Thursday, February 6, 2025
HomeOWASP - Top 10OWASP A2 - Broken Authentication and Session Management

OWASP A2 – Broken Authentication and Session Management

Published on

SIEM as a Service

Follow Us on Google News

Broken Authentication and Session Management vulnerability allow’s attackers either to capture or bypass the authentication methods that are used by a web application. Impact would be severe as attacker can able to login account as normal user.

session

When visiting a website to access your information, you need to log in. To get past this point, you need to provide the
correct Username and Password values.Once you submit this information, a unique value called the Session ID is generated, which is linked to your credentials to keep track of you while you are logged into the application. This value is usually a string of random letters and numbers as seen at the bottom of the slide.

Possible ways of webapplication failure

  • Unencrypted connections.
  • Encourage users to have strong passwords.
  • Expire sessions Quickly.
  • Implement login rate limiting,lockout’s and Hashing passwords.
  • Session ID’S used in the URL.

Unencrypted connections:

If the connection being used between you and the web application is not encrypted, anybody can see the data being
transmitted.This means that ALL INFORMATION that you are sending and receiving between you and the site can be intercepted without your knowledge.

Fails to protect the user name,password, sensitive details and session ID’s.

By enabling encryption on requests that contain sensitive data can prevent this information from being intercepted by attackers.

Encourage users to have strong passwords

Weak username and passwords are easily guessed by attackers to get unauthorized access.

We can prevent the weakness by enforcing users to have strong passwords.

Expire sessions Quickly

Application does not discard session after certain amount of time or even after logging out.

Invalidate the session ID after pre-determined time or upon logout.

Implement login rate limiting,lockout’s and Hashing passwords

If stored passwords are stolen by unauthorized individual, if no protection is given and values would be visible in plain text.

To prevent weakness stored password should be salted and hashed in addition to encryption.

Session ID Used in URL

Session ID value is transmitted in the URL where attacker can see that, which fails to protect session ID value.

To prevent the weakness Make sure the sensitive information is sent in the body part of the post request.

Let's take a look at the example URL:

http://192.168.242.137/login.jsp?sessionid=abc12345df

Along with this we conclude our coverage with A2-Broken Authentication and Session Management.

Also Read:

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Beware of Lazarus LinkedIn Recruiting Scam Targeting Org’s to Deliver Malware

A new wave of cyberattacks orchestrated by the North Korea-linked Lazarus Group has been...

F5 BIG-IP SNMP Flaw Allows Attackers to Launch DoS Attacks

A recently disclosed vulnerability in F5's BIG-IP systems has raised alarm within the cybersecurity...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

OWASP Smart Contract Top 10 2025 Released – What’s new!

The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for...

What is XSS (Cross-Site Scripting)? – A Detailed Understanding Of the Type of XSS

XSS is a very commonly exploited vulnerability type that is very widely spread and...

Cross-Site Request Forgery (CSRF) – An OWASP Vulnerability – Detailed Explanation

Cross Site Request Forgery is one of the most common form of attack by...