Broken Authentication and Session Management Vulnerabilities (A2:2017) is an OWASP listed vulnerability that recognizes the risk of credentials due to poor identity and access controls implementation.
The Online Web Application Security Project (OWASP) manages a standard awareness database listing the top ten critical security risks to web applications. These are globally recognized threats identified and updated by an open community to guide teams in creating secure applications.
But before we start:
OWASP and Session Management
The OWASP list, which is updated every two or three years, ranks security vulnerabilities based on frequency, severity, and magnitude of possible attacks and then recommends remediation techniques so that developers can build secure code.
In session management vulnerabilities, the attackers manually detect gaps in user validation and verification, then use automated tools to retrieve further information and gain deeper control of the application. Authentication and session management are crucial elements of modern application security frameworks since attackers are always looking for ways to exploit security implementation flaws to gain access.
Given modern applications’ complex and integrated nature, scanning for broken authentication and session management vulnerabilities can be a formidable task. This post introduces broken authentication and session management vulnerabilities, highlighting the best practices and tools to ensure a secure implementation.
Broken Authentication and Session Management Vulnerabilities
Exploiting a broken authentication, an attack is typically initiated by taking advantage of poorly managed credentials and login sessions to masquerade as authenticated users. This usually is related to a scenario as follows:
A session is a succession of events and transactions that are associated with the same user for a certain time frame. Once a user has logged on to a system, they are granted a unique Session ID (Cookies, URL Parameters, Authentication Tokens, etc) that allows for communication between the user and web app for the valid session. Many developers fail to develop the right parameters for sessions, making it easier for a hacker to hijack the session ID and gain unauthorized system access. Additionally, some developers fail to set time restrictions and rotation plans for sessions, allowing attackers to impersonate users already logged in to the system.
With companies moving more of their sensitive and valuable data to the cloud, hackers are increasingly targeting web applications for their attacks. As a result, broken authentication and session management vulnerabilities are considered as the Top 2 vulnerabilities on the OWASP list since using a valid user’s credentials is the easiest way for attackers to access off-limits systems.
Such attacks are also easier and more popular with modern attackers since the vulnerabilities are often neglected by software companies.
These malicious actors rely on a number of techniques to steal credentials, guess them, or deceive users into revealing them, including:
- Credential stuffing
- Password spraying
Security Assessment Level
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Examples of broken authentication and session management attacks
Once an attacker has gotten hold of a legitimate user’s credentials, they can directly access and manipulate transactions associated with the compromised account. Attackers can then orchestrate further attacks within the system without raising suspicion by the user or administrators.
Some common session management techniques that take advantage of broken authentication and session management vulnerabilities include:
Session ID Hijacking
In such an attack mechanism, attackers steal users’ valid session IDs and use them to impersonate user identities. In such instances, hackers wait till a user navigates away from their browser/device without logging out, and then continue to exploit the already established user session.
Most often, a hacker also takes advantage of session IDs that appear on the URL of the session. To do so, the attacker typically copies the session ID and uses it to log in under the same user by appending it to the HTTP request/web app’s URL.
Credential Stuffing/Brute Force Attacks
In this case, hackers try to use credential data obtained from one server to gain access to an unrelated service. Credential stuffing is often known as Brute Force Attack which has been steadily gaining traction in modern cybersecurity on account of stolen credentials. Typically, attackers combine these stolen lists of known passwords with automated bots to bypass authentication checks and masquerade as legitimate users.
Cross-Site Scripting (XSS)
XSS is a type of server-side injection attack where the hacker includes malicious code on a valid web page or application to execute compromising scripts. They typically orchestrate these attacks to transform a website’s content or redirect users to other web pages/applications running malicious code. XSS attacks enable attackers to compromise the system through:
- Cookie theft
- Trojan planting
- Identity theft
Session Fixation Attacks
In such attacks, the attacker hijacks a valid user session after a successful login tricking the user into authenticating themselves with a specified valid Session ID. When the user connects using this Session ID, the attacker uses the created session hijacking to log in to the user’s account. Hackers execute such attacks using various techniques, including:
- Adding to the session ID in the URL argument
- Hiding the session token in an illegitimate login form field
- Appending a cookie with the session ID
Additionally, you can check the OWASP Cheat Sheet listed attack examples.
Impact of Broken Authentication Attacks
Once a malicious actor gains unauthorized access to sensitive company data, they can compromise both the server and information. Some impacts of successful broken authentication and session management attacks include:
Some attackers impersonate valid users to penetrate further within the system, resulting in effects, such as:
- Generation of malicious programs resulting in network disruption
- Substandard User Experience (UX)
- Identity Theft
Depending on how sensitive the compromised data is and the level of privilege hackers obtain, broken authentication and session management attacks can create business loss through:
- Loss of critical business data
- Sharing of fraudulent emails
- Loss of reputation
- Reduced Revenues
Best practices: Preventing Broken Authentication and Session Management Attacks
While they are known and highly preventable, broken authentication and session management attacks are common due to software teams ignoring the vulnerabilities. There are also proven practices that organizations can adopt to reduce the chances of such attacks.
