Insufficient authentication occurs when an application permits an attacker to access sensitive content or functionality without having to properly authenticate; for instance, accessing admin controls by going to the /admin directory without having to log in.
For many web applications, administrative functionality is located directly off the root directory (/admin/). This directory is typically not linked from anywhere on the website but can still be accessed with a standard web browser. Users and developers often fail to enforce authentication on it, never expecting anyone to view the page because it is not linked. With this oversight, an attacker simply needs to request the page to obtain complete administrative access to the website.
As well as administrative access, insufficient authentication may also expose files such as Word, Excel, or PDF documents. These are often stored, or dynamically generated, in directories on the server that are not protected by an authentication check, so anyone who knows or guesses the path can retrieve them.
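The mitigation for both cases above is to enforce authentication centrally, so that an unlinked /admin/ page or a generated report can never be served without a verified identity. The following is an added illustration, not code from the original page: a framework-agnostic toy dispatcher whose route table, session store and handlers are constructed for the example, with authentication checked before any non-public handler runs (default deny).

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed session store (session id -> username). A real application
# would keep server-side session state, not a hard-coded token like this.
SESSIONS = {"s3ss10n-ok": "alice"}

@dataclass
class Response:
    status: int
    body: str

# Route table: every entry states explicitly whether it is public.
# Anything not marked public requires a session; "unlinked" is not "protected".
ROUTES: dict[str, tuple[bool, Callable[[Optional[str]], Response]]] = {}

def route(path: str, public: bool = False):
    def register(handler):
        ROUTES[path] = (public, handler)
        return handler
    return register

@route("/", public=True)
def home(user):
    return Response(200, "welcome")

@route("/admin/")          # not public: the unlinked admin directory
def admin(user):
    return Response(200, f"admin panel for {user}")

@route("/reports/q1.pdf")  # a generated document, also not public
def report(user):
    return Response(200, "%PDF-1.4 (constructed placeholder content)")

def dispatch(path: str, session_id: Optional[str]) -> Response:
    """Authenticate before routing: unknown paths 404, protected paths 401."""
    entry = ROUTES.get(path)
    if entry is None:
        return Response(404, "not found")
    public, handler = entry
    user = SESSIONS.get(session_id) if session_id else None
    if not public and user is None:
        # Default deny: a non-public handler never runs without an identity.
        return Response(401, "authentication required")
    return handler(user)
```

Because the check lives in `dispatch` rather than in each handler, forgetting it on one page is no longer possible; in a real framework the same role is played by a middleware or before-request hook.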