OWASP A2 – Broken Authentication and Session Management

Broken Authentication and Session Management vulnerability allow’s attackers either to capture or bypass the authentication methods that are used by a web application. Impact would be severe as attacker can able to login account as normal user.

When visiting a website to access your information, you need to log in. To get past this point, you need to provide the
correct Username and Password values.Once you submit this information, a unique value called the Session ID is generated, which is linked to your credentials to keep track of you while you are logged into the application. This value is usually a string of random letters and numbers as seen at the bottom of the slide.

Possible ways of webapplication failure

• Unencrypted connections.
• Encourage users to have strong passwords.
• Expire sessions Quickly.
• Implement login rate limiting,lockout’s and Hashing passwords.
• Session ID’S used in the URL.

Unencrypted connections:

If the connection being used between you and the web application is not encrypted, anybody can see the data being
transmitted.This means that ALL INFORMATION that you are sending and receiving between you and the site can be intercepted without your knowledge.

Fails to protect the user name,password, sensitive details and session ID’s.

By enabling encryption on requests that contain sensitive data can prevent this information from being intercepted by attackers.

Encourage users to have strong passwords

Weak username and passwords are easily guessed by attackers to get unauthorized access.

We can prevent the weakness by enforcing users to have strong passwords.

Expire sessions Quickly

Application does not discard session after certain amount of time or even after logging out.

Invalidate the session ID after pre-determined time or upon logout.

Implement login rate limiting,lockout’s and Hashing passwords

If stored passwords are stolen by unauthorized individual, if no protection is given and values would be visible in plain text.

To prevent weakness stored password should be salted and hashed in addition to encryption.

Session ID Used in URL

Session ID value is transmitted in the URL where attacker can see that, which fails to protect session ID value.

To prevent the weakness Make sure the sensitive information is sent in the body part of the post request.

Let's take a look at the example URL:

http://192.168.242.137/login.jsp?sessionid=abc12345df

Along with this we conclude our coverage with A2-Broken Authentication and Session Management.

Also Read:

• A1 – SQL injection
• A3 – Cross Site Scripting
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control’
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards