Learn how broken authentication vulnerabilities can be exploited by attackers through bad session management, username enumeration, credential stuffing, brute force attacks, weak passwords, and more.
A broken authentication vulnerability can allow an attacker to take over individual accounts or, when an administrative account falls, the entire system. It usually stems from logic flaws in the application's authentication mechanism, such as weak session management or username enumeration. The risk can be reduced by keeping administrative login pages off the public internet (for example behind a VPN or an IP allow-list) and by implementing strong authentication processes.
Broken authentication refers to logic flaws in an application's authentication mechanism that attackers can exploit. Two common examples are weak session management (predictable, long-lived or leaked session IDs) and username enumeration, where the login, registration or password-reset response reveals whether an account exists and so hands the attacker a list of valid targets. Another is allowing unlimited username/password attempts against login pages, which makes brute-force and credential-stuffing attacks practical. The OWASP Top 10 (A07:2021, Identification and Authentication Failures) lists the main forms: automated attacks such as credential stuffing and brute force, default or weak passwords, weak credential recovery processes, passwords stored in plain text or with weak hashes, missing or ineffective multi-factor authentication, and session ID weaknesses.
To prevent broken authentication vulnerabilities, it is crucial to follow best practices and support developers in implementing proper security measures. Some recommendations from OWASP include implementing multi-factor authentication, avoiding default credentials, enforcing strong password policies, hardening registration and credential recovery processes, limiting failed login attempts, logging failures and detecting attacks, using secure session management, ensuring session IDs are not exposed in URLs, and securely storing and invalidating session IDs after logout, idle, and absolute timeouts.
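As an added example (not code from the original page), the Python below shows a minimal login check in two forms. The vulnerable one returns different messages for an unknown user and a wrong password, so it enumerates usernames, and it never limits attempts. The hardened one returns a single message, runs the same password hashing for non-existent users via a decoy credential so response time does not reveal whether the account exists, compares hashes in constant time, and locks the (client IP, username) pair after a sliding window of failures. The user store, the PBKDF2 parameters, the thresholds and the function names are assumptions; PBKDF2 is used only because it ships in the standard library, and a memory-hard hash such as Argon2id or bcrypt is the better choice in production.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example; user store, parameters and names are assumptions, not the page's code.
PBKDF2_ITERATIONS = 100_000   # standard library only; prefer Argon2id/bcrypt in production
MAX_FAILURES = 5              # failures per (client IP, username) before lockout
LOCKOUT_SECONDS = 900         # sliding window in which failures are counted


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": make_user("correct horse battery staple")}

# Decoy credential: a lookup of a non-existent user still does the full PBKDF2 work,
# so the response time is the same as for a real user with a wrong password.
_DECOY_SALT, _DECOY_HASH = make_user(os.urandom(16).hex())

_failures: dict = {}   # "ip|username" -> timestamps of recent failures


def _recent_failures(key: str, now: float) -> list:
    window = [t for t in _failures.get(key, []) if now - t < LOCKOUT_SECONDS]
    _failures[key] = window
    return window


def login_vulnerable(username: str, password: str) -> str:
    """Deliberately weak: distinct messages enumerate users and nothing is throttled."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    salt, stored = user
    if hash_password(password, salt) == stored:
        return "ok"
    return "wrong password"


def login_hardened(username: str, password: str, client_ip: str,
                   now: Optional[float] = None) -> str:
    """One error message, equal work for unknown users, constant-time compare, lockout."""
    now = time.time() if now is None else now
    key = f"{client_ip}|{username}"
    if len(_recent_failures(key, now)) >= MAX_FAILURES:
        # Applies to unknown usernames too, so the lockout itself does not enumerate.
        return "too many attempts"
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    candidate = hash_password(password, salt)
    # compare_digest is constant-time; the membership check stops the decoy from ever matching.
    if hmac.compare_digest(candidate, stored) and username in USERS:
        _failures.pop(key, None)
        return "ok"
    _failures.setdefault(key, []).append(now)
    return "invalid credentials"
```

The lockout is keyed on both client IP and username so a single attacker cannot lock out a victim from an unrelated address as easily, while still stopping one source from grinding through passwords; a production deployment would add a per-IP ceiling and a per-account ceiling as well.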
Credential Stuffing Attack: An attacker obtains a list of username and password combinations from a data breach on another website. They then use an automated script to attempt these combinations on the target website, taking advantage of weak or reused credentials. With successful logins, the attacker gains unauthorized access to user accounts, potentially leading to identity theft, unauthorized transactions, or further system compromise.
Brute Force Attack: An attacker uses an automated script to systematically guess username and password combinations on the login page of a target website. They try various combinations of common usernames and passwords, hoping to find a match. If the website does not have adequate protections or rate limiting mechanisms, the attacker may eventually guess a valid combination and gain unauthorized access to the system.
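The two attack patterns above look different in an authentication log: a brute-force source makes many attempts against one or a few usernames, while a credential-stuffing source makes roughly one attempt per username across many usernames. As an added example (not from the original page), the Python below parses a constructed log in a simple `ip=... user=... result=...` format and classifies each source address by those ratios. The log lines, the field format and the thresholds are assumptions; real logs need their own parser and tuned thresholds.

```python
import re
from collections import defaultdict

# Added example with a constructed log format; nothing here comes from the page.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def constructed_log() -> list:
    """Constructed sample authentication log (not real data)."""
    lines = []
    # Brute force: one IP hammers one account with 40 password guesses.
    lines += [f"2024-05-01T10:00:{i:02d}Z ip=198.51.100.7 user=admin result=fail"
              for i in range(40)]
    # Credential stuffing: one IP tries 30 accounts once each; two leaked pairs still work.
    for i in range(30):
        result = "ok" if i in (4, 17) else "fail"
        lines.append(f"2024-05-01T10:01:{i:02d}Z ip=203.0.113.9 user=user{i:03d} result={result}")
    # Normal user: one typo, then a successful login.
    lines += [
        "2024-05-01T10:02:00Z ip=192.0.2.25 user=alice result=fail",
        "2024-05-01T10:02:05Z ip=192.0.2.25 user=alice result=ok",
    ]
    return lines


def analyze(lines, min_attempts=20, max_users_brute_force=3, min_users_stuffing=20):
    """Classify each source IP as brute_force, credential_stuffing or benign."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count and alert on these
        s = per_ip[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "ok":
            s["ok_users"].add(m["user"])

    findings = {}
    for ip, s in per_ip.items():
        attempts, users = s["attempts"], len(s["users"])
        if attempts >= min_attempts and users <= max_users_brute_force:
            label = "brute_force"          # many guesses against few accounts
        elif users >= min_users_stuffing and users / attempts >= 0.8:
            label = "credential_stuffing"  # about one guess per account, many accounts
        else:
            label = "benign"
        findings[ip] = {
            "label": label,
            "attempts": attempts,
            "distinct_users": users,
            # Accounts that accepted a stuffed credential should be forced to reset.
            "compromised": sorted(s["ok_users"]) if label == "credential_stuffing" else [],
        }
    return findings
```

The `compromised` list is the actionable output: those accounts logged in with a reused password from a breach and need a forced reset and session invalidation, regardless of whether the stuffing source is later blocked.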
Session ID Exposure: A website generates session IDs and places them in URLs to identify the authenticated user. A URL leaks far more readily than a cookie: it appears in Referer headers sent to third-party sites, in browser history, in proxy and web server logs, and in links users copy and share. An attacker who obtains such a URL takes over the user's session without ever knowing the password, and can impersonate the user, perform actions on their behalf, or read sensitive data. Session IDs should be generated from a cryptographically secure random source, carried only in cookies with the Secure and HttpOnly attributes, regenerated on login, and invalidated server-side on logout and after idle and absolute timeouts.
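As an added example (not code from the original page), the Python below is a small server-side session store that generates IDs from the OS CSPRNG, enforces both an idle and an absolute timeout, rotates the ID on login to defeat session fixation, and invalidates on logout. It also shows the vulnerable request handling that accepts a session ID from the query string next to the hardened version that trusts only the cookie. The class name, timeout values, cookie name and helper names are assumptions.

```python
import secrets
import time
from typing import Optional

# Added example; names and timeout values are assumptions, not the page's code.
IDLE_TIMEOUT = 15 * 60        # seconds allowed since the last request
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds allowed since the session was created


class SessionStore:
    """Server-side session store: random IDs, idle and absolute expiry, explicit invalidation."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp
        self._sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def rotate(self, old_sid: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh ID after login or privilege change so a pre-set ID cannot be fixated."""
        user = self.validate(old_sid, now)
        if user is None:
            return None
        self.invalidate(old_sid)
        return self.create(user, now)

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live session, or None; expired sessions are removed."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            self.invalidate(sid)
            return None
        s["last_seen"] = now
        return s["user"]

    def invalidate(self, sid: str) -> None:
        # Logout: the ID is dead server-side even if the cookie survives in the browser.
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    # Secure: HTTPS only. HttpOnly: not readable by script. SameSite: not sent cross-site.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_id_vulnerable(query_params: dict, cookies: dict) -> Optional[str]:
    """Accepts the ID from the URL, which then leaks via Referer, logs and browser history."""
    return query_params.get("sid") or cookies.get("session")


def session_id_hardened(query_params: dict, cookies: dict) -> Optional[str]:
    """Only the cookie is trusted; an ID supplied in the URL is ignored."""
    return cookies.get("session")
```

Both timeouts matter: the idle timeout limits how long an abandoned browser stays logged in, while the absolute timeout caps the lifetime of a stolen ID even when the attacker keeps it alive with regular requests.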