnerable to credential theft, phishing, and brute force attacks.To implement multi-factor authentication:

Offer multiple types of second factors (TOTP, SMS, email, push notifications, hardware keys)
Implement secure enrollment and recovery processes
Allow users to manage their MFA settings
Provide backup methods for account recovery
Consider risk-based authentication for sensitive operations

Insecure OAuth Implementation

// Anti-pattern: Insecure OAuth implementation
app.get('/auth/callback', (req, res) => {
  const { code } = req.query;
  
  // Missing state parameter validation
  axios.post('https://oauth-provider.com/token', {
    code,
    client_id: 'my-client-id',
    client_secret: 'my-client-secret',
    redirect_uri: 'https://myapp.com/auth/callback',
    grant_type: 'authorization_code'
  }).then(response => {
    const { access_token } = response.data;
    // Use access token...
  });
});

// Better approach: Secure OAuth implementation
app.get('/auth/oauth', (req, res) => {
  const state = crypto.randomBytes(16).toString('hex');
  req.session.oauthState = state;
  
  const authUrl = new URL('https://oauth-provider.com/authorize');
  authUrl.searchParams.append('client_id', 'my-client-id');
  authUrl.searchParams.append('redirect_uri', 'https://myapp.com/auth/callback');
  authUrl.searchParams.append('response_type', 'code');
  authUrl.searchParams.append('state', state);
  authUrl.searchParams.append('scope', 'profile email');
  
  res.redirect(authUrl.toString());
});

app.get('/auth/callback', (req, res) => {
  const { code, state } = req.query;
  
  // Validate state parameter to prevent CSRF
  if (!state || state !== req.session.oauthState) {
    return res.status(403).send('Invalid state parameter');
  }
  
  // Exchange code for token
  axios.post('https://oauth-provider.com/token', {
    code,
    client_id: 'my-client-id',
    client_secret: 'my-client-secret',
    redirect_uri: 'https://myapp.com/auth/callback',
    grant_type: 'authorization_code'
  }).then(response => {
    const { access_token, id_token } = response.data;
    
    // Validate tokens and extract user information
    // ...
  });
});

Insecure OAuth implementations can lead to various vulnerabilities, including CSRF attacks, token leakage, and account takeover.To implement OAuth securely:

Always use the state parameter to prevent CSRF attacks
Validate redirect URIs
Use PKCE (Proof Key for Code Exchange) for public clients
Securely store client secrets
Validate tokens properly
Implement proper scope handling

Hardcoded Credentials

// Anti-pattern: Hardcoded credentials
public class DatabaseConnector {
    private static final String DB_USERNAME = "admin";
    private static final String DB_PASSWORD = "super_secret_password";
    
    public Connection getConnection() {
        return DriverManager.getConnection(
            "jdbc:mysql://localhost:3306/mydb",
            DB_USERNAME,
            DB_PASSWORD
        );
    }
}

// Better approach: Using environment variables or secure configuration
public class DatabaseConnector {
    public Connection getConnection() {
        String username = System.getenv("DB_USERNAME");
        String password = System.getenv("DB_PASSWORD");
        
        if (username == null || password == null) {
            throw new IllegalStateException("Database credentials not configured");
        }
        
        return DriverManager.getConnection(
            "jdbc:mysql://localhost:3306/mydb",
            username,
            password
        );
    }
}

Hardcoded credentials in source code are easily discoverable, especially in open-source projects or when source code is leaked.To avoid hardcoded credentials:

Use environment variables for sensitive configuration
Implement a secure configuration management system
Use secrets management services
Implement proper access controls for configuration files
Regularly rotate credentials

Insufficient Logging and Monitoring

// Anti-pattern: Insufficient authentication logging
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const user = await authenticate(username, password);
  
  if (user) {
    req.session.userId = user.id;
    return res.redirect('/dashboard');
  }
  
  return res.render('login', { error: 'Invalid credentials' });
});

