Overview
Learn about A01, A07, and A09 in how they relate to failures in the applied IAAA model. This TryHackMe room explores the OWASP Top 10 2025 categories that involve failures in Identification, Authentication, Authorization, and Accounting (IAAA) security controls.
The IAAA Security Model
What does IAAA stand for?
Answer: Identity, Authentication, Authorisation, Accountability
The IAAA model represents the four fundamental security controls that protect systems and data:
- Identification: Claiming an identity (username, email, etc.)
- Authentication: Proving that identity (passwords, biometrics, etc.)
- Authorization: Determining what actions are allowed for that identity
- Accounting: Tracking and logging activities for audit purposes
Failures in any of these areas can lead to severe security vulnerabilities, as covered in the OWASP Top 10 2025.
OWASP Top 10 2025 Categories Covered
A01:2025 - Broken Access Control
Broken Access Control occurs when restrictions on what authenticated users are allowed to do are not properly enforced.
- IAAA Relation: Primarily affects Authorization
- Common Issues: Privilege escalation, IDOR, insecure direct object references
- Impact: Unauthorized access to sensitive data or functionality
A07:2025 - Identification and Authentication Failures
Previously known as A02:2021 Broken Authentication, this category covers failures in authentication mechanisms.
- IAAA Relation: Affects Identification and Authentication
- Common Issues: Weak passwords, credential stuffing, session management flaws
- Impact: Account takeover and unauthorized access
A09:2025 - Security Logging and Monitoring Failures
Previously A10:2021 Insufficient Logging & Monitoring, this category covers failures in security event detection and response.
- IAAA Relation: Affects Accounting
- Common Issues: Missing logs, inadequate monitoring, delayed detection
- Impact: Undetected breaches and prolonged attacker presence
A01:2025 - Broken Access Control
What is Broken Access Control?
Broken Access Control occurs when an application does not properly restrict user access to sensitive resources or functions. This allows users to perform actions they shouldn't be authorized to do.
Common Attack Patterns
- IDOR (Insecure Direct Object References): Accessing resources by manipulating identifiers
- Privilege Escalation: Gaining higher privileges than intended
- Directory Traversal: Accessing files outside intended directories
- API Access Control: Insufficient restrictions on API endpoints
Prevention Measures
- Implement proper role-based access control (RBAC)
- Use access control lists (ACLs) for resources
- Validate user permissions on every request
- Implement the principle of least privilege
- Use centralized authorization services
Testing for Broken Access Control
- Test parameter manipulation in URLs
- Attempt horizontal privilege escalation
- Try vertical privilege escalation
- Test API endpoints with different user roles
- Check for missing authorization checks
Practical Questions
2.1 If you don't get access to more roles but can view the data of another users, what type of privilege escalation is this?
2.2 What is the note you found when viewing the user's account who had more than $ 1 million?
Answer: THM{Found.the.Millionare!}
3. What is the flag on the admin user's dashboard?
Answer: THM{Account.confusion.FTW!}
A07:2025 - Identification and Authentication Failures
Authentication vs Authorization
While often confused, authentication and authorization serve different purposes:
- Authentication: Verifies "Who you are" (login credentials)
- Authorization: Determines "What you can do" (permissions)
Common Authentication Vulnerabilities
- Weak Password Policies: No complexity requirements or length limits
- Credential Stuffing: Using breached credentials from other sites
- Session Management Issues: Predictable session IDs, long session timeouts
- Password Reset Flaws: Weak reset mechanisms
- Multi-Factor Authentication Bypass: Weak implementation or missing 2FA
Session Management Best Practices
- Use cryptographically secure random session IDs
- Implement proper session timeout policies
- Regenerate session IDs after authentication
- Use secure cookies with proper flags (HttpOnly, Secure, SameSite)
- Implement concurrent session limits
Password Security
- Enforce strong password policies
- Implement password hashing with appropriate algorithms (Argon2, bcrypt)
- Use salt and pepper for additional security
- Implement account lockout policies
- Provide secure password reset mechanisms
A09:2025 - Security Logging and Monitoring Failures
Importance of Logging
Effective logging and monitoring are crucial for:
- Detecting security incidents
- Investigating breaches
- Compliance with regulations
- Understanding attack patterns
- Improving security posture
Common Logging Failures
- Missing Logs: Important events not being logged
- Inadequate Log Detail: Insufficient information in log entries
- Log Tampering: Attackers can modify or delete logs
- No Monitoring: Logs collected but not reviewed
- Delayed Detection: Incidents not detected in time
What to Log
- All authentication attempts (successful and failed)
- Authorization failures and privilege changes
- Input validation failures
- Session management events
- Server-side errors and exceptions
- High-value business logic events
Log Management Best Practices
- Use structured logging formats (JSON, CEF)
- Implement log rotation and retention policies
- Protect logs from tampering (immutable storage)