Following are some best practices and popular tools that can help reduce organizations’ susceptibility to session management attacks.
Best Practices to Protect Applications
While it is impractical to point out and remediate each instance of broken authentication vulnerabilities, the following minimum security measures form the foundation of successful session management:
Enable Multi-Factor Authentication
Multi-Factor Authentication (MFA) makes it harder for malicious actors to access a system by adding at least one more layer of security to the authentication process. With MFA, security teams can enable users to register an item, such as a cellphone or biometric data, then combine it with the traditional login process for stronger security checks. With MFA, software organizations can bolster application security without impacting user experience.
Implement Strong Password Policies
It is important to select an Identity and Access (IAM) management solution that helps users easily create strong, unique, and effective passwords. These platforms automatically reject weak, common passwords and follow the NIST guidelines on creating passwords that are difficult to replicate. Most trusted IAM solutions also notify administrators when weak passwords have been compromised.
Utilize Virtual Private Networks (VPNs)
VPNs greatly reduce the risk of an organization’s credentials being leaked to malicious actors by encrypting personal information, financial transactions, and web sessions. VPNs conceal the IP address of machines communicating in a session, reducing the likelihood of identity theft. With VPNs, even if hackers orchestrate a man-in-the-middle attack, it gets difficult for them to make sense of the message being transmitted.
Use a Web Application Firewall (WAF)
A Web Application Firewall helps boost application security by identifying and blocking malicious IP addresses while also scanning web traffic for threats and vulnerabilities. WAFs are highly customizable, which allows teams to create site-specific rules for their applications. A WAF is typically deployed through a reverse proxy to inspect every packet for pinpointing harmful traffic that may compromise the system.
Limit Failed Login Attempts
When implementing Brute-Force/Credential stuffing attacks, hackers are motivated by the fact that their attempts go undetected to attempt multiple logins. To mitigate such incidents, the Identity and Access management system must be configured to flag suspicious behavior and limit the number of login attempt(s).
Secure Session Access
Developers and security teams should tailor session length and parameters to the organization’s specific use case. A streaming video service, for instance, can have week-long sessions so that users don’t have to pass authentication checks every time they log in. A banking app, on the other hand, should terminate its session immediately after a customer exits since they are more likely to be hijacked.
Session IDs should also be frequently rotated and invalidated to prevent session fixation for other users. They should not be exposed in the URL (e.g., allowing URL rewriting).
Popular Tools to Prevent Broken Authentication Attacks
The prevalence of broken authentication attacks has led to the development of security tools that offer the ability to detect and remediate session management attacks. Some of the popular broken authentication prevention tools include:
Crashtest Security is an end-to-end vulnerability scanning tool that enables software firms to secure their web applications and APIs. Crashtest integrates seamlessly into modern DevOps toolchains, baking security monitoring, and vulnerability scanning into the CI/CD pipeline. With Crashtest’s continuous testing, organizations can assess their applications’ against the OWASP Top 10, including broken authentication and session management to improve their overall security posture.
HDIV is a web application security framework covering business logic flaws and security bugs throughout the Software Development Life Cycle (SDLC). HDIV employs a runtime dataflow technique to find weaknesses in application source code before hackers can exploit them. The unified web application security framework controls the flow of information between users and web browsers, evading most web risks.
Invicti (formerly NetSparker) is an automatic application security testing tool that reduces attack risk by automating testing and providing visibility. Invicti takes a dynamic and interactive approach to security testing, enabling accurate, quick, and comprehensive vulnerability scanning.
Metasploit is an open-source penetration testing solution that provides a framework for security teams to compose tests. The project started as a collection of exploits but is now a complete suite that provides advanced features for developing penetration testing tools.
Nessus is a vulnerability scanner that looks for misconfiguration, default passwords, and broken authentication vulnerabilities. The platform works on most devices, including hypervisors, databases, network devices, operating systems, and critical infrastructure. Nexxus delivers the results of scans through reports in various formats, including HTML, XML, and LaTeX, among others.
Broken authentication and session management attacks are widely popular in modern data breaches since they can impersonate a valid user and penetrate the systems for wider exploitation. Without adequate security controls, hackers rely on known mechanisms to access crucial system accounts, leading to social security fraud, money laundering, and identity theft, depending on the application’s domain.
Crashtest Security offers various tools to enable full-scale vulnerability scanning and is trusted by several software vendors and organizations globally to deploy safer web applications through vulnerability scanning and assessment. Start your 14-day trial with the suite to explore how Crashtest Security can help improve developer productivity and reduce security testing budgets.