OWASP Top 10: Broken Authentication

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.


OWASP Top 10 - Broken Authentication


What is broken authentication?


Broken authentication stems from flaws in how a web application implements its authentication functions and session management, which let attackers bypass authentication or gain unauthorized access. Attackers exploit these flaws to compromise passwords, keys, session tokens, etc., and assume other users' identities. Broken authentication is listed by OWASP as the second most commonly exploited web application vulnerability. Improper authentication (CWE-287) and the use of hard-coded credentials (CWE-798) are also listed in the SANS Top 25 software errors.


Types of attacks


Credential Attacks

  1. Permitting automated attacks such as brute force or credential stuffing, where lists of known usernames and passwords are tried against the login

  2. Plain-text, weakly hashed, or commonly used passwords

  3. Ineffective credential recovery process

  4. Unprotected transport of credentials

Session management attacks

  1. Revealing the session ID in the URL

  2. Application session timeouts that are not set properly

  3. User session tokens that are not invalidated on logout or after a period of inactivity
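The three session management weaknesses above are all decisions the server should be making and is not. As an added example (not code from the original post), the following minimal server-side session manager shows the opposite of each one: the ID is a random opaque token that travels only in a cookie, never in the URL; idle and absolute timeouts are enforced on every request; logout removes the session on the server rather than trusting the browser to forget it; and the ID is rotated at login so a pre-planted ID (session fixation, as in the Shopify case mentioned later) never becomes authenticated. The timeout values and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Timeout policy values are assumptions for this example, not values from the page.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which the session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime, however active it is


@dataclass
class Session:
    user: str
    created: float    # when the session was issued
    last_seen: float  # last request that used it


class SessionManager:
    """Server-side session store: the browser only ever holds an opaque random ID,
    and every decision about validity is made from the server's own records."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._sessions = {}      # session ID -> Session

    def _new_id(self):
        # 32 bytes from the OS CSPRNG; never derived from the username, time or a counter
        return secrets.token_urlsafe(32)

    def create(self, user):
        """Issue a brand-new session at login."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid):
        """Return the user for a live session, or None (and discard it) if unknown or expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        sess.last_seen = now
        return sess.user

    def rotate(self, sid):
        """Swap the ID of an existing session for a fresh one. Doing this at login
        (and on privilege change) means an ID planted before authentication, as in
        a session fixation attack, never becomes an authenticated one."""
        sess = self._sessions.pop(sid, None)
        if sess is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid

    def logout(self, sid):
        """Invalidate on the server; merely clearing the cookie leaves the token usable."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie header that carries the ID. HttpOnly keeps it away from page scripts,
    Secure keeps it off plaintext HTTP, and using a cookie rather than a URL parameter
    keeps it out of server logs, Referer headers and browser history."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    clock = [0.0]                                  # constructed fake clock for the demo
    sm = SessionManager(clock=lambda: clock[0])
    sid = sm.create("alice")
    print(session_cookie(sid))
    clock[0] += IDLE_TIMEOUT + 1
    print("after idle timeout:", sm.validate(sid))   # None: the session is gone
```

The store here is an in-memory dictionary; in a real deployment it would be a database or cache shared by all application servers, but the lifecycle rules (random ID, server-side expiry, server-side invalidation, rotation at login) are the same.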

How do broken authentication attacks impact business?


Depending on the domain, the takeover of a single admin account can compromise the whole system.

  • Identity theft

  • Exposure of highly sensitive information such as PII, PHI

  • Leakage of legally protected data

Some organizations where broken authentication was identified

  • Shopify (session fixation attacks)

  • Citrix (password spraying)

  • Cisco, Palo Alto Networks, F5 Networks and Pulse Secure products (VPN applications that improperly stored session cookies in memory and log files)

How to prevent a broken authentication attack?

  • Implement MFA to prevent brute force, credential stuffing, reuse of stolen credentials, etc.

  • Implement digital identity in accordance with NIST 800-63

  • Align password length, complexity and rotation according to NIST 800-63

  • Verify that the pathways used for account registration, credential recovery and APIs are hardened against account enumeration by returning the same generic message for all outcomes

  • Limit or delay failed login attempts by enforcing account lockouts and CAPTCHA

  • Log all failures and alert when credential stuffing, brute force or other attacks are detected

  • Session tokens must be stored securely and must expire on logout and after idle and absolute timeouts. Use a server-side secure session manager that generates a random session ID at login
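Several of the preventions above (generic messages against enumeration, lockout after failed attempts, logging and alerting on brute force or credential stuffing, and not storing plain-text or weakly hashed passwords) come together in the login handler itself. The example below is added here and is not code from the original post; it stores salted PBKDF2 digests instead of passwords, answers every failing login with one identical message, verifies unknown usernames against a decoy record so the response time does not leak account existence, locks an account after a run of failures, and flags a source IP that fails against many different accounts, which is the credential-stuffing signature. The thresholds, iteration count, sample usernames and IP addresses are constructed for this example.

```python
import hashlib
import hmac
import logging
import secrets
import time

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("auth")

# Policy values below are assumptions for this example, not figures from the page.
MAX_FAILURES = 5              # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts
STUFFING_THRESHOLD = 8        # distinct usernames failing from one IP before alerting
PBKDF2_ITERATIONS = 100_000   # kept low for the demo; use a much higher work factor in production
GENERIC_FAILURE = "Invalid username or password"  # identical text for every failing outcome


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the stored digest cannot be reversed, and the
    per-user salt defeats precomputed tables and hides password reuse across users."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._users = {}             # username -> (salt, digest)
        self._failures = {}          # username -> (consecutive failures, time of last failure)
        self._ip_failed_users = {}   # source IP -> set of usernames that failed from it
        # Decoy record: unknown usernames are verified against it so that the
        # response time does not reveal whether the account exists.
        self._decoy = hash_password(secrets.token_hex(16))

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def _locked(self, username, now):
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def login(self, username, password, source_ip):
        """Return (success, message). The message is the same for an unknown user,
        a wrong password and a locked account, so the login form cannot be used
        to enumerate accounts."""
        now = self._clock()
        if self._locked(username, now):
            log.warning("login refused, account locked user=%s ip=%s", username, source_ip)
            return False, GENERIC_FAILURE

        salt, stored = self._users.get(username, self._decoy)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in constant time; the membership check comes last so
        # the expensive hash is always computed whether or not the user exists.
        if hmac.compare_digest(candidate, stored) and username in self._users:
            self._failures.pop(username, None)
            return True, "OK"

        count, last = self._failures.get(username, (0, 0.0))
        count = count + 1 if now - last < LOCKOUT_SECONDS else 1
        self._failures[username] = (count, now)
        log.warning("login failed user=%s ip=%s consecutive=%d", username, source_ip, count)
        if count >= MAX_FAILURES:
            log.error("lockout triggered user=%s ip=%s", username, source_ip)

        failed_users = self._ip_failed_users.setdefault(source_ip, set())
        failed_users.add(username)
        if len(failed_users) >= STUFFING_THRESHOLD:
            log.error("possible credential stuffing ip=%s distinct_users=%d",
                      source_ip, len(failed_users))
        return False, GENERIC_FAILURE

    def suspicious_sources(self):
        """IPs that have failed against many distinct accounts: the credential-stuffing signature."""
        return {ip for ip, users in self._ip_failed_users.items()
                if len(users) >= STUFFING_THRESHOLD}


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")       # constructed sample account
    print(auth.login("alice", "correct horse battery staple", "198.51.100.7"))
    print(auth.login("alice", "wrong-password", "198.51.100.7"))
    print(auth.login("no-such-user", "wrong-password", "198.51.100.7"))  # same message as above
```

Two design choices are worth noting. First, lockout is keyed on the account, while stuffing detection is keyed on the source IP, because the two attacks look different in the logs: brute force is many failures against one account, credential stuffing is one or two failures against each of many accounts. Second, a memory-hard function such as Argon2id or bcrypt is preferable to PBKDF2 where a library is available; PBKDF2 is used here only because it ships with the Python standard library.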



Interested in learning how to know if your organization is vulnerable to broken authentication attacks? Drop us a note now at sales@siemba.io