- Implement real-time monitoring and alerting
- Use SIEM systems for log correlation
- Regular log review and analysis
Practical Questions
4.1 It looks like an attacker tried to perform a brute-force attack, what is the IP of the attacker?
4.2 Looks like they were able to gain access to an account! What is the username associated with that account?
4.3 What action did the attacker try to do with the account? List the endpoint the accessed.
Answer: /supersecretadminstuff
IAAA Model in Practice
Identification Failures
- Weak username policies
- Missing user enumeration protection
- Predictable user identifiers
- Information disclosure in error messages
Authentication Failures
- Weak password requirements
- Missing rate limiting on login attempts
- Vulnerable password storage
- Session fixation vulnerabilities
- Weak or missing MFA implementation
Authorization Failures
- Missing access controls
- Insecure direct object references
- Privilege escalation vulnerabilities
- Missing function-level authorization
- Over-privileged default accounts
Accounting Failures
- Insufficient audit logging
- Missing security event monitoring
- No intrusion detection capabilities
- Lack of incident response procedures
- Poor log retention and analysis
Practical Examples
Broken Access Control Example
# Vulnerable URL pattern
/user/profile?id=123
# Attacker can access other users' profiles by changing the ID
/user/profile?id=124
/user/profile?id=125
Authentication Failure Example
# Weak session management
Set-Cookie: session_id=123456; Path=/; HttpOnly
# Predictable session IDs can be brute-forced
Set-Cookie: session_id=123457; Path=/; HttpOnly
Set-Cookie: session_id=123458; Path=/; HttpOnly
Logging Failure Example
# Missing critical security events
[INFO] User login successful: admin
[INFO] File uploaded: document.pdf
# No logging of failed authentication attempts
# No logging of authorization failures
Testing Methodology
Authentication Testing
- Test for weak password policies
- Attempt credential stuffing attacks
- Test session management weaknesses
- Check for password reset vulnerabilities
- Verify MFA implementation strength
Authorization Testing
- Test for IDOR vulnerabilities
- Attempt privilege escalation
- Test access to restricted resources
- Verify role-based access controls
- Check for missing authorization checks
Logging Testing
- Review what events are logged
- Test log tampering prevention
- Verify log retention policies
- Check monitoring and alerting
- Assess incident response capabilities
OWASP Testing Guide References
- OTG-AUTHN-001: Testing for Credentials Transported over an Encrypted Channel
- OTG-AUTHN-002: Testing for Default Credentials
- OTG-AUTHN-003: Testing for Weak Lock Out Mechanism
- OTG-AUTHZ-001: Testing Directory Traversal File Include
- OTG-AUTHZ-002: Testing for Bypassing Authorization Schema
- OTG-AUTHZ-003: Testing for Privilege Escalation
Defense in Depth
Multi-Layer Security
- Network Layer: Firewalls, network segmentation
- Application Layer: Input validation, secure coding
- Data Layer: Encryption, access controls
- Monitoring Layer: Logging, alerting, SIEM
- Response Layer: Incident response, forensics
Zero Trust Architecture
- Never trust, always verify
- Implement least privilege access
- Use micro-segmentation
- Continuous authentication and authorization
- Comprehensive logging and monitoring
Industry Standards and Compliance
Relevant Standards
- OWASP Top 10: Web application security standard
- NIST SP 800-63: Digital identity guidelines
- ISO 27001: Information security management
- PCI DSS: Payment card industry standards
- HIPAA: Healthcare data protection
Compliance Requirements
- Multi-factor authentication for privileged accounts
- Regular access reviews and audits
- Comprehensive security logging
- Incident response planning
- Regular security assessments
Tools and Resources
Testing Tools
- Burp Suite: Web application testing and authentication testing
- OWASP ZAP: Automated security scanning
- Postman: API testing and authorization checks
- Dirbuster/Gobuster: Directory enumeration and access control testing
- Hydra: Password cracking and brute force testing
Monitoring Tools
- ELK Stack: Log aggregation and analysis
- Splunk: Security information and event management
- OSSEC: Host-based intrusion detection
- Fail2Ban: Automated response to suspicious activity
Resources
- OWASP Cheat Sheet Series: Security best practices
- OWASP Testing Guide: Comprehensive testing methodology
- MITRE ATT&CK: Adversarial tactics and techniques
- CIS Controls: Security configuration guidelines
Real-World Impact
IAAA failures are responsible for the majority of data breaches:
- Financial Impact: Billions lost annually to authentication failures
- Data Breaches: 80% involve weak or stolen credentials
- Compliance Violations: GDPR, CCPA, and other privacy regulations
- Reputational Damage: Loss of customer trust and business relationships
Lessons Learned
- IAAA controls must work together as a cohesive security model
- Authentication alone is insufficient without proper authorization
- Logging and monitoring are essential for detection and response
- Security is not a one-time implementation but ongoing maintenance
- Defense in depth provides multiple layers of protection
- Regular testing and validation are crucial for security effectiveness
- User education complements technical controls
- Compliance standards provide valuable security guidance