About
Seventh most critical vulnerability on OWASP Top 10 list.
Last updated
Identification and Authentication failures, also known as Broken Authentication, are the seventh most critical vulnerability in the OWASP Top 10 list. Simply put, this weakness allows an attacker to steal a user's login data, or to forge session data (such as cookies), in order to gain unauthorized access to the website.
Many websites require users to log in to access their accounts, make a purchase, etc. Commonly this is done with a username and password. Once these are verified, the site assigns and sends each logged-in visitor a unique session ID that serves as the key to the user's identity on the server. The visitor's device then presents that session ID as proof of identity for the rest of the login session.
User authentication[1] – the process of ensuring only authorized users have access to controlled data and functionality – is the fundamental base of web and application security. If the login functionality of an application can be subverted, captured, or bypassed in some way, this is referred to as broken authentication.
This vulnerability covers any weaknesses in the authentication/session management methodology. Attackers can exploit it by using automated tools with password lists and dictionary attacks. Attacks aim to take over one or more accounts in the system, giving the intruder the same privileges as the attacked user or, in the worst case, full control of the system. This can result in an attacker impersonating a valid user, giving them access to an account and/or data that they otherwise shouldn’t be authorized to view.
Broken authentication typically occurs due to the issues with the applications’ authentication mechanism caused by improper implementation of authentication and session management functions. The matters that lead to authentication mechanisms breaking or being bypassed range from simple to highly technical. However, these vulnerabilities are preventable with good practice and by incorporating security thinking into design processes.
[1] Note: Authentication is not the same as authorization!
Because of how identity and access controls are commonly designed and implemented, broken authentication is widespread. It is not one technical bug but a collection of them, any of which can let an attacker bypass authentication.
Manual penetration testing is the method used to check web applications for this vulnerability.
There are a variety of common contributing risk factors, such as:
predictable login credentials, such as default, weak or well-known passwords (e.g., admin/admin or Password1);
inadequate or insufficient credential recovery and forgot-password processes, such as »knowledge-based answers«;
user authentication credentials that are not protected when stored;
sessions that remain active for too long, or that do not correctly time out or invalidate session IDs after logout;
session IDs exposed in the URL (e.g., URL rewriting);
session IDs vulnerable to session fixation attacks;
session IDs that are not rotated after successful login;
passwords, session IDs, and other credentials sent over unencrypted connections;
missing or ineffective multi-factor authentication;
different responses for different failure cases (e.g., "the user doesn't exist"), which allow account enumeration;
failure to deny automated attacks (e.g., brute-forcing, credential stuffing);
etc.
The impact of broken authentication is bypassing authentication.
Severity depends on what kind of account is compromised (admin or basic user), what actions that user can perform, and what sensitive data is accessible. Attackers only have to gain access to a few accounts, or to a single admin account, to compromise the system. Depending on the domain of the application, this may result in identity theft, social security fraud, disclosure of legally protected highly sensitive information, or money laundering.
Sector                  Frequency   Percent
Public Sector           108         72%
Private Sector          42          28%
Total number of tests   150         100%

Table 1: frequency analysis of sector-wise exploitation.
There are clear and easy solutions to prevent your site from being affected by this vulnerability. Incorporating security thinking into your development and application configuration processes is vital. The following techniques are recommended:
Where possible, implement multi-factor authentication[1] to prevent automated attacks, credential stuffing, brute force, and stolen-session reuse. Also, avoid designing your own authentication scheme: there are widely used libraries and third-party services that will probably offer better authentication than a custom one.
Do not ship or deploy with any default credentials, particularly for admin users, and store passwords only in hashed form (e.g., using the bcrypt, scrypt, or Argon2 hashing algorithms).
Make sure you understand user-profiles and make consistent decisions about which profiles should be able to access which things. When designating user permissions, only provide administrator-level grants to users that explicitly require them.
Ensure users have sufficiently strong passwords by validating them at creation time, thereby preventing weak and default passwords. A minimum password length, required special characters, and weak-password checks (such as testing new or changed passwords against a list of the top 10000 worst passwords) are a great way to increase protection. Align password length, complexity, and rotation policies with NIST 800-63B's guidelines or other modern, evidence-based password policies.
Implement a strong credential recovery process: ensure that user registration, credential recovery, and API pathways are hardened against account enumeration attacks[2] by returning the same message for all outcomes.
Limit or increasingly delay failed login attempts, log all failures, and alert administrators when credential stuffing, brute force, or other attacks are detected. These types of attacks can be prevented with account lockout after a defined number of incorrect password attempts, and with a CAPTCHA.[3]
Provide only one login point for users. The more entry points an application has, the more difficult it is to secure.
Use best practices for session management: use a server-side, secure, built-in session manager that generates a new random and unpredictable session ID with high entropy after every login. Session IDs should be securely stored and invalidated after logout and after idle and absolute timeouts, and they should never appear in the URL.
To prevent man-in-the-middle attacks on your site's sessions, it is important to encrypt data in transit using an SSL/TLS certificate.[4]
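The three recommendations above (password validation against a weak-password list, a single generic failure message so that usernames cannot be enumerated, and escalating delays with lockout and alerting on repeated failures) fit together in one login path. The following is an added example written for this page, not code from OWASP or any of the cited sources; the weak-password list, the thresholds (5 failures, 15-minute lockout), the `AuthService`/`Account` names and the log format are all assumptions, and scrypt from the Python standard library stands in for the bcrypt/scrypt/Argon2 choice the page mentions.

```python
import hashlib
import hmac
import logging
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the "top 10000 worst passwords" list the page refers to.
WORST_PASSWORDS = {"password", "password1", "password123", "admin", "123456", "qwerty"}
MIN_LENGTH = 8                  # NIST 800-63B minimum for user-chosen secrets
MAX_FAILURES = 5                # hypothetical lockout threshold
LOCKOUT_SECONDS = 15 * 60       # hypothetical lockout duration
GENERIC_FAILURE = "Invalid username or password."   # identical for every failure case

log = logging.getLogger("auth")


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WORST_PASSWORDS:
        problems.append("appears in the weak-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; returns (salt, digest). Only the pair is ever stored, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # earliest time another attempt will be evaluated


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)      # what an admin would be paged with
    clock: Callable[[], float] = time.time               # injectable so tests need not sleep

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, client_ip: str) -> Tuple[bool, str]:
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Unknown user: still pay the hashing cost so response time does not reveal
            # whether the username exists, and return the same generic message.
            hash_password(password, b"\x00" * 16)
            log.warning("login failure user=%s ip=%s reason=unknown-user", username, client_ip)
            return False, GENERIC_FAILURE
        if now < account.next_allowed:
            # Throttled or locked out: refuse without evaluating the password at all.
            log.warning("login refused user=%s ip=%s reason=throttled", username, client_ip)
            return False, GENERIC_FAILURE
        _, digest = hash_password(password, account.salt)
        if hmac.compare_digest(digest, account.digest):   # constant-time comparison
            account.failures = 0
            return True, "OK"
        account.failures += 1
        log.warning("login failure user=%s ip=%s failures=%d", username, client_ip, account.failures)
        if account.failures >= MAX_FAILURES:
            account.next_allowed = now + LOCKOUT_SECONDS
            self.alerts.append(f"possible brute force on {username} from {client_ip}")
        else:
            # Escalating delay: 1s, 2s, 4s, 8s ... before the next attempt is evaluated.
            account.next_allowed = now + float(2 ** (account.failures - 1))
        return False, GENERIC_FAILURE
```

Note that the unknown-user branch, the throttled branch and the wrong-password branch all return the identical `GENERIC_FAILURE` string; the distinguishing detail goes into the server-side log, where it is useful to defenders and invisible to the client.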
For sensitive data and admin users, allow access to resources through a VPN (virtual private network), which enables users to send and receive data across shared or public networks privately.
Implement a web application firewall (WAF), designed to scan and filter all incoming traffic to a website.
Blacklist IPs with detected suspicious activity.
Use the Have I Been Pwned (HIBP) API to identify and reject any submitted username/password combinations that have appeared in data breaches, and regularly check passwords against the passwords obtained in such breaches.
[1] Multi-factor authentication is a security system that requires more than one method of authentication, from independent categories of credentials, to verify a user's identity for a login or other transaction. However, even two-factor authentication can be bypassed (more about it: https://www.pandasecurity.com/mediacenter/security/two-factor-authentication/).
[2] A user enumeration attack is the process of checking a list of usernames against an application to find out which ones are valid. If the application delivers different messages or URLs for different cases (such as when the username does not exist versus when the username exists but the password is wrong), it is vulnerable to account enumeration.
[3] A CAPTCHA is a program that distinguishes between humans and computers by presenting tests that are difficult for computers to pass.
[4] SSL (Secure Sockets Layer) refers to the certificate and protocol that encrypt information sent between a web server and a web browser.
There are numerous approaches to bypass authentication. The five most prevalent types of Broken Authentication & Session Management exploitation techniques are addressed below.
a) Session Misconfiguration Attack
Session misconfiguration is one of the most critical areas of the Broken Authentication vulnerability. Session duration is one of the most significant factors in sustaining a secure authentication process. Suppose the developer sets the session duration parameter to a large span. In that case, the session remains active for that whole period if the user did not log off their account as instructed. Hence an attacker can re-establish and reuse that session, which leads to Broken Authentication.
b) Cracking or Guessing Weak Passwords
Due to a lack of awareness about password management, some users keep their password in a default or generic form (e.g., admin, password, password123, admin1997, etc.). These are easy to guess, so an attacker can gain access to the system through an automated process of cracking or guessing users' weak passwords. With credential stuffing, an attacker automatically injects breached username/password pairs into a website to gain control over accounts. A brute-force attack is an activity involving continuous attempts at various password combinations to break into a website: attackers submit many passwords or passphrases, automate the process, and systematically check all potential passwords and passphrases until they find the right one.
c) Exploiting Authentication Problems
If the conditional queries that check a submitted username and password against the user database are not handled accurately, an intruder can exploit them to gain access to the system without proper authentication.
d) Decoding Inadequate Encryption
If privacy measures are not properly handled, an attacker can steal the session ID by exploiting security flaws such as the system disclosing the session ID in the URL. Once attackers hold a valid session ID, they can use it to get into the system.
e) Other Vulnerabilities
Forgotten-password functionality, relying on the IP address for the session, emailing user credentials, not authenticating a user before changing the password, and not having adequate timeouts for inactive sessions are further common causes of Broken Authentication.
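Both the session-management recommendation in the prevention list (high-entropy IDs, rotation on login, invalidation on logout and on idle/absolute timeouts, no IDs in URLs) and the session misconfiguration scenario just described come down to the same server-side store. The block below is an added example written for this page, not code from any of the cited sources or from a specific framework; the timeout values, the `SessionManager` and `Session` names and the cookie name are assumptions. Its only "misconfiguration" knob is `ABSOLUTE_TIMEOUT`: with that set very large, a session an active user never logs out of would stay reusable indefinitely, which is exactly the scenario above.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60            # hypothetical: seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # hypothetical: hard cap on lifetime regardless of activity


@dataclass
class Session:
    user: Optional[str]   # None = anonymous pre-login session
    created: float
    last_seen: float


class SessionManager:
    """Server-side session store keyed by a random, high-entropy ID."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock            # injectable so tests can advance time
        self.store: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes (256 bits) from the OS CSPRNG: not sequential, not guessable.
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Anonymous session handed out before login (e.g. for a shopping cart)."""
        now = self.clock()
        sid = self._new_id()
        self.store[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Return the live session for sid, or None (dropping it) if unknown or expired."""
        session = self.store.get(sid)
        if session is None:
            return None
        now = self.clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT
        absolute_expired = now - session.created > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self.store[sid]       # expiry is enforced server-side, not trusted to the client
            return None
        session.last_seen = now
        return session

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID at the privilege change so a pre-login ID planted by a third party
        (session fixation) never becomes an authenticated session."""
        now = self.clock()
        self.store.pop(old_sid, None)
        sid = self._new_id()
        self.store[sid] = Session(user=user, created=now, last_seen=now)
        return sid

    def logout(self, sid: str) -> None:
        # Invalidate on the server; merely clearing the browser cookie would leave the ID usable.
        self.store.pop(sid, None)

    @staticmethod
    def cookie_header(sid: str) -> str:
        # The ID travels in a cookie, never in the URL (no referer leaks, no log/bookmark exposure);
        # Secure keeps it off plaintext connections and HttpOnly keeps it away from page scripts.
        return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

The two timeouts are deliberately independent: the idle timeout catches the abandoned browser, while the absolute timeout bounds how long a stolen-but-actively-replayed session remains valid even if the attacker keeps it "alive".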
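Credential stuffing and brute force leave distinct traces in an authentication log, and the prevention list earlier asks for exactly this kind of detection ("log all failures, and alert administrators when credential stuffing, brute force, or other attacks are detected"). The following detection pass over constructed log lines is an added example written for this page, not code from any cited source; the log line format, the IP addresses (documentation ranges), the usernames and the thresholds are all assumptions. It generalises the two patterns in the text: one source failing against many different accounts (stuffing), one account accumulating many failures (brute force), and a success from a source already flagged for stuffing (a likely compromised account).

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, not real traffic. 203.0.113.5 tries six different accounts
# and gets into one; 198.51.100.7 hammers "admin"; 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-01-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-01-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-01-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-01-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-01-01T10:00:04Z ip=203.0.113.5 user=frank result=OK
2024-01-01T10:01:00Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:01:01Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:01:02Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:01:03Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:01:04Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:01:05Z ip=198.51.100.7 user=admin result=FAIL
2024-01-01T10:05:00Z ip=192.0.2.9 user=alice result=FAIL
2024-01-01T10:05:30Z ip=192.0.2.9 user=alice result=OK
this line is malformed and must be skipped
"""

# Hypothetical line format: ISO timestamp, then ip=, user= and result= fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn the log into a list of event dicts, ignoring lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events: List[Dict[str, str]],
           stuffing_users: int = 5,
           brute_force_fails: int = 6) -> Dict[str, list]:
    """Aggregate failures two ways and flag the patterns described in the text.
    A real detector would also window by time; this version treats the input as one window."""
    users_per_ip: Dict[str, set] = defaultdict(set)   # distinct accounts each source failed against
    fails_per_user: Counter = Counter()                # total failures each account absorbed
    for e in events:
        if e["result"] == "FAIL":
            users_per_ip[e["ip"]].add(e["user"])
            fails_per_user[e["user"]] += 1

    stuffing_ips = [ip for ip, users in users_per_ip.items() if len(users) >= stuffing_users]
    brute_forced = [user for user, n in fails_per_user.items() if n >= brute_force_fails]
    # A success from a source already spraying credentials is the one an admin must act on first.
    suspicious: List[Tuple[str, str]] = [
        (e["ip"], e["user"]) for e in events
        if e["result"] == "OK" and e["ip"] in stuffing_ips
    ]
    return {
        "credential_stuffing": stuffing_ips,
        "brute_force": brute_forced,
        "suspicious_success": suspicious,
    }


if __name__ == "__main__":
    for kind, hits in detect(parse(SAMPLE_LOG)).items():
        print(f"{kind}: {hits}")
```

The two counters answer different questions on purpose: per-IP distinct usernames is what separates stuffing from a legitimate user retrying, and per-user failures across all sources is what still catches a distributed brute force that rotates IPs.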
Department of Revenue Hack: A hacker was reported to have stolen 387,999 credit card numbers and 3.6 million Social Security numbers from the South Carolina Department of Revenue. The first breach, in 2012, stemmed from a default password set in the authentication layer. In addition, the lack of encryption on some sensitive data fields, including the social security numbers, increased the impact of this incident. The IRS was hacked again in 2015, exposing the social security numbers, addresses and incomes of more than 700,000 people. This information was then used to obtain transcripts of the victims, resulting in more exposed data. Even though in the first instance credit card data was encrypted, social security numbers and other personally identifiable data were not. The direct consequence of this incident was exposure to identity fraud.
In 2015, Pakistani hackers defaced more than 180 websites in Bangladesh that had Broken Authentication issues. The vulnerabilities exploited by the Pakistani hackers were Broken Authentication on 63% of the sites, SQL injection on 26%, and other exploits on 11% of the web applications.
Uber failed to rate-limit the https://biz.uber.com/confirm endpoint, which would have allowed an attacker to brute-force business accounts and take rides on their behalf. Again in 2017, a hacker discovered a bug that permitted anyone with an email account (and the skills) to reset other people's passwords.
In July 2018, the health and fitness app 8fit experienced a data breach. In February 2019, the data appeared for sale on a dark web marketplace and included over 15M unique email addresses alongside names, genders, IP addresses, and passwords stored as bcrypt hashes.
In 2018, Chegg, Dubsmash, EyeEm, Houzz and MyFitnessPal also suffered data breaches that affected millions of users.
____________________________________________________________________________________________
References:
[1] OWASP
[2] immuniweb
[3] sitelock
[4] Broken Authentication and Session Management Vulnerability: A Case Study Of Web Application
[5] code-maze
[6] hdivsecurity
[7] kiuwan
[8] cyberops