// Better approach: Comprehensive authentication logging
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const ip = req.ip;
  const userAgent = req.headers['user-agent'];
  
  try {
    const user = await authenticate(username, password);
    
    if (user) {
      req.session.userId = user.id;
      logger.info('Successful login', {
        userId: user.id,
        username,
        ip,
        userAgent,
        timestamp: new Date().toISOString()
      });
      return res.redirect('/dashboard');
    }
    
    logger.warn('Failed login attempt', {
      username,
      ip,
      userAgent,
      timestamp: new Date().toISOString()
    });
    
    return res.render('login', { error: 'Invalid credentials' });
  } catch (error) {
    logger.error('Login error', {
      username,
      ip,
      userAgent,
      error: error.message,
      timestamp: new Date().toISOString()
    });
    return res.status(500).render('error');
  }
});

Insufficient logging and monitoring of authentication events makes it difficult to detect and respond to security incidents.To implement proper authentication logging:

Log all authentication events (successful and failed)
Include relevant context (IP, user agent, timestamp)
Implement centralized log collection and analysis
Set up alerts for suspicious authentication patterns
Ensure logs are tamper-resistant
Retain logs for an appropriate period

Default or Weak Credentials

// Anti-pattern: Using default credentials
const defaultAdminUser = {
  username: 'admin',
  password: 'admin123',
  role: 'admin'
};

async function initializeDatabase() {
  const adminExists = await db.getUserByUsername('admin');
  if (!adminExists) {
    await db.createUser(defaultAdminUser);
  }
}

// Better approach: Requiring secure credentials on setup
async function initializeDatabase() {
  const adminExists = await db.getUserByUsername('admin');
  if (!adminExists) {
    // Require admin to set credentials during first-time setup
    app.use('/setup', setupRouter);
  }
}

const setupRouter = express.Router();
setupRouter.get('/', (req, res) => {
  res.render('setup');
});

setupRouter.post('/', async (req, res) => {
  const { username, password } = req.body;
  
  // Validate password strength
  if (!isStrongPassword(password)) {
    return res.render('setup', { error: 'Password does not meet security requirements' });
  }
  
  // Create admin user with secure credentials
  await db.createUser({ username, password, role: 'admin' });
  
  // Disable setup route
  app.use('/setup', (req, res) => res.redirect('/'));
  
  res.redirect('/login');
});

Default or weak credentials are a common entry point for attackers, especially in systems that are publicly accessible.To avoid default or weak credentials:

Never ship software with default credentials
Require users to set strong passwords during initial setup
Implement password strength validation
Regularly audit for weak credentials
Consider implementing credential rotation policies

Insecure Remember Me Functionality

// Anti-pattern: Insecure "Remember Me" implementation
app.post('/login', (req, res) => {
  const { username, password, rememberMe } = req.body;
  const user = authenticate(username, password);
  
  if (user) {
    req.session.userId = user.id;
    
    if (rememberMe) {
      // Insecure: Using only user ID in the cookie
      res.cookie('rememberMe', user.id, { maxAge: 30 * 24 * 60 * 60 * 1000 });
    }
    
    return res.redirect('/dashboard');
  }
  
  return res.render('login', { error: 'Invalid credentials' });
});

// Better approach: Secure "Remember Me" implementation
app.post('/login', async (req, res) => {
  const { username, password, rememberMe } = req.body;
  const user = authenticate(username, password);
  
  if (user) {
    req.session.userId = user.id;
    
    if (rememberMe) {
      // Generate a secure token
      const token = crypto.randomBytes(32).toString('hex');
      const selector = crypto.randomBytes(16).toString('hex');
      
      // Store token hash in the database
      const hashedToken = await bcrypt.hash(token, 10);
      await db.storeRememberMeToken({
        userId: user.id,
        selector,
        token: hashedToken,
        expires: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000)
      });
      
      // Set cookie with selector and token
      res.cookie('rememberMe', `${selector}:${token}`, {
        httpOnly: true,
        secure: process.env.NODE_ENV === 'production',
        sameSite: 'strict',
        maxAge: 30 * 24 * 60 * 60 * 1000
      });
    }
    
    return res.redirect('/dashboard');
  }
  
  return res.render('login', { error: 'Invalid credentials' });
});

Insecure “Remember Me” functionality can lead to persistent authentication vulnerabilities and account takeover.To implement secure “Remember Me” functionality:

