Learn about the critical vulnerability of broken authentication and session management in the OWASP Top 10 2013 list. Find out how attackers exploit flaws to impersonate users and gain unauthorized access.
This blog post discusses the issue of broken authentication and session management, which is listed as the second most critical vulnerability in the OWASP Top 10 2013 list. It provides an overview of the threat agents, attack vectors, security weakness, technical impacts, and business impacts associated with this vulnerability. The post also highlights the vulnerabilities commonly found in custom authentication and session management schemes, and the potential risks associated with these flaws. Furthermore, it explains how organizations can prevent such vulnerabilities and provides example attack scenarios related to broken authentication and session management.
Broken authentication and session management is a critical vulnerability that can allow attackers to impersonate users and gain unauthorized access to sensitive data or perform malicious actions. This vulnerability occurs when there are leaks or flaws in the authentication or session management functions, such as exposed accounts, passwords, or session IDs. Attackers can exploit these flaws to hijack user accounts and perform actions on behalf of the legitimate user. This vulnerability is widespread and can have severe impacts on both the technical and business aspects of an application.
To prevent broken authentication and session management vulnerabilities, organizations should implement strong authentication and session management controls. These controls should meet the requirements defined in the OWASP Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management). Additionally, efforts should be made to avoid XSS flaws, as they can be used to steal session IDs.
Scenario #1, session ID exposure through URL rewriting: an authenticated user shares a URL that carries their session ID. Anyone who opens the link is attached to the same session and can act as that user, including viewing sensitive information such as stored credit card details.
Scenario #2, improper session timeouts: a user on a public computer closes the browser tab instead of logging out. Because the session is never invalidated, an attacker who later uses the same browser can resume the still-authenticated session.
Scenario #3, password database compromise: an insider or external attacker obtains the system's password database, which stores passwords without hashing. Every user's password is exposed, so the attacker can masquerade as any user.
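The three scenarios map onto three controls from the prevention section: session IDs that live only in cookies, sessions that expire and can be revoked on the server, and passwords stored as salted hashes. The following is an added example (not code from OWASP or from the original post) showing those controls in a minimal server-side session store; the timeout values, PBKDF2 work factor and cookie name are constructed assumptions.

```python
import hashlib, hmac, os, secrets, time

# Constructed parameters, not values from the OWASP text: idle and absolute
# session lifetimes in seconds, and the PBKDF2 work factor.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60
PBKDF2_ROUNDS = 200_000

def hash_password(password: str) -> str:
    """Store a salted PBKDF2 hash, never the password itself (Scenario #3)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison

class SessionStore:
    """Server-side sessions keyed by an unguessable ID carried only in a cookie, never
    in the URL (Scenario #1); they time out and can be revoked server-side (Scenario #2)."""
    def __init__(self, clock=time.time):  # clock is injectable so expiry is testable
        self._sessions = {}
        self._clock = clock

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def cookie_header(self, sid: str) -> str:
        # HttpOnly keeps script (XSS) from reading the ID; Secure keeps it off plain HTTP.
        return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def lookup(self, sid: str):
        """Return the session's user, or None if the ID is unknown or has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # stale session is discarded, not revived
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # invalidate server-side, not just delete the cookie
```

A real application would back the store with a shared cache or database and regenerate the session ID on login, but the expiry, revocation and hashing logic is the same.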