Which of the following scenarios is most likely to result in broken authentication and session management vulnerability?

OWASP Top Ten 2017: A2:2017-Broken Authentication

Risk rating (OWASP 2017 scale, 1 = low, 3 = high):

Threat Agents / Attack Vectors: App. Specific; Exploitability: 3
Security Weakness: Prevalence: 2; Detectability: 2
Impacts: Technical: 3; Business: ?

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.
Attackers can detect broken authentication using manual means and exploit it using automated tools with password lists and dictionary attacks.

Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.

Is the Application Vulnerable?

Confirmation of the user’s identity, authentication, and session management are critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:

* Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
* Permits brute force or other automated attacks.
* Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin“.
* Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”, which cannot be made safe.
* Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
* Has missing or ineffective multi-factor authentication.
* Exposes Session IDs in the URL (e.g., URL rewriting).
* Does not rotate Session IDs after successful login.
* Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.

How to Prevent

* Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
* Do not ship or deploy with any default credentials, particularly for admin users.
* Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords.
* Align password length, complexity and rotation policies with NIST SP 800-63B’s guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence-based password policies.
* Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
* Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
* Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, should be securely stored, and should be invalidated after logout, idle, and absolute timeouts.
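The credential-side controls from the list above, brought together as one added example (illustrative code written for this page, not OWASP's or any project's implementation): a blocklist check on new passwords, salted PBKDF2 hashing, one identical failure message whether the username exists or not, an exponentially increasing delay after each failure, and an in-memory audit list standing in for the real log and alerting. The blocklist contents, the user names, the IP address, the threshold and delay values, and the `AuthService` and `FakeClock` classes are all constructed for the example; the PBKDF2 iteration count is set low so the example runs quickly.

```python
"""Credential hardening, illustrative only: password blocklist, salted hashing,
uniform error messages, increasing delays and failure logging."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the top-10,000 list; load the real list (or a
# breached-password corpus) in production.
WORST_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein", "welcome1"}
MIN_LENGTH, MAX_LENGTH = 8, 64      # NIST SP 800-63B: at least 8 chars, allow long passphrases
PBKDF2_ITERATIONS = 100_000         # kept low for the example; use a current recommendation in production
ALERT_THRESHOLD = 5                 # failures on one account before an alert line is written
MAX_DELAY = 300                     # cap on the back-off, in seconds
LOGIN_FAILED = "Invalid username or password."   # same text for every failure cause


def check_new_password(password: str, username: str = "") -> Optional[str]:
    """Return the reason a new password is rejected, or None if it is acceptable."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if len(password) > MAX_LENGTH:
        return "too long"
    if password.lower() in WORST_PASSWORDS:
        return "commonly used password"
    if username and username.lower() in password.lower():
        return "contains username"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Fixed dummy record so an unknown username costs the same work as a wrong password.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("placeholder-not-a-real-user", _DUMMY_SALT)


class FakeClock:
    """Constructed clock so the example runs without real waiting."""
    def __init__(self, start: float = 100.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class AuthService:
    def __init__(self, clock=time.monotonic) -> None:
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}    # username -> (salt, hash)
        self.failures: Dict[str, Tuple[int, float]] = {}   # username -> (count, not_before)
        self.audit: List[str] = []                          # stands in for the real log

    def register(self, username: str, password: str) -> None:
        reason = check_new_password(password, username)
        if reason is not None:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, client_ip: str) -> Tuple[bool, str]:
        now = self.clock()
        count, not_before = self.failures.get(username, (0, 0.0))
        if now < not_before:
            # Still inside the back-off window: refuse without checking the password.
            self.audit.append(f"login_throttled user={username} ip={client_ip}")
            return False, LOGIN_FAILED
        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        candidate = hash_password(password, salt)              # always computed
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            return True, "ok"
        count += 1
        delay = min(2 ** count, MAX_DELAY)                    # 2, 4, 8, ... seconds
        self.failures[username] = (count, now + delay)
        self.audit.append(f"login_failed user={username} ip={client_ip} attempt={count} delay={delay}s")
        if count >= ALERT_THRESHOLD:
            self.audit.append(f"ALERT possible brute force user={username} ip={client_ip}")
        return False, LOGIN_FAILED


def demo() -> List[str]:
    clock = FakeClock()
    svc = AuthService(clock=clock)
    svc.register("alice", "correct horse battery staple")
    svc.login("alice", "Password1", "203.0.113.5")     # wrong password
    svc.login("nobody", "Password1", "203.0.113.5")    # unknown user, same message
    clock.t += 5                                         # wait out the 2-second delay
    ok, _ = svc.login("alice", "correct horse battery staple", "203.0.113.5")
    return svc.audit + [f"alice_login_ok={ok}"]


if __name__ == "__main__":
    print("\n".join(demo()))
```

Note that a correct password is refused while the account is inside its back-off window; that is the point of the delay, and why the same `LOGIN_FAILED` text is returned for a throttled attempt, an unknown user and a wrong password alike.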

Example Attack Scenarios

Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.
Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.
Scenario #3: Application session timeouts aren’t set properly. A user uses a public computer to access an application. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
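Scenario #3 is what idle and absolute timeouts exist to stop. The following is an added example, not code from OWASP or from this page, of the server-side session manager described under How to Prevent: IDs come from `secrets.token_urlsafe` (the OS CSPRNG, so earlier IDs reveal nothing about the next one), the ID is rotated at login so a pre-authentication ID an attacker may have planted (session fixation) stops working, each lookup enforces an idle and an absolute limit, and logout removes the server-side record. The `SessionManager` API, the 15-minute and 8-hour values, the user names and the `FakeClock` are assumptions of the example; the cookie attributes in `set_cookie_header` are the standard ones.

```python
"""Server-side session management, illustrative only: unpredictable IDs, rotation at
login, idle and absolute timeouts, and invalidation at logout."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds since the last request (assumed value)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds since login, regardless of activity (assumed value)


@dataclass
class Session:
    user: Optional[str]   # None before authentication
    created: float
    last_seen: float


class FakeClock:
    """Constructed clock so the walkthrough does not have to wait real hours."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


class SessionManager:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.sessions: Dict[str, Session] = {}   # the only copy of session state lives here

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG; nothing about the next ID can be inferred from this one.
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Anonymous session, e.g. for a shopping cart before login."""
        now = self.clock()
        sid = self.new_id()
        self.sessions[sid] = Session(None, now, now)
        return sid

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Rotate: drop the pre-login ID (which an attacker may have planted) and issue a new one."""
        if old_sid is not None:
            self.sessions.pop(old_sid, None)
        now = self.clock()
        sid = self.new_id()
        self.sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Look up a presented ID; expire it if either timeout has passed."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        session.last_seen = now
        return session

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)   # the cookie may linger in the browser; the server forgets it


def set_cookie_header(sid: str) -> str:
    # Cookie, never the URL; Secure = HTTPS only, HttpOnly = not readable by page scripts.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def scenario_3(clock: FakeClock, manager: SessionManager) -> Optional[str]:
    """The user closes the tab without logging out; an hour later someone reuses the browser."""
    sid = manager.login(manager.start(), "alice")
    clock.t += 60 * 60
    session = manager.resolve(sid)
    return session.user if session else None   # None: the idle timeout already ended it


if __name__ == "__main__":
    clock = FakeClock()
    manager = SessionManager(clock=clock)
    print("user seen an hour later:", scenario_3(clock, manager))
```

The absolute timeout matters even for an active user: without it, a session kept alive by periodic requests (or by an attacker replaying a stolen cookie every few minutes) would never expire.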

Did you know a whopping 113 million websites contain a security vulnerability? That’s approximately six percent of all websites globally.

A website vulnerability is a weakness in website code that cybercriminals can exploit to gain unauthorized access to a site, and a single vulnerability can affect over 1,000 pages on one website.

Let’s talk about one of the most common types of vulnerabilities on the OWASP Top 10: broken authentication and session management. Simply stated, broken authentication and session management allows a cybercriminal to steal a user’s login data, or forge session data, such as cookies, to gain access to websites.

What is the OWASP Top 10?

OWASP, the Open Web Application Security Project, publishes the OWASP Top 10: a list of the ten most critical Web application security risks (broken authentication and session management among them). According to owasp.org, its purpose is to drive visibility and evolution in the safety and security of the world’s software.

What is Broken Authentication and Session Management?


Many websites require users to log in to access their accounts, make a purchase, etc. More often than not, this is done with a username and password. Once those are verified, the site assigns each logged-in visitor a unique session ID, which serves as the key to the user’s identity on the server for the rest of the visit.

If the credentials or the session ID are not properly protected, a cybercriminal can impersonate a valid user and access that user’s account; this is what a broken authentication and session management attack looks like.

How Can Broken Authentication and Session Management Be Exploited?

When a visitor signs in to a website, the site generates a unique session ID. To be safe against guessing it must come from a cryptographically secure random generator, which is what the session manager built into any mature web framework does. The visitor’s browser then presents that session ID (normally in a cookie) as the key to their identity for the remainder of the session.

All of this information has to travel back and forth between the visitor and the server. If it is sent in plain text rather than over an encrypted connection, anyone positioned on the network path can read the visitor’s session ID and/or credentials and use them to impersonate that visitor. The risk is highest on a shared or public network (such as coffee-shop Wi-Fi). A public computer adds a second, different problem: whoever sits down next inherits any session the browser still holds.

Another approach a cybercriminal could take is a brute-force attack, repeatedly trying common weak passwords in an effort to guess a user’s correct password. It is also possible for attackers to forge session IDs if they are not randomly generated. For example, if an attacker collects several legitimate session IDs and they turn out to be sequential, it is possible to guess the next legitimate session ID and use it to access the site fraudulently. Note the distinction: intercepting traffic on the wire is a man-in-the-middle attack, while guessing IDs from a weak generator is session prediction, and encryption in transit does nothing to stop the latter.

How to Protect Yourself and Your Website

Use an SSL Certificate


To prevent man-in-the-middle attacks on your site’s sessions, encrypt the data in transit with TLS (the current protocol; "SSL", secure sockets layer, is its deprecated predecessor, but the name survives in "SSL certificate"). Strictly, the certificate does not do the encrypting: it proves the server’s identity to the browser, and the TLS handshake it anchors establishes the encrypted channel. Two settings complete the picture: mark the session cookie Secure so the browser never sends it over plain HTTP, and send an HTTP Strict-Transport-Security (HSTS) header so the browser refuses to fall back to HTTP at all.

Use a VPN

A VPN (virtual private network) protects you as a user on an untrusted network: it tunnels your traffic, encrypted, to the VPN provider’s endpoint, so nobody on the coffee-shop Wi-Fi can read it. It does nothing for the site itself, and the traffic is exposed again between the VPN endpoint and the web server, so a VPN complements TLS rather than replacing it.

Implement a Web Application Firewall (WAF)

A web application firewall (WAF) inspects incoming HTTP traffic and blocks requests that match known attack patterns, and many WAFs can rate-limit login endpoints, which blunts brute force and credential stuffing. It is a filter in front of the application, not a fix inside it: a WAF cannot tell a guessed-but-valid session ID from a legitimate one, so it does not substitute for unpredictable session IDs and proper timeouts in the application itself.

Multi-factor authentication is a separate control, implemented in the application or identity provider (some WAF and CDN products bundle it for the admin interfaces they protect). It requires users to provide an on-demand, unique code when logging in, along with their username and password, so a stolen or guessed password alone is not enough. The code is often delivered via text message; an authenticator app or hardware token is stronger, since SMS can be intercepted or redirected through SIM swapping, and NIST SP 800-63B classes phone-based delivery as a restricted authenticator.
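The passage above describes the second factor as a code sent by text message. As an added example (illustrative code for this page, not a product’s or the page author’s), here is how a time-based one-time code is generated and checked on the server, which is what an authenticator app does: RFC 6238 TOTP on top of RFC 4226 HOTP, with a one-step clock-drift window and a check that a code already accepted is not accepted again. The `TotpVerifier` class and the user names are constructed for the example; the secret in the usage lines is the RFC 6238 test key, not a real one.

```python
"""Time-based one-time codes (RFC 6238 TOTP over RFC 4226 HOTP), illustrative only."""
import hashlib
import hmac
import struct
import time
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: per-user secrets, a small drift window, and no code accepted twice."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step
        self.window = window               # accept +/- this many steps of clock drift
        self.secrets: Dict[str, bytes] = {}
        self.last_step: Dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret        # in production: generated randomly, stored encrypted

    def verify(self, user: str, code: str, unix_time: float) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != 6 or not code.isdigit():
            return False
        current = int(unix_time) // self.step
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, step), code):
                if step <= self.last_step.get(user, -1):
                    return False           # replay: this step (or an earlier one) was already used
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"          # the RFC 6238 test key, not a real secret
    print("code for the current 30-second step:", totp(key, time.time()))
```

The replay check is what keeps an intercepted code from being useful for the rest of its 30-second step, which matters most when the code travels over SMS; the drift window is the usual trade-off between tolerating a slightly wrong phone clock and widening the guessing window.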

Enforce Strong Passwords

Regarding the brute-force attacks mentioned earlier in this article, have access control and password policies for any and all registered users on a site (this includes admin accounts, especially!).

A strong password is one an attacker cannot guess from a wordlist. Require a minimum length (NIST SP 800-63B sets a floor of eight characters, and longer passphrases are better), accept long passwords and every character type, and reject anything on a list of common or breached passwords such as “Password1”. Composition rules that force a mix of uppercase, lowercase, digits and symbols are less effective than they look, because users satisfy them with predictable substitutions. Do not force a password change just because failed logins were seen; instead limit or increasingly delay failed attempts, log them, and alert on bursts, as in the prevention list earlier on this page.

In summary, broken authentication and session management is a major security risk. It can allow an attacker to steal a user’s credentials, or forge session data, such as cookies, to gain unauthorized access to websites. The controls above (TLS with Secure cookies, unpredictable and expiring session IDs, password blocklists with throttled logins, multi-factor authentication, and a WAF in front of the application) are well understood and straightforward to put in place.