Broken Authentication & Session Management
What is Authentication?
Authentication means proving you are who you say you are, using something you know or something you have. For instance, you log in with your email/username and password: the username is who you claim to be and the password is something you know. Modern applications add multi-factor authentication (for example, an OTP), which is something you have. All of these combined are what we call the "Authentication Mechanism".
Username: xxxx@example.com // Someone you are
Password: xxxxxxxxxxxx // Something you know
Enter OTP: 657882 // Something you have
What is a session?
It is a temporary time period for interaction between two or more communication devices denoted by a unique session ID or token. It is temporary because it is valid only until the devices are communicating. It is brought down to an end after a period of time.
During this time, the devices interact through a sequence of HTTP requests and responses. A web application may create a session both before and after the user is authenticated. To keep track of the user's state, the session stores variables such as access rights and local settings, which it uses for the entire duration of the session. Keeping variables in a session helps to identify the user on every request and to apply security mechanisms such as access control and authorization.
Why Session Management?
Since HTTP is a stateless protocol, it does not store any information about the user/device on its own. Without that state there can be no authorization checks and no access control. Therefore, to bind all of these together in a session, implementing session management is a must.
It is up to the developer of the application to decide how session management is securely implemented.
How to identify broken authentication and session management?
There are several ways a developer can design the authentication and session management of an application. But from a security point of view, it all comes down to three things: confidentiality, integrity and availability. A security vulnerability arises when any of the three is compromised.
Some common examples of broken authentication and session management arise when:
- The user is permitted to brute-force usernames and passwords. Allowing brute-forcing or unlimited attempts to enter credentials can lead to automated dictionary and rainbow-table attacks. These use lists of candidate credentials and salt values which are sent to the server and verified one by one. Fix: securely implement a CAPTCHA or rate limit, and log every failed attempt.
- Using weak hashes to store user credentials. If the credentials are hashed or encrypted with a weak algorithm, it is very easy for an attacker to recover the original value. Fix: use a strong hashing algorithm and add salt values to it.
- No or inefficient multi-factor authentication. Even though implementing MFA is good practice, implementing it securely is essential. Most of the time, MFA is bypassed due to misconfiguration.
- Session IDs are visible in the URL: session IDs in the URL can be very dangerous to an authentication system. If the URL is sent to someone, the active session ID is sent along with it. This can lead to the recipient/attacker having access to a valid session.
https://www.example.com/user/account?user_token=AJD62621AdADFTHXXXX&lang=en
- A session ID is not terminated after a period of inactivity, logout, password change or any other authentication-related action of the user: Sessions can be restored by an attacker if the session ID is not invalidated correctly leading to session hijacking.
- Allowing weak passwords for accounts: use a strong password-enforcing mechanism with a password length of more than 30. Such a password is very hard to crack even by the strongest computing machine.
Username: John
Password: John123
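The session-termination rule and the failed-attempt limit from the list above, shown as an added example (not code from the original post): a small in-memory session store that issues random session IDs, expires them on inactivity, invalidates them on logout and on password change, and counts failed logins per account so the login handler can lock it. The class name, the 900-second idle window and the 5-attempt limit are constructed for this illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

def _clock(now):
    # injectable clock so timeouts can be exercised deterministically
    return time.time() if now is None else now

@dataclass
class SessionStore:
    """In-memory server-side session table (constructed example, not production code)."""
    idle_timeout: float = 900.0   # seconds of inactivity before a session is terminated
    max_failures: int = 5         # failed logins tolerated before the account is locked
    sessions: dict = field(default_factory=dict)   # token -> {"user": ..., "last_seen": ...}
    failures: dict = field(default_factory=dict)   # username -> consecutive failed attempts

    def create(self, user, now=None):
        # 32 CSPRNG bytes: the ID is unguessable and unrelated to the username
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": _clock(now)}
        return token

    def validate(self, token, now=None):
        """Return the user bound to token, or None if it is unknown or idle-expired."""
        now = _clock(now)
        entry = self.sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self.sessions[token]   # inactivity: terminate server-side, not just reject
            return None
        entry["last_seen"] = now       # sliding idle window
        return entry["user"]

    def logout(self, token):
        self.sessions.pop(token, None)   # explicit logout invalidates the ID immediately

    def on_password_change(self, user):
        """Authentication-related action: drop every session the user holds."""
        for t in [t for t, e in self.sessions.items() if e["user"] == user]:
            del self.sessions[t]

    def record_login(self, user, success):
        # count consecutive failures per account; the login handler checks is_locked() first
        if success:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.max_failures
```

Because every check consults the server-side table, a leaked ID stops working the moment the session is terminated, regardless of what the client still holds.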
Conclusion:
There are a lot of methods to do authentication and to maintain a session. No mechanism is ever 100% secure, but it is important to follow best practices wherever possible.
This vulnerability is found on approximately 40% of the web-applications online today.
Cheers!