
Broken Authentication attacks aim to take over one or more accounts, giving the
attacker the same privileges as the attacked user.

Authentication is "broken" when attackers are able to compromise passwords, keys,
session tokens, user account information or other details in order to assume
another user's identity.

Types of Attacks:-
1) Session Hijacking :- The attacker obtains the session token of a user who is
engaged in an active session, for instance by placing himself between the user's
computer and the website's server (Facebook for instance) on an unencrypted
connection and capturing the token, and then replays that token so the server
treats the attacker's requests as the victim's.
2) Session Fixation :- The attacker first obtains a valid session ID from the
application and fixes (plants) that ID in the victim's browser, for instance via
a link that carries it in the URL. When the victim logs in and the application
keeps the same ID instead of issuing a new one, the attacker already knows the
ID of an authenticated session and can use it.
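The fixation scenario above, and the rotate-on-login / invalidate-on-logout /
idle-timeout handling that the prevention section calls for, simulated with a
toy in-memory session store. This is an added example, not code from the
original page; the names SessionStore, USERS and IDLE_TIMEOUT and the test
account are assumptions, and timestamps are passed in explicitly so the run is
deterministic.

```python
import hmac
import secrets

# Added example (not the page's own code): a toy in-memory session store used to
# show how session fixation works and why rotating the session ID at login,
# invalidating it at logout and expiring idle sessions defeat it. All names
# (SessionStore, USERS, IDLE_TIMEOUT) are hypothetical.

USERS = {"alice": "correct horse battery staple"}  # constructed test account
IDLE_TIMEOUT = 900  # seconds of inactivity before a session dies (assumed value)


class SessionStore:
    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # sid -> {"user": username or None, "last_seen": time}

    def new_session(self, now):
        # 32 random bytes: IDs must be unguessable, never sequential or user-derived.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid, username, password, now):
        expected = USERS.get(username)
        # Constant-time comparison; a real system compares against a password hash.
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        if sid not in self.sessions:
            sid = self.new_session(now)
        if self.rotate_on_login:
            # Hardened path: discard the pre-authentication ID (which an attacker may
            # have planted) and bind the authenticated state to a fresh one.
            del self.sessions[sid]
            sid = self.new_session(now)
        self.sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def current_user(self, sid, now):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # idle timeout: server-side invalidation
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Invalidate on the server; clearing the cookie in the browser alone is not enough.
        self.sessions.pop(sid, None)


def fixation_attack_succeeds(rotate_on_login):
    """Simulate session fixation: attacker plants a known ID, victim logs in with it."""
    store = SessionStore(rotate_on_login)
    t = 1_000_000.0
    planted_sid = store.new_session(t)  # attacker fetches a valid anonymous ID...
    # ...and gets it into the victim's browser, e.g. via a link carrying the ID in the URL.
    store.login(planted_sid, "alice", "correct horse battery staple", t + 1)
    # The attacker now presents the ID they already know.
    return store.current_user(planted_sid, t + 2) == "alice"


def session_survives_logout():
    store = SessionStore(rotate_on_login=True)
    t = 1_000_000.0
    sid = store.login(store.new_session(t), "alice", "correct horse battery staple", t)
    store.logout(sid)
    return store.current_user(sid, t + 1) is not None


def session_survives_idle(idle_seconds):
    store = SessionStore(rotate_on_login=True)
    t = 1_000_000.0
    sid = store.login(store.new_session(t), "alice", "correct horse battery staple", t)
    return store.current_user(sid, t + idle_seconds) is not None


if __name__ == "__main__":
    print("fixation without rotation:", fixation_attack_succeeds(False))  # True
    print("fixation with rotation:   ", fixation_attack_succeeds(True))   # False
```

The only difference between the vulnerable and hardened runs is whether the
pre-login ID is thrown away at authentication time; everything else (random
IDs, server-side store) is the same, which is why "session IDs not rotated after
login" is listed as its own risk factor.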

Steps to Reproduce :-
1)
2)
3)

Risk Factors:-
1) Predictable login credentials
2) User authentication credentials that are not protected when stored
3) Session IDs exposed in the URL (e.g. URL rewriting)
4) Session IDs vulnerable to session fixation attacks
5) Session IDs that do not time out or are not invalidated after logout
6) Session IDs that are not rotated after successful login.
7) Passwords, session IDs, and other credentials sent over unencrypted connections

Prevention :-
1) Use multifactor authentication
2) Do not send session IDs in URLs; carry them in cookies marked Secure and HttpOnly
3) Invalidate the session ID on the server after logout.
4) Do not leak session tokens via any header (e.g. the Referer header when the ID is in the URL)
5) Limit or increasingly delay failed login attempts
6) Check new passwords against lists of known weak or breached passwords
7) Issue a new session ID after every successful login
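Two of the controls in the prevention list, escalating delays for failed logins
and a weak-password check, in one toy login handler. This is an added example,
not the page's own code; LoginThrottle, the delay constants and WEAK_PASSWORDS
are assumptions (WEAK_PASSWORDS stands in for a real breached-password list),
and the clock is passed in so the behaviour is deterministic.

```python
import hmac

# Added example (not the page's own code). Escalating lockout after failed login
# attempts, tracked per account here (per source IP is the usual complement),
# plus a check of new passwords against a weak-password list. All names and
# constants are hypothetical.

WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}  # constructed stand-in
FREE_ATTEMPTS = 3   # failures allowed before delays start (assumed policy)
BASE_DELAY = 2      # seconds of delay after the first counted failure (assumed)
MAX_DELAY = 3600    # cap, so an attacker cannot lock a user out indefinitely
MIN_LENGTH = 12     # assumed minimum password length


class LoginThrottle:
    def __init__(self, credentials):
        self.credentials = credentials  # username -> password (a real system stores hashes)
        self.failures = {}              # username -> (failure count, next time an attempt is allowed)

    def delay_for(self, failures):
        """Seconds the account is blocked after the given number of consecutive failures."""
        if failures < FREE_ATTEMPTS:
            return 0
        # Exponential backoff: 2, 4, 8, ... seconds, capped at MAX_DELAY.
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

    def attempt(self, username, password, now):
        count, not_before = self.failures.get(username, (0, 0))
        if now < not_before:
            return "throttled"  # rejected without even checking the password
        expected = self.credentials.get(username)
        # Unknown user and wrong password give the same answer, so the response
        # cannot be used to enumerate valid usernames.
        if expected is not None and hmac.compare_digest(expected, password):
            self.failures.pop(username, None)  # success resets the counter
            return "ok"
        count += 1
        self.failures[username] = (count, now + self.delay_for(count))
        return "denied"

    def time_to_try(self, n_guesses):
        """Total waiting time an online guesser pays to make n consecutive wrong guesses."""
        return sum(self.delay_for(k) for k in range(1, n_guesses))


def is_acceptable_password(username, password):
    """Weak-password check; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in WEAK_PASSWORDS:
        return False, "on weak-password list"
    if username.lower() in password.lower():
        return False, "contains username"
    return True, "ok"


if __name__ == "__main__":
    throttle = LoginThrottle({"bob": "hunter2-but-longer"})
    for t in range(3):
        print(throttle.attempt("bob", "wrong", t))               # denied x3
    print(throttle.attempt("bob", "hunter2-but-longer", 3))     # throttled (blocked until t=4)
    print(throttle.attempt("bob", "hunter2-but-longer", 4))     # ok
    print("seconds to make 10 guesses:", throttle.time_to_try(10))  # 254
```

Note that the throttled branch blocks even a correct password until the delay
has elapsed; the cap on the delay matters because an attacker who can trigger
failures at will could otherwise lock the legitimate user out forever.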
