Gain insights into the risks posed by Broken Authentication in applications and learn effective prevention methods. Explore attack scenarios and prevention measures.
Broken Authentication is a security weakness that allows attackers to gain unauthorized access to an application by exploiting vulnerabilities in the authentication and session management mechanisms. This can lead to severe consequences such as money laundering, fraud, identity theft, and disclosure of sensitive information.
Broken Authentication is a prevalent issue in many applications because of flaws in the design and implementation of identity and access controls. Attackers use techniques such as credential stuffing, brute force attacks, and session management exploits to gain unauthorized access. The weaknesses that make these attacks possible include weak passwords, default or well-known credentials, ineffective multi-factor authentication, and session management flaws.
To prevent Broken Authentication vulnerabilities, it is recommended to implement strong authentication mechanisms such as multi-factor authentication. Other prevention measures include avoiding the use of default or weak credentials, enforcing password complexity and rotation policies, using secure session management techniques, and properly invalidating session IDs. Regular monitoring and logging of failed login attempts can help detect and mitigate authentication attacks.
Scenario 1: Credential Stuffing: In this attack scenario, an attacker uses lists of known passwords to perform credential stuffing. By sending many login requests with username and password combinations taken from those lists, the attacker learns which credentials are still valid. Applications without automated threat or credential stuffing protections are vulnerable to this attack.
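The monitoring the prevention section calls for, and the pattern this scenario describes, can be made concrete with a small detector run over authentication logs. The following is an added example, not code from the original article: it assumes a hypothetical log format of `<ISO timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>` and uses illustrative thresholds. It distinguishes credential stuffing (one source trying many different accounts) from brute force (many attempts from one source) and per-account lockout, and flags a successful login from a source already seen stuffing, which is the event a responder most wants to see.

```python
"""Added example (not from the article): sliding-window detector for
credential-stuffing and brute-force patterns in authentication logs.

Assumed (hypothetical) log line format:
    <ISO timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>
Thresholds are illustrative, not taken from any standard.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # sliding window for all counters
MAX_FAILS_PER_IP = 10                # many attempts from one source: brute force
MAX_DISTINCT_USERS_PER_IP = 5        # many accounts from one source: stuffing
MAX_FAILS_PER_USER = 5               # per-account lockout / step-up trigger

# Constructed sample log. 203.0.113.7 walks a list of accounts and finally
# succeeds on one; 198.51.100.9 hammers a single account; the 09:00 entry
# is outside the window and must not count.
SAMPLE_LOG = """\
2024-01-01T09:00:00 203.0.113.7 zed LOGIN_FAIL
2024-01-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2024-01-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2024-01-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2024-01-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2024-01-01T10:00:05 203.0.113.7 erin LOGIN_FAIL
2024-01-01T10:00:06 203.0.113.7 frank LOGIN_OK
2024-01-01T10:01:00 198.51.100.9 victim LOGIN_FAIL
2024-01-01T10:01:10 198.51.100.9 victim LOGIN_FAIL
2024-01-01T10:01:20 198.51.100.9 victim LOGIN_FAIL
2024-01-01T10:01:30 198.51.100.9 victim LOGIN_FAIL
2024-01-01T10:01:40 198.51.100.9 victim LOGIN_FAIL
2024-01-01T10:02:00 192.0.2.4 alice LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def analyze(log_text):
    """Return a dict of alert sets computed over the log in time order."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_ip = defaultdict(list)     # ip -> [(ts, user), ...] inside WINDOW
    fails_by_user = defaultdict(list)   # user -> [ts, ...] inside WINDOW
    alerts = {
        "stuffing_ips": set(),          # one source, many distinct accounts
        "bruteforce_ips": set(),        # one source, many attempts
        "locked_users": set(),          # accounts that hit the per-user limit
        "suspect_successes": set(),     # (ip, user) success from a flagged source
    }
    for ts, ip, user, ok in events:
        if ok:
            if ip in alerts["stuffing_ips"] or ip in alerts["bruteforce_ips"]:
                alerts["suspect_successes"].add((ip, user))
            continue
        # Expire entries that fell out of the window before counting.
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= WINDOW]
        fails_by_ip[ip].append((ts, user))
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= WINDOW]
        fails_by_user[user].append(ts)

        distinct_users = {u for _, u in fails_by_ip[ip]}
        if len(distinct_users) >= MAX_DISTINCT_USERS_PER_IP:
            alerts["stuffing_ips"].add(ip)
        if len(fails_by_ip[ip]) >= MAX_FAILS_PER_IP:
            alerts["bruteforce_ips"].add(ip)
        if len(fails_by_user[user]) >= MAX_FAILS_PER_USER:
            alerts["locked_users"].add(user)
    return alerts


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(items)}")
```

In a real deployment the same counters would live in a shared store (for example a rate-limit table keyed by source and by account) and feed the login handler directly, so that a flagged source is challenged with MFA or a CAPTCHA before the password is even checked; the `suspect_successes` set is the list of accounts to force a password reset on.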
Scenario 2: Weak Password Practices: Many authentication attacks occur due to the continued use of passwords as the sole factor. Weak password policies, including rotation and complexity requirements, often result in users choosing or reusing weak passwords. Following NIST guidelines and implementing multi-factor authentication can help mitigate this vulnerability.
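The NIST recommendation referred to here replaces complexity and rotation rules with a minimum length and a check against known-compromised and context-specific passwords. The block below is an added example, not the article's code, of what such an acceptance check looks like; the breached-password set is a constructed stand-in for a real breach corpus, and the service name and length limits are assumptions.

```python
"""Added example (not from the article): password acceptance check in the
style of NIST SP 800-63B. No composition rules, no forced rotation; instead
a length floor, a generous ceiling, and rejection of compromised,
repetitive/sequential and context-specific values.

The breached set below is CONSTRUCTED for the example; a real deployment
would query a breach corpus (e.g. by SHA-1 prefix) instead.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8      # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 64     # NIST requires at least 64 characters be accepted
SERVICE_NAME = "example"   # assumed: the application's own name, a context-specific word

# Constructed stand-in for a breach corpus, keyed by upper-case SHA-1 hex.
_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456789", "qwertyuiop", "letmein1")
}


def normalize(pw):
    """NFKC-normalize so visually identical inputs compare and hash equally."""
    return unicodedata.normalize("NFKC", pw)


def _is_repetitive_or_sequential(pw):
    """True for strings like 'aaaaaaaa', 'abcdefgh' or '87654321'."""
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(diffs) == 1 and diffs <= {-1, 0, 1}


def in_breach_corpus(pw):
    """Look the password up in the (constructed) compromised-password set."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest in _BREACHED


def check_password(pw, username=""):
    """Return (accepted, reason). Reasons are stable strings for the UI."""
    pw = normalize(pw)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if _is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    lowered = pw.lower()
    if username and username.lower() in lowered:
        return False, "contains username"
    if SERVICE_NAME in lowered:
        return False, "contains service name"
    if in_breach_corpus(pw):
        return False, "found in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "aaaaaaaaaa"):
        print(repr(candidate), "->", check_password(candidate))
```

Note what is absent: a long all-lowercase passphrase is accepted, while a short string that satisfies every classic complexity rule but sits in the breach corpus is not. Rotation under this model is triggered only by evidence of compromise (for example a match in a newly loaded breach corpus), which is where the session-invalidation logic of the next scenario comes in.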
Scenario 3: Improper Session Timeout: Improperly set session timeouts can lead to unauthorized access. For example, if a user accesses an application on a public computer and fails to log out properly, the session may remain active. An attacker who later uses the same browser can gain access without authentication. Proper session timeout configurations are essential to prevent such scenarios.
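The public-computer case above is prevented on the server, not in the browser: the session record must expire on inactivity and after an absolute lifetime, be replaced on login, and be removed on logout. The block below is an added example, not code from the article, of a minimal in-memory session store with those controls; the timeout values are illustrative, and the injectable clock exists only so expiry can be exercised without waiting.

```python
"""Added example (not from the article): server-side session store with
idle timeout, absolute lifetime, ID rotation on login and explicit
invalidation. Timeout values are illustrative assumptions."""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before expiry (assumed)
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap from creation, regardless of activity (assumed)


class ManualClock:
    """Injectable clock so expiry can be tested without sleeping."""
    def __init__(self, start):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sid -> {"user", "created", "last_seen"}

    def create(self, user=None):
        # 256 bits from the OS CSPRNG; never derived from user data or time.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Issue a fresh ID at the privilege change so a pre-auth ID is never upgraded."""
        self.destroy(old_sid)
        return self.create(user)

    def resolve(self, sid):
        """Return a copy of the session record, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            self.destroy(sid)       # expire server-side, not just the client cookie
            return None
        s["last_seen"] = now        # sliding idle window
        return dict(s)

    def destroy(self, sid):
        """Logout: the ID becomes unusable even if the browser still holds it."""
        self._sessions.pop(sid, None)

    def destroy_all_for_user(self, user):
        """Password change or suspected compromise: drop every session of the user."""
        for sid in [k for k, v in self._sessions.items() if v["user"] == user]:
            self.destroy(sid)


def simulate():
    """Walk through the scenario's cases; returns a dict of outcomes."""
    clock = ManualClock(1_000_000.0)
    store = SessionStore(clock)
    out = {}
    pre = store.create()                       # anonymous pre-login session
    sid = store.login(pre, "alice")
    out["old_id_dead_after_login"] = store.resolve(pre) is None
    out["fresh_session_ok"] = store.resolve(sid)["user"] == "alice"
    clock.advance(IDLE_TIMEOUT + 1)            # user walked away from the public PC
    out["idle_expired"] = store.resolve(sid) is None
    sid = store.create("alice")
    for _ in range(ABSOLUTE_LIFETIME // 600 + 1):   # stays active, but hits the hard cap
        clock.advance(600)
        store.resolve(sid)
    out["absolute_expired"] = store.resolve(sid) is None
    sid = store.create("bob")
    store.destroy(sid)                         # explicit logout
    out["logout_invalidated"] = store.resolve(sid) is None
    a, b = store.create("carol"), store.create("carol")
    store.destroy_all_for_user("carol")
    out["all_user_sessions_dropped"] = store.resolve(a) is None and store.resolve(b) is None
    return out


if __name__ == "__main__":
    for case, result in simulate().items():
        print(f"{case}: {result}")
```

The cookie carrying the ID should additionally be set with `HttpOnly`, `Secure` and an appropriate `SameSite` value, but none of those flags substitutes for the server-side expiry shown here: a cookie the browser keeps is harmless once the store no longer recognises it.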