A07: Identification and Authentication Failures
Launch a credential stuffing attack, find a valid password, and attempt to bypass MFA.
Interactive Simulation: Attack Chain
Perform a multi-stage attack from credential stuffing to login bypass.
How to Simulate
- **Attack (Defense OFF):** Launch the attack. The bot finds a password. Click "Attempt Login" to succeed.
- Click "Reset" and turn defense ON.
- **Attack (Defense ON):** Launch the attack again. The bot finds the password.
- Attempt to log in. You will be prompted for MFA. Enter any code and submit 3 times to get rate-limited.
Explanation
This category focuses on failures in how a system confirms user identity. Weaknesses can allow attackers to perform automated attacks such as credential stuffing (trying lists of passwords breached from other sites) or brute-force guessing.
This simulation shows a full attack chain: an automated bot finds a valid password, then the attacker uses it to log in. Without defenses, this leads to immediate compromise.
This defense combines two critical controls:
- **Multi-Factor Authentication (MFA):** Requires a second verification step, so a stolen password is not enough.
- **Rate Limiting:** Blocks an IP address after too many failed login or MFA attempts, stopping automated attacks.
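The following Python example is added here to show the server side of the simulation above; it is not code from the original page or from the simulation itself. It models a small login service whose `defense_on` flag corresponds to the Defense toggle: with defense off, a correct password alone authenticates; with defense on, a correct password only moves the session to an MFA step, and three failed attempts at either stage block that IP. The user, MFA code, attacker IP and candidate password list are all constructed sample values.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 3  # failed attempts per IP and stage before that IP is blocked


def _hash_password(password: str, salt: str) -> str:
    # PBKDF2 stands in here for a purpose-built password hash such as argon2 or bcrypt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class AuthService:
    """Login service with optional MFA and per-IP rate limiting (the 'defense' toggle)."""
    defense_on: bool = True
    users: dict = field(default_factory=dict)                          # user -> (salt, hash, mfa_code)
    failures: dict = field(default_factory=lambda: defaultdict(int))   # (ip, stage) -> failure count
    pending_mfa: dict = field(default_factory=dict)                    # ip -> user awaiting MFA

    def add_user(self, username: str, password: str, mfa_code: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = (salt, _hash_password(password, salt), mfa_code)

    def _blocked(self, ip: str, stage: str) -> bool:
        return self.defense_on and self.failures[(ip, stage)] >= MAX_FAILURES

    def _fail(self, ip: str, stage: str, result: str) -> str:
        self.failures[(ip, stage)] += 1
        # On the attempt that reaches the limit, report the block immediately
        return "rate_limited" if self._blocked(ip, stage) else result

    def login(self, ip: str, username: str, password: str) -> str:
        if self._blocked(ip, "login"):
            return "rate_limited"
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(_hash_password(password, record[0]), record[1]):
            return self._fail(ip, "login", "invalid_credentials")
        if not self.defense_on:
            return "authenticated"  # Defense OFF: a stolen password alone is enough
        self.pending_mfa[ip] = username  # Defense ON: password is only the first factor
        return "mfa_required"

    def verify_mfa(self, ip: str, code: str) -> str:
        if self._blocked(ip, "mfa"):
            return "rate_limited"
        username = self.pending_mfa.get(ip)
        if username is None:
            return "no_pending_login"
        if not hmac.compare_digest(code, self.users[username][2]):
            return self._fail(ip, "mfa", "invalid_mfa")
        del self.pending_mfa[ip]
        return "authenticated"


def run_chain(defense_on: bool) -> list:
    """Replay the simulation's attack chain and return each step's outcome."""
    svc = AuthService(defense_on=defense_on)
    svc.add_user("alice", "correct-horse", mfa_code="482913")  # constructed sample user
    ip = "203.0.113.7"                                           # constructed attacker IP
    # Constructed "breached" candidate list; the last entry is the valid password
    candidates = ["password123", "letmein", "correct-horse"]
    outcomes = [svc.login(ip, "alice", pw) for pw in candidates]
    if outcomes[-1] == "mfa_required":
        # The attacker holds no MFA device and submits wrong codes, as in the simulation
        outcomes += [svc.verify_mfa(ip, "000000") for _ in range(3)]
        # Once blocked, even the correct code is rejected for this IP
        outcomes.append(svc.verify_mfa(ip, "482913"))
    return outcomes


if __name__ == "__main__":
    print("Defense OFF:", run_chain(False))
    print("Defense ON: ", run_chain(True))
```

With `defense_on=False` the chain ends in `authenticated` as soon as the valid password is found; with `defense_on=True` it ends in `mfa_required` followed by `rate_limited`, and the block persists even for a correct MFA code. Two design points matter for a real deployment: the failure counters here never expire, whereas a production limiter should use a sliding time window (and typically also an account-level counter), and limiting by source IP alone does not stop an attacker who spreads attempts across many addresses, so MFA remains the control that actually makes the stolen password insufficient.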