Broken authentication and session management
What is broken authentication and session management?
Weaknesses of this kind let an attacker capture or bypass the authentication methods a web application relies on. Typical weaknesses include:
- User authentication credentials are not protected when stored
- Predictable login credentials
- Session IDs are exposed in the URL (e.g., URL rewriting)
- Session IDs are vulnerable to session fixation attacks
- Session values do not time out or are not invalidated after logout
- Session IDs are not rotated after successful login
- Passwords, session IDs, and other credentials are sent over unencrypted connections
The goal of such an attack is to take over one or more accounts and gain the same privileges as the compromised user.
Broken authentication and session management examples
Example #1: URL rewriting
A travel reservations application supports URL rewriting, putting session IDs in the URL.
http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Risk
An authenticated user of the site wants to let their friends know about the sale. The user e-mails the link above without realizing they are also giving away their session ID. When the friends use the link they use the user’s session and credit card.
Example #2: Application's timeout is not set properly
The user utilizes a public computer to access a site. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated.
Example #3: Passwords are not properly hashed and salted
An insider or external attacker gains access to the system’s password database. User passwords are not properly hashed and salted, exposing every user’s password.
Risk
Stored username and password values should be salted and hashed, in addition to being encrypted.
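As an added example (not code from the original page), the following minimal Python session store and password-storage routines address the weaknesses listed above and in Examples #2 and #3: unguessable session IDs, rotation on login, an idle timeout, server-side invalidation on logout, and salted PBKDF2 password hashes. The names (`SessionStore`, `hash_password`, `verify_password`), the 15-minute timeout and the round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session is invalidated (assumed)
PBKDF2_ROUNDS = 600_000     # work factor; raise as hardware gets faster

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

class SessionStore:
    """Server-side session table (hypothetical); the client only holds an opaque random ID."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so the timeout can be tested
        self._sessions = {}       # session_id -> {"user": ..., "last_seen": ...}
    def _issue(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid
    def new_anonymous(self) -> str:
        return self._issue(None)
    def login(self, old_sid: str, username: str) -> str:
        # Rotate on login: the pre-login ID is discarded, so an ID planted by an
        # attacker (session fixation) never becomes an authenticated session.
        self._sessions.pop(old_sid, None)
        return self._issue(username)

    def current_user(self, sid: str):
        """Return the user bound to sid, or None if unknown, anonymous, or timed out."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # server-side expiry: closing the tab is not enough
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # invalidate server-side, not just the cookie
```

In a real deployment the session ID would travel in a cookie flagged `Secure` and `HttpOnly` rather than in the URL as in Example #1.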