Broken authentication refers to vulnerabilities in session management and credential management. Both are classified as broken authentication because attackers can use both ways to pretend to be a user.
Such vulnerabilities could allow an attacker to capture or bypass authentication methods used by a web application.
Session management
A web session is a series of network operations associated with the same user over a period of time. Modern web applications require storing information or state about each user over multiple request durations. Sessions therefore provide the ability to create variables (such as access rights) that will apply to every interaction a user has with the web application for the duration of the session.
Web applications give each user a unique session ID for each visit, allowing the web application to communicate with the user while navigating the site. These session IDs are usually included in the cookie information and URL parameters.
Broken Authentication Attacks
Session hijacking
Attackers use stolen session IDs to impersonate users. The simplest example of session stealing technique is that a user can gain unauthorized access by obtaining the session cookie in the web application.
Rewrite Session ID URL
In this scenario, a person's session ID appears in the URL of a website. Anyone can see this (for example, via sniffing methods of an unsecured Wi-Fi connection) session can be stolen.
Session Fixation
Session Pinning is an attack that allows an attacker to hijack a valid user session. The main idea of a session fixation attack is that the attacker logs on to the web server. The server identifies a session ID to the attacker. With this ID, the attacker needs to send a link to the victim, and the victim needs to click this link and communicate with the server. The server understands that the session process has already been established. Therefore, it does not need to create a new session ID. Thus, the attacker will have obtained the session of the victim user.
Credential Stuffing
When attackers access a database full of unencrypted emails and passwords, they often sell the list for other attackers to use. These attackers then use botnets for brute force attacks that test credentials stolen from a site on different accounts. This tactic usually works because people often use the same password between apps. There are currently billions of compromised credentials available to attackers.
Password Spraying
According to the researches, it has been determined that 23.2 million users' account passwords are "123456".
Starting from this, password spraying attacks are attacks that provide unauthorized access to a large number of accounts by password guessing with frequently used weak passwords.
Phishing Attacks
Attackers often steal credentials by sending users an email that appears to be from a trusted source and then tricking users into sharing their credentials or other relevant information.
35% of successful data breaches started with a phishing attack in 2019. The attackers target use different mechanisms to lure their victims through phishing.
How to avoid Broken Authentication?
- Implement multi-factor authentication to prevent automated, credential stuffing, brute-force and stolen credentials reuse attacks.
- Do not apply with any default credentials, especially for admin users.
- Test new or changed passwords against a list of 10,000 worst passwords and apply weak password checks.
- Enforce password policies, such as password length and complexity.
- Use a secure, built-in session manager on the server side that generates a new random session ID with high entropy upon new login. Session IDs should not be in the URL, they should be stored securely and should be invalidated after logout, idle and absolute timeouts.
- Limit or progressively delay failed login attempts. Log all errors and alert administrators when credential stuffing, brute force or other attacks are detected.
Source:
owasp.org
cheatsheetseries.owasp.org
scanrepeat.com
contrastsecurity.com
owasp.org
auth0.com
hdivsecurity.com/
