As we are covering the OWASP Top 10 vulnerabilities, broken authentication is one of them. Broken authentication refers to a breach of the authentication procedure of a web application. Session management is the set of rules that governs the interactions between a web application and its end users. A web session is a transactional chain of HTTP requests made by the client to a server and the responses it receives. HTTP (or HTTPS) is the protocol the browser and the website use to communicate.
So, in broken authentication, hackers look for weaknesses that let them bypass or hijack the authentication functions.
The following are the ways in which an authentication breach can happen:
- Predictable (easily guessed) login credentials.
- Session IDs exposed in the URL (e.g., URL rewriting).
- Session IDs vulnerable to fixation attacks.
- Unprotected user authentication credentials.
- Session IDs, passwords, and other identifiers sent over unprotected, unencrypted connections.
- Session IDs that are not rotated after a successful login.
- Session values that are not destroyed or invalidated after logout.
Such attacks aim to gain access to one or more accounts and obtain all the privileges of the attacked user. These privileges let the attacker do whatever they want within that account.