Improper Authentication
Authentication is incorrectly implemented — weak password rules, accepting tokens without verifying signature, accepting empty credentials, etc.
GateTest coverage
Example
if (req.body.password == storedPassword) { ... } — timing-attackable + no rate limit + no hashing.
How to fix it
Use a vetted auth library (Lucia, NextAuth, Devise, Spring Security). Hash passwords with bcrypt/argon2. Rate-limit login attempts. Verify JWT signatures and audience. authFlaws flags the common gaps.
Scan your repo for CWE-287
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-287 (Improper Authentication)?
Authentication is incorrectly implemented — weak password rules, accepting tokens without verifying signature, accepting empty credentials, etc.
How do I fix improper authentication?
Use a vetted auth library (Lucia, NextAuth, Devise, Spring Security). Hash passwords with bcrypt/argon2. Rate-limit login attempts. Verify JWT signatures and audience. authFlaws flags the common gaps.
Does GateTest detect improper authentication?
Yes — GateTest's authFlaws and secrets modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Improper Authentication in the CWE Top 25?
Improper Authentication is ranked #13 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).