1. Support Center
  2. Broken Authentication & Session Management

Broken Authentication and Session Management

Broken Authentication and Session Management could lead to exposed user data, such as credentials or critical private data. It could also allow for privilege escalation attacks.

Security Assessment

SecurityAssessment_BrokenAuthentication

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

Exploiting a broken authentication, an attack is typically initiated by taking advantage of poorly managed credentials and login sessions to masquerade as authenticated users. This usually is related to a scenario as follows:

session is a succession of events and transactions that are associated with the same user for a certain time frame. Once a user has logged on to a system, they are granted a unique Session ID (Cookies, URL Parameters, Authentication Tokens, etc) that allows for communication between the user and web app for the valid session. Many developers fail to develop the right parameters for sessions, making it easier for a hacker to hijack the session ID and gain unauthorized system access. Additionally, some developers fail to set time restrictions and rotation plans for sessions, allowing attackers to impersonate users already logged in to the system.

With companies moving more of their sensitive and valuable data to the cloud, hackers are increasingly targeting web applications for their attacks. As a result, broken authentication and session management vulnerabilities are considered as the Top 2 vulnerabilities on the OWASP list since using a valid user’s credentials is the easiest way for attackers to access off-limits systems.

Such attacks are also easier and more popular with modern attackers since the vulnerabilities are often neglected by software companies.

These malicious actors rely on a number of techniques to steal credentials, guess them, or deceive users into revealing them, including:

  • Phishing
  • Credential stuffing
  • Password spraying

Prevention Guide 

While they are known and highly preventable, broken authentication and session management attacks are common due to software teams ignoring the vulnerabilities. There are also proven practices that organizations can adopt to reduce the chances of such attacks.

Following are some best practices and popular tools that can help reduce organizations’ susceptibility to session management attacks.

Enable Multi-Factor Authentication

Multi-Factor Authentication (MFA) makes it harder for malicious actors to access a system by adding at least one more layer of security to the authentication process. With MFA, security teams can enable users to register an item, such as a cellphone or biometric data, then combine it with the traditional login process for stronger security checks. With MFA, software organizations can bolster application security without impacting user experience.

Implement Strong Password Policies

It is important to select an Identity and Access (IAM) management solution that helps users easily create strong, unique, and effective passwords. These platforms automatically reject weak, common passwords and follow the NIST guidelines on creating passwords that are difficult to replicate. Most trusted IAM solutions also notify administrators when weak passwords have been compromised. 

Utilize Virtual Private Networks (VPNs)

VPNs greatly reduce the risk of an organization’s credentials being leaked to malicious actors by encrypting personal information, financial transactions, and web sessions. VPNs conceal the IP address of machines communicating in a session, reducing the likelihood of identity theft. With VPNs, even if hackers orchestrate a man-in-the-middle attack, it gets difficult for them to make sense of the message being transmitted.

Use a Web Application Firewall (WAF)

A Web Application Firewall helps boost application security by identifying and blocking malicious IP addresses while also scanning web traffic for threats and vulnerabilities. WAFs are highly customizable, which allows teams to create site-specific rules for their applications. A WAF is typically deployed through a reverse proxy to inspect every packet for pinpointing harmful traffic that may compromise the system.

Limit Failed Login Attempts

When implementing Brute-Force/Credential stuffing attacks, hackers are motivated by the fact that their attempts go undetected to attempt multiple logins. To mitigate such incidents, the Identity and Access management system must be configured to flag suspicious behavior and limit the number of login attempt(s).

Secure Session Access

Developers and security teams should tailor session length and parameters to the organization’s specific use case. A streaming video service, for instance, can have week-long sessions so that users don’t have to pass authentication checks every time they log in. A banking app, on the other hand, should terminate its session immediately after a customer exits since they are more likely to be hijacked.

Session IDs should also be frequently rotated and invalidated to prevent session fixation for other users. They should not be exposed in the URL (e.g., allowing URL rewriting). 

For more information about Crashtest Security visit crashtest-security.com.