OWASP – A2 – Broken Authentication and Session Management – LSB

Threat Agents

Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Attack Vectors

Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.

Am I Vulnerable To ‘Broken Authentication and Session Management?’

Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:

  1. User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
  2. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  3. Session IDs are exposed in the URL (e.g., URL rewriting).
  4. Session IDs are vulnerable to session fixation attacks.
  5. Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
  6. Session IDs aren’t rotated after successful login.
  7. Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.

See the ASVS requirement areas V2 and V3 for more details.

How Do I Prevent ‘Broken Authentication and Session Management’?

The primary recommendation for an organization is to make available to developers:

  1. A single set of strong authentication and session management controls. Such controls should strive to:
    1. meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
    2. have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
  2. Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
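The following is an added example, not OWASP or ESAPI code, showing what a minimal server-side session control looks like when it covers the items above: unguessable IDs, rotation on login (defeats fixation), idle and absolute timeouts, server-side invalidation on logout, and cookie attributes that keep the ID out of URLs, plaintext HTTP and script reach. The timeout values and the `SessionStore`/`session_cookie_header` names are this example's own choices.

```python
import secrets
import time

# Added example (not OWASP text): a minimal server-side session store that
# enforces the A2 controls listed on this page. Timeout values are assumptions.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so timeouts can be tested
        self._sessions = {}        # sid -> {"user", "created", "last_seen"}

    def create(self, user=None):
        """Issue a fresh 256-bit random session ID (never sequential or derived)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get_user(self, sid):
        """Return the user bound to sid, or None if unknown, anonymous or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.logout(sid)       # expired: drop it server-side, not just client-side
            return None
        s["last_seen"] = now
        return s["user"]

    def login(self, old_sid, user):
        """After successful authentication, rotate the ID so a pre-login
        (possibly attacker-fixed) ID never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Invalidate on the server; clearing the browser cookie alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie attributes: off the URL, never over plaintext HTTP (Secure),
    unreadable by script (HttpOnly, limits the XSS theft noted under A3)."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```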

Example Attack Scenarios

Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every user’s password to the attacker.

References

OWASP
For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3).

Full article:

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
