Broken Authentication and Session Management can expose user data such as credentials or other sensitive private data, and can also enable privilege escalation.
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
By exploiting such a vulnerability, an attacker may hijack user sessions and read or modify information they are not authorized to access.
How to Prevent
The OWASP Top 10 entry for this category (A2:2017 Broken Authentication) lists the following measures for preventing misconfigured or insecure implementations:
- Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
- Do not ship or deploy with any default credentials, particularly for admin users.
- Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
- Align password length, complexity and rotation policies with NIST 800-63 B’s guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
- Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
- Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
- Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs must not appear in the URL, must be stored securely, and must be invalidated on logout and after both idle and absolute timeouts.
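The following Python module is an added example (not code from the page or from OWASP) that turns three of the measures above into working logic: a weak-password check with a length floor and a blocklist (the six-entry `WEAK_PASSWORDS` set is a constructed stand-in for a real top-10,000 list), a login that returns the same message and does the same hashing work whether or not the username exists, and a per-account delay that doubles with each failure, logs every failure and emits an alert line once a threshold is reached. The `LoginService` class, the `clock` parameter and all thresholds are this example's own choices.

```python
"""Login hardening: weak-password blocklist, enumeration-safe responses and
progressive lock-out. Added example; the user store and word list are constructed."""
import hashlib
import hmac
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a "top 10,000 worst passwords" list; load a real
# list (or query a breach corpus) in production.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1"}
MIN_LENGTH = 8            # NIST SP 800-63B floor for user-chosen memorized secrets
PBKDF2_ITERATIONS = 600_000
MAX_DELAY = 300           # cap on the lock-out delay, in seconds
ALERT_THRESHOLD = 5       # consecutive failures that trigger an operator alert
GENERIC_FAILURE = "Invalid username or password"  # identical text for every outcome

log = logging.getLogger("auth")


def check_new_password(password: str) -> List[str]:
    """Return policy violations for a new or changed password (empty list = OK).
    Length floor plus blocklist; no composition or rotation rules (NIST 800-63B)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak-password blocklist")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive failed attempts
    locked_until: float = 0  # clock value; 0 = not locked


class LoginService:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.users: Dict[str, Account] = {}
        self.clock = clock  # injectable so expiry can be tested without sleeping
        # Dummy credential so unknown usernames cost the same hashing time
        self._dummy_salt, self._dummy_digest = hash_password(secrets.token_hex(16))

    def register(self, username: str, password: str) -> None:
        problems = check_new_password(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.users[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        acct = self.users.get(username)
        salt = acct.salt if acct else self._dummy_salt
        digest = acct.digest if acct else self._dummy_digest
        # Always run the hash, even for unknown users, so response time does
        # not reveal whether the username exists.
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, digest)
        if acct is None:
            log.warning("login failure user=%r reason=unknown-user", username)
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            # Correct passwords are rejected too while the delay is running,
            # so the lock-out itself cannot be used as a password oracle.
            log.warning("login failure user=%r reason=throttled", username)
            return False, GENERIC_FAILURE
        if not ok:
            acct.failures += 1
            delay = min(2 ** (acct.failures - 1), MAX_DELAY)  # 1, 2, 4, 8 ... seconds
            acct.locked_until = now + delay
            log.warning("login failure user=%r failures=%d delay=%ds",
                        username, acct.failures, delay)
            if acct.failures >= ALERT_THRESHOLD:
                log.error("ALERT possible brute force or credential stuffing against %r", username)
            return False, GENERIC_FAILURE
        acct.failures = 0
        acct.locked_until = 0
        return True, "ok"
```

Per-account delays stop online guessing against one user; credential stuffing spreads a few attempts over many accounts, so in practice this is paired with per-source rate limiting and the alert line above feeding a detection rule.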
Example Attack Scenarios for Broken Authentication or Session Management
The same OWASP Top 10 entry gives the following three example attack scenarios:
Scenario #1: Credential stuffing, the replay of username/password pairs leaked in other breaches, is a common attack. If an application does not implement automated-threat or credential stuffing protection, it can be used as a password oracle to determine which of the leaked credentials are still valid.
Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.
Scenario #3: Application session timeouts aren’t set properly. A user uses a public computer to access an application. Instead of selecting “log out” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
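The session-manager requirements in the prevention list and the timeout failure in Scenario #3 are demonstrated by this added Python example (not code from the page or from OWASP). The store keeps all session state server-side, mints IDs from the OS CSPRNG, issues a fresh ID on login and discards the pre-login one, enforces separate idle and absolute timeouts, and deletes the session on logout so a stale cookie cannot be replayed. The `SessionStore` class, the timeout values and the `clock` parameter are this example's own choices; the cookie attributes in `session_cookie` are standard `Set-Cookie` flags.

```python
"""Server-side session store: high-entropy IDs, rotation on login, idle and
absolute timeouts, logout invalidation. Added example with a constructed store."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds without a request before expiry
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds after login before re-authentication is forced


@dataclass
class Session:
    user: Optional[str]   # None for an anonymous, pre-login session
    created: float        # clock value at login (drives the absolute timeout)
    last_seen: float      # clock value of the last request (drives the idle timeout)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT):
        self._sessions: Dict[str, Session] = {}
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.idle = idle
        self.absolute = absolute

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, not guessable
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous session, e.g. for a shopping cart before login."""
        sid = self._new_id()
        now = self.clock()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, old_id: Optional[str], user: str) -> str:
        """Bind the user to a fresh ID and drop the pre-login one, so an ID an
        attacker planted before authentication (session fixation) stays useless."""
        if old_id is not None:
            self._sessions.pop(old_id, None)
        sid = self._new_id()
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None. Expired sessions are
        deleted here, on the server, so a stale cookie cannot be replayed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.created > self.absolute or now - s.last_seen > self.idle:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        # Invalidate server-side; merely clearing the browser cookie would
        # leave the session usable by anyone who captured the ID.
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the ID: not readable by script, HTTPS only,
    not attached to cross-site requests; the ID never appears in a URL."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

With these timeouts the public-computer case in Scenario #3 resolves to `None` an hour later: the idle limit has passed, the server has already deleted the session, and the cookie left in the browser is worthless.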
The content of this article is Creative Commons Attribution-ShareAlike v4.0.