Broken authentication and session management in web development
Your website is your brand, your image and the first point of contact with customers. If that website is not secure, your business is at risk. Threats come in many forms, such as infecting the site with malware that is then spread to its visitors. A single security breach can be fatal for a small company. Even if a breach at a small business does not expose sensitive data, it can still damage customer trust in view of
What is Broken authentication?
Broken Authentication is ranked second (A2) in the OWASP Top 10 2017. It covers weaknesses that let an attacker bypass or subvert the checks meant to keep unauthorized users out, either by obtaining a user's credentials or by taking over an authenticated session. There are many authentication schemes, including biometric scanners, picture passwords and, most commonly, a username and password. A web application must protect both the credentials and the session that a successful login produces. These are the common ways in which a web application fails to do so:
- Unencrypted connections
- Predictable credentials
- Session-id does not time out or does not get invalidated after logout
- User authentication credentials are not protected when stored
- Session-ids are used in URL
Unencrypted connections
Anything sent to or received from a web application over plain HTTP can be read or modified by anyone on the path (on the same Wi-Fi network, at the ISP, or at a proxy) without the user noticing. A username, password or session id sent in clear text can be captured and replayed.
Prevention: Serve the whole application over HTTPS, not just the login page, redirect HTTP requests to HTTPS and send the Strict-Transport-Security header so browsers never fall back to clear text. Mark session cookies Secure so they are never sent over HTTP.
Predictable credentials
If a user is allowed to set a predictable or easily guessed password, anyone can gain access to the account by guessing, by trying a list of common passwords, or by reusing credentials leaked from another site.
Prevention: Enforce the policy on the server rather than leaving it to the user: require a sensible minimum length, reject passwords that appear on common or breached-password lists and passwords that contain the username, and throttle or lock out repeated failed logins so guessing cannot be automated. Merely requiring a mix of numbers, letters and symbols is not enough, since "Password1!" satisfies that rule and is still guessable.
Session-id does not time out or does not get invalidated after logout
The application does not discard the session id after a period of inactivity or when the user logs out. A captured or forgotten session id (for example on a shared computer) then stays usable indefinitely, so the application fails to protect the session id's value.
Prevention: Expire sessions on the server after a predetermined idle period and after an absolute lifetime, and invalidate the session server-side on logout. Deleting the cookie in the browser alone is not enough, because the id is still accepted if someone else presents it.
User authentication credentials are not protected when stored
If stored user credentials are stolen (through a database dump, a backup, or SQL injection), an unauthorized party can use them to gain access to the system, and, since passwords are widely reused, to other systems too.
Prevention: Never store passwords in plain text or reversibly encrypted. Store only a salted hash produced by a slow, password-specific function (bcrypt, scrypt or Argon2) so that a stolen table cannot be cracked quickly, and compare hashes with a constant-time comparison.
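The two credential controls above, a server-enforced password policy and salted slow hashing of the stored password, as an added example that is not code from the original page. It uses only the Python standard library; the common-password list, the minimum length and the scrypt cost parameters are assumptions chosen for illustration and should be tuned (and the list replaced with a real breached-password set) in a deployment.

```python
import hashlib
import hmac
import os
from typing import List

# Constructed, illustrative list; a real check uses a large breached-password set (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1", "password1!"}
MIN_LENGTH = 12  # assumed policy value

# scrypt cost parameters (assumption: 16 MiB of memory per hash; raise as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def check_password_policy(password: str, username: str) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str) -> str:
    """Salted scrypt hash, serialised with its parameters so they can be raised later."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password: identical passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest, expected)


def register(username: str, password: str) -> str:
    """Apply the policy, then return the record to store instead of the password."""
    problems = check_password_policy(password, username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)
```

Because the salt is random, two users with the same password get different records, and the stored string carries its own cost parameters, so the policy can be tightened later without invalidating existing accounts.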
Session-ids are in URL
The session id is placed in the URL query string (for example `?sid=...`), where it is exposed in browser history, proxy and server logs, bookmarks, and the Referer header sent to any third-party site the page links to. Anyone who sees the URL can present the id and take over the session.
Prevention: Carry the session id only in a cookie marked Secure, HttpOnly and SameSite, reject ids presented in the URL, and send other sensitive data in the body of a POST request rather than in the query string.
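A minimal server-side session store that implements the two session controls above (idle and absolute timeouts, and invalidation on logout), issues the cookie with the protective attributes, and flags a session id that has leaked into a URL. This is an added example, not code from the original page; the timeout values and cookie name are assumptions for illustration, and the store takes an injectable clock so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration; choose them for the application's risk level.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which the session is discarded
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime cap, even for a continuously active session
COOKIE_NAME = "sid"           # assumed cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the client only ever holds an opaque random id."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: not guessable, not derived from the user, time or a counter
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None; an expired session is deleted on sight."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        # Invalidate on the server: clearing the browser cookie alone leaves the id usable.
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure keeps it off plain HTTP, HttpOnly hides it from page scripts,
    SameSite stops cross-site requests from carrying it."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")


def url_carries_session_id(url: str) -> bool:
    """True when a session id travels in the query string, where logs and Referer headers expose it."""
    return COOKIE_NAME in parse_qs(urlsplit(url).query)


def demo() -> dict:
    """Walk through login, idle timeout and logout with a controllable clock."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    results = {"after_login": store.lookup(sid)}
    now[0] += IDLE_TIMEOUT + 1
    results["after_idle_timeout"] = store.lookup(sid)      # None: idle limit exceeded
    sid2 = store.create("alice")
    store.logout(sid2)
    results["after_logout"] = store.lookup(sid2)           # None: invalidated server-side
    results["url_leak"] = url_carries_session_id(f"https://example.test/account?{COOKIE_NAME}={sid2}")
    results["cookie_secure"] = "Secure" in session_cookie_header(sid2)
    return results
```

Note that `lookup` enforces both limits: the idle timeout catches an abandoned session, while the absolute timeout bounds how long a captured id is worth to an attacker even if they keep it alive with periodic requests.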
How the vulnerability can be exploited
Here are two examples of weak authentication protection observed on a test web application.
- The system allows the user to set a password that can easily be guessed.
- Login credentials are sent over an unencrypted connection, so the password can be captured in transit by anyone on the network path.
Affected items: Login page (if it is breached, the whole website may be at risk)