The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.
OWASP Top 10 - Broken Authentication
What is broken authentication?
Broken authentication stems from vulnerabilities in web applications that allow attackers to gain unauthorized access or bypass authentication entirely, due to improper implementation of the authentication functions and session management. Attackers exploit this to compromise passwords, keys, session tokens etc., and assume other users' identities. Broken authentication is listed by OWASP as the second most commonly exploited web application vulnerability. Improper authentication (CWE-287) and the use of hard-coded credentials (CWE-798) are also listed in the SANS top 25 software errors.
Types of attacks
Permitting automated attacks such as brute force or credential stuffing from a list of usernames and passwords
Plaintext, weakly hashed, or commonly used passwords
Ineffective credential recovery process
Unprotected transport of credentials
Session management attacks
Revealing the session ID in the URL
Application session timeouts are not properly set
User session tokens are not invalidated on logout or after a period of inactivity
How do broken authentication attacks impact business?
Depending on the domain, a single admin account takeover can compromise the whole system.
Exposure of highly sensitive information such as PII or PHI
Leakage of legally protected data
Some organizations where broken authentication was identified
Shopify (session fixation attacks)
Citrix (password spraying)
Cisco, Palo Alto Networks, F5 Networks and Pulse Secure products (VPN applications improperly store session cookies in memory and/or log files)
How to prevent a broken authentication attack?
Implement MFA to prevent brute force, credential stuffing, use of stolen credentials etc.
Implement digital identity in accordance with NIST 800-63
Align password length, complexity and rotation according to NIST 800-63
Verify that the pathways used for account registration, credential recovery and APIs are secured against account enumeration attacks by returning the same generic message for all outcomes
Limit or delay failed login attempts by enforcing account lockouts and CAPTCHA
Log all failures, and alert when credential stuffing, brute force or other attacks are detected
Session tokens must be stored securely and must expire on logout and after both idle and absolute timeouts. Use a server-side secure session manager that generates a random session ID on login
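As an added illustration of the session handling points above (not code from the original post), a minimal server-side session manager in Python: it issues random session IDs, refuses to promote a token presented before login (the session fixation case noted earlier), enforces idle and absolute timeouts, and invalidates the session on logout. The timeout values, class names and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime regardless of activity (assumed)


@dataclass
class Session:
    user: str
    created: float    # when the session was issued (absolute timeout)
    last_seen: float  # last authenticated request (idle timeout)


@dataclass
class SessionManager:
    """Server-side store: the token is only a random lookup key; all session
    state lives here, never in the URL or inside the token itself."""
    clock: Callable[[], float] = time.time  # injectable so expiry is testable
    _sessions: dict = field(default_factory=dict)

    def login(self, user: str, presented: Optional[str] = None) -> str:
        # Never promote a pre-login token: one chosen by an attacker
        # (session fixation) must not become an authenticated session.
        if presented is not None:
            self._sessions.pop(presented, None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """User bound to token, or None if unknown, idle-expired or too old."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(token, None)  # expired: drop it server-side too
            return None
        s.last_seen = now  # activity resets the idle clock, never the absolute one
        return s.user

    def logout(self, token: str) -> None:
        # Invalidate on the server; asking the browser to clear the cookie is not enough.
        self._sessions.pop(token, None)
```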
Interested in learning how to know if your organization is vulnerable to broken authentication attacks? Drop us a note now at firstname.lastname@example.org