Broken authentication and session management in web developmentiFour Team - 26 May 2017
Today, almost every business on the globe maintains its own website for running their businesses. Most of them could be concentrating on making their websites more attractive and more appealing while at some point they forget or neglect to take safety measures for it. The minor negligence in the security measures can lead them to pay big for it. One has to take possible steps to ensure their website security.
Remember, your website is your brand, your image, and first contact with customers. If that website is not safe then your critical business can be at risk. The threats may come in many ways infecting websites with malware to spread it to site visitors. A single security breach can be a killer for a small company. Even if the security breach in small business doesn’t trigger sensitive data breach, it still can impact on customer trust in view of web development companies.
What is Broken authentication?
Authentication and Authorization are such crucial things that play a significant role in any platform. It comes under those steps which you need and ensure to take care of. The more you keep attention, the more you will be safe from vulnerability.
Broken authentication and session management is currently ranked 2nd on the OWASP top 10 vulnerabilities 2017. It is a vulnerability which allows an attacker to bypass the authentication methods to prevent the unauthorized person. There are many authentication schemes including biometric scanner, username and password, picture password, etc. Among all, the most common authentication method is to use username and password as login credentials. The Web application should protect these credentials in order to protect it from the breach. These are the ways in which a web application may fail to protect the credentials.
- Unencrypted connections
- Predictable credentials
- Session-id time-out gets fail or does not get invalidated after logout
- User authentication credentials are not protected when stored
- Session-ids are used in URL
Any information we send or receive with web application can be intercepted without our knowledge. Your password, username, or session is may be tracked somewhere.
Prevention: Enable encryption on requests that contain sensitive information
If the user sets predictable or easily guessed credentials in his account, any unauthorized user can get access to it.
Prevention: Set a password in such a way that it can’t be predicted. Users can use a combination of numbers, alphabets, and symbols.
Session-id time-out gets fail or does not get invalidated after logout
The Application does not discard the session id after some amount of time or logging out. It fails to prevent session-id value.
Prevention: Invalidate the session-id after predetermined time or log off.
User authentication credentials are not protected when stored
If the stored user credentials are stolen, then it can be used by any unauthorized entity to gain access to the system.
Prevention: All the credentials should be hashed and then stored.
Session-ids are in URL
Session id value is transmitted to a URL string where it can be visible to an attacker. It fails to protect session-id.
Prevention: Make sure all the information is sent into the body part of the post request.
How vulnerability can be compromised?
Here are some examples of weak authentication protection on one of the test web application.
The login page has not secured connection which can be known with browser notification.
System is allowing user to set password which can easily be guessed.
Login credentials are not communicated by encrypting the first. You can see password can easily be tracked.
Affected items: Login page (If breached then whole website may be at risk)
Broken authentication and session management has become a priority for software development companies to secure the system from the breach. While developing, any critical web application developers have to take authentication-related steps into consideration to protect it from the attacker. For any web application, login page is most the critical page. So, by performing some security steps for the login page, we can protect our whole web application.