As we are covering OWASP top 10 vulnerabilities,broken authentication is one of it. Broken Authentication itself suggests the breach in the authentication procedure of a web application. Session management is the rule which checks for the interactions amid a web application and end-users. A web session is actually a transactional chain of HTTP commands and responses made by the client to a server. HTTP/HTTPS is the protocol to communicate between the website and the browser.
So, in broken authentication, hackers find the exposures where the breach could be done to dodge or seize the authentication functions.
Following are the ways where the authentication breach could happen –
- Probable login credentials.
- Exposed session IDs in the URL (e.g., URL rewriting).
- Vulnerable session IDs to fixation attacks.
- Unprotected user authentication credentials.
- Session IDs, passwords, and other identifications sent over unprotected and unencrypted connections.
- Non-rotated or Unshuffled session IDs after successful login.
- Undestroyed or not invalidated session values after logout.
Such attacks aim to get access to more than one account and gain all the privileges of the user which is attacked. These privileges let the attacker do whatever he wants.
EXAMPLES OF AUTHENTICATION AND SESSION BREACHES
Example #1: Probable login credentials
It is a matter of common sense that you should not keep the values of usernames and passwords so easy that everyone can predict them. The credentials should not be the ones which are used very frequently. Attackers can get a hold of this with ease. You should always use strong credentials.
No comments:
Post a Comment