Broken Authentication and Session Management

An attacker can impersonate users by exploiting leaks or flaws in the authentication or session management functions. Poor session control, weak password recovery, credentials sent over unencrypted connections, insecure storage of credentials and inadequate session timeouts are some of the flaws an attacker can use to gain access to user accounts. Public exposure of such a vulnerability can severely damage the reputation of an organization.

Scenario #1: An airline reservations application supports URL rewriting, putting session IDs in the URL:

http://flights.com/reserve;jsessionid=2P0OC2JSHDLPSMHCJ9N2JV?dest=Bengaluru

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without realizing that it also carries his session ID. When his friends open the link they inherit his session and, impersonating him, can view his personal account details such as credit card information.

Scenario #2: A user uses a computer in an internet café or other public area to access an internet application. Instead of selecting “logout”, the user simply closes the browser tab and walks away. If the application does not enforce a session timeout, an attacker who sits down at the same browser an hour later finds it still authenticated as the victim.

Scenario #3: An insider or external attacker gains access to the system’s password database. If the application stores passwords in plain text, the attacker can immediately read every user’s password and publish it, whereas a salted, slow password hash forces the attacker to guess each password individually.

The following are the most common weaknesses that can leave your application vulnerable to this threat.

  • User authentication credentials aren’t protected when stored (e.g., passwords kept in plain text or under a fast, unsalted hash instead of a salted, slow password hash).
  • Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  • Session IDs are exposed in the URL (e.g., URL rewriting).
  • Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
  • Session IDs aren’t rotated after successful login, so a session ID an attacker planted before login (session fixation) stays valid afterwards.
  • Passwords, session IDs, and other credentials are sent over unencrypted connections.
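The contrast in Scenario #3 and the first weakness above, shown as an added example that is not part of the original page: a plain-text store beside a hardened one that uses a per-user random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256, with the iteration count OWASP currently suggests) and a constant-time comparison. The class and method names are illustrative; the iteration count is made configurable only so the example runs quickly.

```python
import hashlib
import hmac
import os

# --- Vulnerable: what Scenario #3 describes (illustration only) -----------------
class PlaintextUserStore:
    """Stores the password exactly as typed. A database leak is a credential leak."""
    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def dump(self, username):
        """What an attacker who steals the database sees."""
        return self._users[username]


# --- Hardened: salted, slow hash; constant-time verification ---------------------
PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256

class HashedUserStore:
    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._users = {}
        self._iterations = iterations

    @staticmethod
    def _derive(password, salt, iterations):
        # Each guess costs the attacker `iterations` HMAC computations.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations, dklen=32)

    def register(self, username, password):
        salt = os.urandom(16)   # unique per user: identical passwords hash differently
        digest = self._derive(password, salt, self._iterations)
        # Record everything needed to verify later; the iteration count is stored
        # so it can be raised for new users without breaking existing records.
        self._users[username] = ("pbkdf2_sha256", self._iterations, salt, digest)

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Burn the same time for unknown users so response timing does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * 16, self._iterations)
            return False
        _, iterations, salt, stored = record
        candidate = self._derive(password, salt, iterations)
        # compare_digest does not short-circuit on the first differing byte.
        return hmac.compare_digest(candidate, stored)

    def dump(self, username):
        """What an attacker who steals the database sees: salt and digest only."""
        return self._users[username]
```

With the hashed store, two users who chose the same password end up with different records, and the stolen digest cannot be reversed; the attacker is reduced to guessing at the cost of the full derivation per guess.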

Prevention Measures

User Logins

  • Always submit login forms over TLS (HTTPS), and serve the form itself over HTTPS so it cannot be tampered with in transit.
  • Validate form input.
  • Avoid using “remember me” functionality with mission-critical applications.
  • Provide users with a logout button to manually terminate a session.
  • Consider supporting third-party authentication providers such as Google or Facebook.

Password Policies

  • Provide two-factor authentication features.
  • Expire all current sessions after a password change.
  • Notify users of password changes via email or SMS.
  • Force a password reset when a compromise is known or suspected. Blanket periodic expiration is no longer recommended (NIST SP 800-63B advises against it), because it pushes users toward predictable variations of the old password.
  • Implement strong password requirements: enforce a minimum length and reject passwords that appear in breach lists, rather than relying on complexity rules alone.

Session Control

  • Generate session IDs with a cryptographically secure random number generator and make them long enough (OWASP recommends at least 64 bits of entropy; 128 bits is common).
  • Store session IDs in cookies and never pass them via URL parameters, hidden form fields, or custom HTTP headers.
  • Use a standard, well-reviewed framework for session management rather than writing your own.
  • Set both an idle timeout and an absolute time limit on session identifiers to ensure proper session expiration.
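The session-control measures above, together with Scenario #2 (idle sessions) and the "expire all sessions after a password change" measure, as an added example that is not part of the original page. It is a minimal in-memory session store with a CSPRNG-generated ID, rotation on login (which defeats session fixation), idle and absolute timeouts, logout, and bulk revocation. The names and timeout values are assumptions; a real application would keep this state in a server-side cache or database and, as the page says, normally lean on its framework rather than hand-rolling it.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


class SessionStore:
    """Server-side session table: session_id -> {user, created, last_seen}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested without sleeping

    @staticmethod
    def _new_id():
        # 32 bytes from the OS CSPRNG = 256 bits of entropy, well above the
        # 64-bit minimum OWASP recommends; never derive IDs from time or counters.
        return secrets.token_urlsafe(32)

    def create_anonymous(self):
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Drop the pre-login ID and issue a fresh one. If an attacker planted
        old_sid in the victim's browser (session fixation), it is now worthless."""
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Return the logged-in user for sid, or None if the session is unknown,
        idle for too long, or past its absolute lifetime (expired sessions are
        deleted on the spot)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def revoke_all_for(self, user):
        """Call after a password change: every live session of that user dies."""
        dead = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def cafe_scenario():
    """Replay Scenario #2 with a fake clock: user logs in, walks away,
    and an attacker returns to the same browser after the idle timeout."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    pre_login = store.create_anonymous()
    sid = store.login(pre_login, "alice")
    result = {
        "rotated": sid != pre_login,
        "old_id_dead": store.user_for(pre_login) is None,
        "active_after_login": store.user_for(sid) == "alice",
    }
    now[0] += IDLE_TIMEOUT + 1          # victim walked away; attacker sits down
    result["dead_after_idle"] = store.user_for(sid) is None
    return result
```

The absolute timeout matters even for a user who keeps clicking: a session that is touched every few minutes still ends after ABSOLUTE_TIMEOUT, which bounds how long a stolen ID is useful.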

Cookie Security

  • Store session identifiers in session cookies (no Expires or Max-Age attribute) rather than persistent cookies.
  • Set the Secure attribute so the cookie is only transmitted over HTTPS.
  • Set the HttpOnly attribute so scripts cannot read the cookie via document.cookie, which limits what a cross-site scripting bug can steal.
  • Set SameSite=Lax or SameSite=Strict so the browser does not attach the cookie to cross-site requests.
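The cookie attributes above, plus the Scenario #1 problem of session IDs in URLs, as an added example that is not part of the original page. It builds a correct Set-Cookie header with the standard-library http.cookies module (the SameSite attribute needs Python 3.8 or later), then runs a small constructed audit over Set-Cookie values and URLs so the weak and hardened forms can be compared side by side. The function names and the list of session-parameter names are assumptions.

```python
import re
from http.cookies import SimpleCookie


def session_cookie_header(session_id, name="SESSIONID"):
    """Set-Cookie value for a server-side session ID. No Expires/Max-Age, so it
    is a session cookie the browser drops on exit."""
    c = SimpleCookie()
    c[name] = session_id
    c[name]["secure"] = True        # only sent over HTTPS
    c[name]["httponly"] = True      # not readable from document.cookie
    c[name]["samesite"] = "Lax"     # not attached to cross-site POSTs
    c[name]["path"] = "/"
    return c[name].OutputString()


def audit_set_cookie(header_value):
    """Return a list of problems found in one Set-Cookie value (constructed check)."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for p in parts[1:]:                       # parts[0] is name=value
        key, _, val = p.partition("=")
        attrs[key.lower()] = val if val else True
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "samesite" not in attrs:
        problems.append("missing SameSite")
    elif str(attrs["samesite"]).lower() == "none":
        problems.append("SameSite=None offers no cross-site protection")
    if "expires" in attrs or "max-age" in attrs:
        problems.append("persistent cookie (Expires/Max-Age set)")
    return problems


# Common session-ID parameter names, in the path (;jsessionid=...) or query string.
_SESSION_PARAM = re.compile(
    r"(?i)(?:;|[?&])(?:jsessionid|phpsessid|sessionid|session_id|sid)=")


def url_leaks_session_id(url):
    """True if the URL carries a session ID (Scenario #1), which ends up in
    browser history, proxy logs, Referer headers and forwarded e-mails."""
    return bool(_SESSION_PARAM.search(url))
```

Running the audit on a header that sets Expires and omits every protective attribute reports all four problems; the header built by session_cookie_header passes clean.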
