OWASP Top 10 #2 – Broken Authentication Session Management
Making the network secure can never get enough attention in today’s world. It’s of paramount importance, especially for people working in the field of information technology, to understand the various cyber-attacks possible on web applications and also to find out some possible prevention techniques. Some of the most common attacks include (but are not limited to) SQL injection, broken authentication and session management, cross-site request forgery, cross-site scripting, etc. The one attack that will be looked upon in detail in this article is broken authentication and session management.
Authentication and session management involves giving users specific accesses to data and managing sessions. Even though the importance of authentication should never be underestimated, faulty credential management can cause perfectly authenticated sessions to fail. This the reason why most of the account details management and update functions (forgotten password, password change, and profile update) need to be followed up immediately by re-authentication in order to ensure that the session ID is valid.
These types of attacks normally occur when the server side fails to manage the sessions astutely. For example, a user might have logged out from the website but, because their session was not destroyed at logout, a hacker was able to send in a faulty “change password” request. Here, if there is no re-authentication mechanism used by the developers, the hacker can change the password and proceed with exploiting the vulnerability.
Another easy way to perform the attack is by rewriting a very revealing URL to a website. Take for example:
If this link is shared with somebody by the user and if the session management is not performed flawlessly on the server side by making changes to the session ID above, the hacker can potentially view data that is not meant for them.
How to Minimize/Remove:
- Improve the session management mechanism. This will involve:
- Ensuring short idle and absolute timeouts.
- If a privileged state is to be stored, making sure that the device is trusted.
- Destruction of sessions after logout.
- Rotation of important session identifiers.
- Never allowing session rewriting.
- Logging all session failures.
- Never logging session identifiers.
- Ensure that there are no XSS flaws in the system. These flaws can lead to stealing of session identifiers.
The biggest danger posed by broken authentication and session management in enterprise solutions is that, once discovered by hackers, it can be the cause of many other lethal attacks. Simply put, when a hacker gets aware of the fact that he can trick the system into thinking that they are in fact an authenticated user at the time (and have an ongoing session), then the possibilities become endless for them.
One of the most important repercussion of broken authentication and/or session management can lead to invalidated redirects and forwards. Getting redirected and forwarded from one page to another is a fairly common thing on many websites. In such scenarios, if the destination page is retrieved or stored in an unauthorized parameter, bad things can happen; attackers can cause phishing attacks to redirect users to websites of their choice. Once again, this can occur if authenticated sessions are not timed (and managed) properly.
The simplest attack in this regard could be adding to a URL that contains the parameter that is supposed to redirect the user.
Consider the following URL: http://www.sample.com/redirect.php?url=mybadbadwebsite.com
Many websites still use this technique for redirection and, if the URL parameter is left unauthenticated, the user can in fact get redirected to the bad website.
Another problem can be caused by forwarding. Sometimes, the URL includes a parameter that indicates where the user should be routed upon successful completion of a transaction. If this parameter is changed, the attacker can go right through the access control checks of the applications and access administrative privileges, as in the following URL:
In both of the above cases, if the user session is managed properly via multi-level authentication techniques and rigorous session-timer implementation, the attempts will be rendered useless.
Some of the other ways to prevent such dangerous attacks are:
- The best and probably the least used way to avoid these issues is by completely forbidding the use of redirects and forwards.
- Another easy way to avoid this is by not using the user-submitted or changeable parameters to calculate the destination page.
- If you absolutely need to have the destination parameters in your URL, make sure that they are validated once they reach the back end of your application. This can be done by checking whether the requesting user is actually privileged enough to access the resources that they are asking to access.
Another attack that can occur as a result of poor authentication and session management is the security misconfiguration attack. This attack takes place when the developers falsely or loosely assemble the barriers protecting the safe havens of the web application. Sometimes database administrators or backend coders leave holes in the frameworks of the application and these holes are then exploited by the intruders. Through these holes, the hackers can get right into the system and compromise it, partially or even completely at times. If however, the authentication and/or session management schemes of the system weren’t broken, the second layer of the system could have remained protected.
There are a few specific reasons for these unauthorized accesses to take place. Here are a few:
- Out-of-date software, OS, web server, database management system or any code library.
- Any unused installed feature such as ports, web pages, or user accounts.
- Unaltered passwords of default accounts that were made for testing purposes.
- Disclosure of stack contents upon receiving an error or during error handling routines.
- Misconfiguration in MVC architectures/frameworks, such “Spring” and “Struts” that fail to secure values.
An example scenario in this regard is a vulnerability on a server where the visibility of the directory list is not set to “disabled,” which is the recommended practice. Through this list, the hacker can get a hold of any file by printing out the directory contents. Once they have all the compiled source files, they can reverse-engineer to get the original source code files. The hacker can then find any broken access control situation and exploit it. It should be noted here that a rigorous authentication and session management scheme would have made it impossible for the hacker to perform this.
More information on broken authentication and session management can be retrieved here.
No system can be categorically devoid of vulnerabilities that can be exploited by the sophisticated hackers of the modern world. However, with proper awareness of the most common cyber-attacks and implementation of defense measures, many undesirable events can be prevented. This article walked you through one of the most threatening attacks that can easily be prevented but it’s the need of the hour to be on an endless crusade to improve one’s security IQ. In this regard, the SecurityIQ solution by the INFOSEC institute is a tremendous way to learn all there is to know about cyber-security and how the most deadly attacks can be prevented.