
OWASP Top 10 #2 - Broken Authentication Session Management

August 17, 2017 by Infosec

Network security can never get enough attention in today’s world. It is of paramount importance, especially for people working in information technology, to understand the cyber-attacks possible against web applications and the techniques available to prevent them. Some of the most common attacks include (but are not limited to) SQL injection, broken authentication and session management, cross-site request forgery and cross-site scripting. The attack examined in detail in this article is broken authentication and session management.

Authentication and session management cover verifying who a user is, granting them access to specific data, and managing their sessions. Even though the importance of authentication should never be underestimated, faulty credential management can undermine perfectly authenticated sessions. This is the reason why most account management and update functions (forgotten password, password change and profile update) need to be followed immediately by re-authentication, to ensure that the session ID is valid.


These attacks normally occur when the server side fails to manage sessions carefully. For example, a user might have logged out of the website but, because their session was not destroyed at logout, a hacker was able to submit a forged “change password” request on that still-live session. If the developers use no re-authentication mechanism there, the hacker can change the password and go on to exploit the account.

Another easy way to perform the attack is by rewriting a very revealing URL. Take, for example:

http://hello.com/sale/saleitems?sessionid=26854454dsa1&dest=Marco

If the user shares this link with somebody, and the server side does not manage sessions flawlessly (for instance by accepting the session ID carried in the URL above as-is), a hacker holding the link can potentially view data that was not meant for them.

How to Minimize/Remove:

  1. Improve the session management mechanism. This will involve:
    • Ensuring short idle and absolute timeouts.
    • If a privileged state is to be stored, making sure that the device is trusted.
    • Destruction of sessions after logout.
    • Rotation of important session identifiers.
    • Never allowing session rewriting (session identifiers carried in URLs, as in the example above).
    • Logging all session failures.
    • Never logging session identifiers.
  2. Ensure that there are no XSS flaws in the system, since such flaws can be used to steal session identifiers.
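The following is an added example (not code from the original article or from Infosec) showing how the points in the list above fit together in a small server-side session store: random identifiers generated only by the server, idle and absolute timeouts, destruction at logout, rotation of the identifier after re-authentication, session failures logged without the identifier itself, and the forced re-authentication before a password change described earlier. The timeout values, the `sid` cookie name and the `session_id_from_request` helper are assumptions made for the example; the helper also shows why a `?sessionid=` query parameter like the one in the URL above is ignored.

```python
import logging
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy values for the example; tune them to the application.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity
REAUTH_WINDOW = 5 * 60        # sensitive actions need a password check this recent

log = logging.getLogger("session")


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float   # last time the user proved their password


def session_id_from_request(cookies: dict, query: dict) -> Optional[str]:
    """Only the cookie carries the session (assumed cookie name 'sid').
    A ?sessionid= query parameter is deliberately ignored, so a shared
    link never hands the recipient someone else's session."""
    return cookies.get("sid")


class SessionStore:
    """Server-side session table. Identifiers are generated here and never
    accepted from the client, so a session cannot be fixed or rewritten."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time forward
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Validate a session and refresh its idle timer; None if invalid."""
        now = self._clock()
        s = self._sessions.get(sid) if sid else None
        if s is None:
            log.warning("session failure: reason=unknown_id")  # never log the id
            return None
        if now - s.created > ABSOLUTE_TIMEOUT:
            return self._fail(sid, s, "absolute_timeout")
        if now - s.last_seen > IDLE_TIMEOUT:
            return self._fail(sid, s, "idle_timeout")
        s.last_seen = now
        return s

    def _fail(self, sid: str, s: Session, reason: str) -> None:
        del self._sessions[sid]
        log.warning("session failure: reason=%s user=%s", reason, s.user)
        return None

    def rotate(self, sid: str) -> str:
        """Issue a fresh identifier for an existing session; the old one dies."""
        s = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def logout(self, sid: str) -> None:
        """Destroy the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

    def reauthenticate(self, sid: str, password_ok: bool) -> Optional[str]:
        """Record a successful password check and rotate the identifier."""
        s = self.get(sid)
        if s is None or not password_ok:
            return None
        s.last_auth = self._clock()
        return self.rotate(sid)

    def change_password(self, sid: str) -> str:
        """Sensitive action: needs a live session AND a recent password check.
        On success every other session of the same user is destroyed."""
        s = self.get(sid)
        if s is None:
            return "invalid_session"
        if self._clock() - s.last_auth > REAUTH_WINDOW:
            return "reauth_required"
        # ...update the stored password hash here (omitted in the example)...
        for other, sess in list(self._sessions.items()):
            if sess.user == s.user and other != sid:
                del self._sessions[other]
        return "ok"
```

The absolute timeout is checked before the idle timeout so that a session kept alive by steady activity still expires; the `clock` argument exists only so the behaviour can be exercised without waiting, and a real deployment would also bind the store to persistent storage rather than a dictionary.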

The biggest danger posed by broken authentication and session management in enterprise solutions is that, once discovered by hackers, it can be the starting point for many other lethal attacks. Simply put, once hackers realise they can trick the system into thinking they are an authenticated user with an ongoing session, the possibilities become endless for them.

One of the most important repercussions of broken authentication and/or session management is unvalidated redirects and forwards. Being redirected or forwarded from one page to another is a fairly common thing on many websites. If the destination page is taken from a parameter that is never validated, bad things can happen: attackers can mount phishing attacks that redirect users to websites of their choice. Once again, this can occur if authenticated sessions are not timed (and managed) properly.

The simplest attack in this regard is to tamper with the URL parameter that tells the application where to redirect the user.

Consider the following URL: http://www.sample.com/redirect.php?url=mybadbadwebsite.com

Many websites still use this technique for redirection and, if the URL parameter is not validated, the user can indeed be redirected to the bad website.

Another problem is caused by forwarding. Sometimes the URL includes a parameter indicating where the user should be routed once a transaction completes. If this parameter is changed, an attacker can bypass the application’s access control checks and reach administrative pages, as in the following URL:

http://www.sample.com/profile.php?fwd=adminprofile.php

In both of the above cases, if the user session is managed properly, with multi-level authentication techniques and a rigorous session-timer implementation, these attempts will be rendered useless.

Some of the other ways to prevent such dangerous attacks are:

  1. The best, and probably the least used, way to avoid these issues is to forbid the use of redirects and forwards entirely.
  2. Another easy way is not to use user-submitted or changeable parameters to calculate the destination page.
  3. If you absolutely need destination parameters in your URL, make sure they are validated once they reach the back end of your application, by checking whether the requesting user is actually privileged enough to access the resource they are asking for.
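As an added example (not code from the original article or from Infosec), the two functions below apply points 2 and 3 to the `redirect.php?url=` and `profile.php?fwd=` cases shown above. The redirect check accepts only a local path or an https URL on an allow-listed host, so a bare `mybadbadwebsite.com` falls back to the default page; the forward lookup replaces the raw page name with an opaque key whose required role is enforced on the server. `ALLOWED_HOSTS`, `FORWARD_TARGETS`, the role names and the page names other than those in the article are assumptions constructed for the example.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed for the example: hosts we are willing to send users to.
ALLOWED_HOSTS = {"www.sample.com"}

# Constructed for the example: forward targets are chosen by an opaque key,
# and each entry names the role required to reach the page. The page name
# never comes from the request, so ?fwd=adminprofile.php selects nothing.
FORWARD_TARGETS = {
    "profile": ("profile.php", "user"),
    "orders": ("orders.php", "user"),
    "admin": ("adminprofile.php", "admin"),
}


def safe_redirect_target(url_param: Optional[str], default: str = "/") -> str:
    """Return url_param if it stays on our site, otherwise the default page.

    Accepts only a local absolute path ("/account?tab=orders") or an https
    URL whose host is in ALLOWED_HOSTS. Bare host names, scheme-relative
    "//host" forms, other schemes, backslashes and control characters
    all fall back to the default."""
    if not url_param:
        return default
    # Whitespace, control characters and backslashes are normalised by
    # browsers in ways that can change the effective host; reject them early.
    if any(c in url_param for c in "\r\n\t \\"):
        return default
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: only our own host over https.
        if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_HOSTS:
            return default
        return url_param
    # Relative reference: must be an absolute path on this site.
    if not parts.path.startswith("/"):
        return default
    return url_param


def resolve_forward(fwd_param: Optional[str], roles: Set[str]) -> Optional[str]:
    """Map a forward key to a page, enforcing the page's required role on
    the server even though the client chose the key. None means 'refuse'."""
    if not fwd_param:
        return None
    entry = FORWARD_TARGETS.get(fwd_param)
    if entry is None:
        return None
    page, required_role = entry
    if required_role not in roles:
        return None
    return page
```

The host comparison is an exact match against the allow list, so look-alike hosts such as `www.sample.com.mybadbadwebsite.com` or user-info tricks (`www.sample.com@...`) are rejected without any special casing; the roles passed to `resolve_forward` should come from the server-side session, never from the request.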

Another attack that can follow from poor authentication and session management is security misconfiguration. It takes place when developers wrongly or loosely assemble the barriers protecting the sensitive parts of the web application. Sometimes database administrators or back-end coders leave holes in the application’s frameworks, and these holes are then exploited by intruders. Through them, hackers can get right into the system and compromise it, partially or at times completely. Had the system’s authentication and/or session management schemes not been broken, the second layer of the system could have remained protected.

There are a few specific causes of these unauthorized accesses:

  1. Out-of-date software: the OS, web server, database management system or any code library.
  2. Unused installed features such as open ports, web pages or user accounts.
  3. Unchanged passwords on default accounts that were created for testing purposes.
  4. Disclosure of stack contents when an error occurs or in error handling routines.
  5. Misconfiguration in MVC architectures/frameworks, such as “Spring” and “Struts”, that fails to secure values.

An example scenario is a server where directory listing is not set to “disabled,” as recommended practice requires. Through the listing, a hacker can obtain any file simply by printing out the directory contents. Once they have all the compiled source files, they can reverse-engineer them to recover the original source code. The hacker can then find any broken access control situation and exploit it. It should be noted that a rigorous authentication and session management scheme would have made this impossible for the hacker.

More information on broken authentication and session management can be retrieved here.


Final Word

No system can be categorically devoid of vulnerabilities that can be exploited by the sophisticated hackers of the modern world. However, with proper awareness of the most common cyber-attacks and implementation of defense measures, many undesirable events can be prevented. This article walked you through one of the most threatening attacks, one that can easily be prevented, but it is the need of the hour to be on an endless crusade to improve one’s security IQ. In this regard, the SecurityIQ solution by the INFOSEC institute is a tremendous way to learn all there is to know about cyber-security and how the most deadly attacks can be prevented.
