2017 OWASP A2 Update: Broken Authentication
Broken authentication is a significant security issue and should be fixed as soon as possible. Despite being widely documented for years, it still holds the second position in OWASP’s 2017 list of the top 10 most critical web application security risks.
The OWASP (Open Web Application Security Project) is an open community dedicated to helping organizations develop, purchase and maintain trusted applications and APIs. Since 2004, it reports the most critical risks affecting web applications — broken authentication first appeared on its 2004 list and remains there today.
What is Broken Authentication?
Broken authentication happens mostly due to poor implementation of application functions related to authentication and session management, thus allowing attackers to compromise passwords, keys or session tokens, even going so far as to exploit other implementation flaws to assume users’ identities temporarily or permanently.
Broken Authentication Attack Types
This sort of attack is quite easy to execute, as cybercriminals can employ several techniques, such as variations of brute force attacks including dictionary-based attacks or even credential stuffing (the automated injection of previously breached/publicly available username/password pairs, not necessarily related to the current target, in order to fraudulently gain access to user accounts). Similarly, attackers also make use of automation tools to try guessing default admin passwords.
Another way of exploiting broken authentication is using session management attacks. Since HTTP is a stateless protocol (i.e., web servers respond to client requests without linking them to each other) it requires a third party solution to handle session management. This sort of attack essentially exploits the mechanism by which it controls and maintains the state for a user interacting with it.
A simple example is the case of unexpired session token vulnerability. For instance, if a user accessing an application simply closes the browser, the session may not expire. This would allow an unauthorized party to use the same computer/browser to access the web application, since the original user is still authenticated.
The prevalence of broken authentication is widespread, Therefore, it is important to take into consideration detecting and exploiting it, either through manual means or automated tools (such as working with password lists and dictionary attacks), may not require advanced technical expertise. That was the case with Aerticket, a Berlin-based airline ticket wholesaler that exposed millions of passengers’ data, including names, credit card numbers and flight data.
The broken authentication vulnerability was found in an email sent to clients with a link to retrieve and download a passenger itinerary receipt. This link ended with an eight-digit number and, since the documents were not protected, simply changing the numbers would give access to other travelers’ tickets, invoices, routes and credit card numbers. Since this flaw has existed since 2011, in theory it could have exposed data from 1.5 million bookings made over the years.
The impact of a broken authentication is directly linked to the context of the affected application, what information it stores and whether the attackers gained access to only a few accounts or admin level access that would compromise the whole system. Depending on the nature of the incident, this could form the basis for cases such as money laundering, social security fraud and identity theft, or disclose legally protected and highly sensitive information.
How Can I Prevent or Fix Broken Authentication?
The first step to solving this issue is confirming an application is actually vulnerable. Using proper security controls that ensure user identity, authentication and session management are critical protections against authentication-related attacks.
For instance, applications should be checked for:
- Lacking protection against brute force attacks (i.e., temporarily blocking an IP that originated a high number of authentication errors in a brief period)
- Poor password policy, allowing weak or well-known passwords and the usage of default admin credentials (i.e., admin/admin or manager/manager)
- An unsecure password recovery process, such as using publicly available information (i.e., home address, date of birth or guessable answers) to confirm user identity
- No use of multi-factor authentication (MFA)
- Exposure of session IDs in the URL (i.e., URL rewriting)
- Not rotating a session ID after a successful login
- Poor session management (i.e., not invalidating sessions IDs or authentications tokens during logout or a after period of inactivity)
Fixing the broken authentication issue is not hard. Starting with the basics, no application should go into a live environment without changing every default password. Another great option is adopting multi-factor authentication; this helps prevent authentication-related attacks, including brute force, credential stuffing or the use of stolen credentials.
Having a good password policy in effect is also important, as this allows for defining an adequate level of password complexity and also the implementation of a regular password rotation. This would help with brute force attacks, and may also prevent the use of stolen credentials.
Password guessing attacks may also be prevented by limiting, blocking or increasingly delaying an originating IP after failed login attempts. Whenever possible, failed login attempts should be logged and, depending on the number of tries by the same origin, administrators should be alerted to take further action.
As pointed out before, proper session management is also very important to avoid broken authentication problems. The best option is using a server-side, secure, built-in session manager that generates a new randomized session ID with high entropy after login. Also, it is important to remember session IDs should never be displayed in the URL; instead, they should be securely stored and invalidated after a user logout (based on an idle timeout).
User identity and authentication are amongst the most basic security concepts that hackers and cybercriminals have continuously tried (often successfully) to abuse. A broken authentication is easy to identify and, with the combination of security-unaware developers and the widespread availability of automated tools, quite simple to exploit. In other words, this issue cannot be ignored when the goal is having a secure web application. There are several options for dealing with authentication-related attacks, from basic security controls such as password policy and account/IP lockout, to advanced solutions such as MFA and session management controls.
One essential protective step is having professionals with responsibilities, such as developing, administering or securing web applications, aware of critical risks. That is where InfoSec Institute can help. Their two-day OWASP Top Ten course offers a balanced mix of attention-getting lectures and hands-on secure coding activities. This Boot Camp training was designed with the sole objective of providing an overview of the ten most critical web application security risks as defined by OWASP. Click the link above to see if the class is right for you.
Millions of German airline passengers’ data exposed to security gaps for years