Use cryptographically secure tokens
Store only token hashes in the database
Implement proper token expiration
Use secure, HttpOnly, and SameSite cookies
Provide users with the ability to view and revoke persistent sessions
Automatically invalidate tokens when users change passwords

Insecure Account Recovery Questions

// Anti-pattern: Using common security questions
app.post('/setup-recovery', (req, res) => {
  const { userId, question, answer } = req.body;
  
  // Using common questions with easily discoverable answers
  db.storeSecurityQuestion(userId, question, answer);
  
  res.redirect('/account-settings');
});

// Better approach: More secure account recovery
app.post('/setup-recovery', async (req, res) => {
  const { userId, question, answer } = req.body;
  
  // Validate question is not from a list of weak questions
  if (isWeakQuestion(question)) {
    return res.render('setup-recovery', { error: 'Please choose a stronger security question' });
  }
  
  // Hash the answer
  const hashedAnswer = await bcrypt.hash(answer.toLowerCase().trim(), 10);
  
  // Store the question and hashed answer
  db.storeSecurityQuestion(userId, question, hashedAnswer);
  
  res.redirect('/account-settings');
});

// Verification
app.post('/verify-recovery', async (req, res) => {
  const { userId, answer } = req.body;
  
  const securityQuestion = await db.getSecurityQuestion(userId);
  
  // Compare with hashed answer
  const isCorrect = await bcrypt.compare(answer.toLowerCase().trim(), securityQuestion.hashedAnswer);
  
  if (isCorrect) {
    // Generate password reset token
    // ...
  } else {
    res.render('verify-recovery', { error: 'Incorrect answer' });
  }
});

Security questions often rely on information that can be easily researched or guessed, making them a weak form of authentication.To implement more secure account recovery:

Avoid common security questions with easily discoverable answers
Allow users to create their own questions
Store answers as hashed values, not plaintext
Consider alternative recovery methods (email, phone, backup codes)
Implement multi-step recovery processes
Rate-limit recovery attempts

Missing Account Lockout

// Anti-pattern: No account lockout mechanism
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const user = await db.getUserByUsername(username);
  
  if (!user) {
    return res.render('login', { error: 'Invalid credentials' });
  }
  
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (passwordMatch) {
    req.session.userId = user.id;
    return res.redirect('/dashboard');
  }
  
  return res.render('login', { error: 'Invalid credentials' });
});

// Better approach: Implementing account lockout
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const user = await db.getUserByUsername(username);
  
  if (!user) {
    // Use constant-time response for non-existent users
    await bcrypt.compare(password, '$2a$10$invalidhashvalue');
    return res.render('login', { error: 'Invalid credentials' });
  }
  
  // Check if account is locked
  if (user.lockedUntil && user.lockedUntil > new Date()) {
    return res.render('login', {
      error: 'Account is temporarily locked. Please try again later or reset your password.'
    });
  }
  
  const passwordMatch = await bcrypt.compare(password, user.password);
  if (passwordMatch) {
    // Reset failed attempts on successful login
    await db.resetFailedAttempts(user.id);
    req.session.userId = user.id;
    return res.redirect('/dashboard');
  }
  
  // Increment failed attempts
  const updatedUser = await db.incrementFailedAttempts(user.id);
  
  // Lock account after too many failed attempts
  if (updatedUser.failedAttempts >= MAX_FAILED_ATTEMPTS) {
    const lockUntil = new Date(Date.now() + LOCK_DURATION);
    await db.lockAccount(user.id, lockUntil);
  }
  
  return res.render('login', { error: 'Invalid credentials' });
});

Without account lockout mechanisms, attackers can make unlimited attempts to guess passwords through automated tools.To implement account lockout:

Lock accounts after a specified number of failed login attempts
Implement temporary lockouts with increasing durations
Provide alternative recovery methods for legitimate users
Log and alert on account lockouts
Consider implementing progressive security measures instead of hard lockouts
Use CAPTCHA or other verification methods after a few failed attempts

Introduction

Getting Started

Axon APIs

Cortex Features

Patterns

Integrations

Enterprise

Authentication Vulnerabilities