Prevent authentication and session management attacks

Broken authentication and session management can expose user data, such as credentials or other sensitive private data, and can let an attacker act as another user, including escalating to a more privileged account.

Broken authentication and session management vulnerabilities

An attack on broken authentication typically starts by taking advantage of poorly managed credentials and login sessions in order to masquerade as an authenticated user. The underlying scenario is usually the following:

A session is the sequence of events and transactions associated with one user over a period of time. Once a user has logged in, the application issues a unique session ID (carried in a cookie, a URL parameter, an authentication token, or similar) that ties subsequent requests to that authenticated session. Many developers fail to set the session parameters correctly (expiry, cookie attributes, rotation at login), which makes it easier for an attacker to capture or guess the session ID and gain unauthorized access. In addition, some developers set no time limits and no rotation of session IDs, which lets an attacker keep impersonating a user who is already logged in.

With companies moving more of their sensitive and valuable data to the cloud, attackers increasingly target web applications. Broken authentication and session management was ranked second (A2:2017-Broken Authentication) in the 2017 OWASP Top 10, since using valid user credentials is the easiest way for an attacker to reach systems they are not entitled to.

Such attacks are also easier and more popular with attackers because these vulnerabilities are often neglected by software companies.

Attackers rely on a number of techniques to steal credentials, guess them, or deceive users into revealing them, including:

  • Phishing: tricking the user into entering credentials (and often one-time codes) on an attacker-controlled page
  • Credential stuffing: replaying username/password pairs leaked from other sites' breaches, which works because users reuse passwords
  • Password spraying: trying a handful of common passwords against many accounts, staying under per-account lockout thresholds

Security assessment

CVSS v3.x vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (base score 4.8, Medium)

Best practices: Prevent broken authentication and session management attacks

Although these weaknesses are well known and highly preventable, broken authentication and session management attacks remain common because software teams ignore them. There are, however, proven practices that organizations can use to reduce the chance of such attacks.

The following are best practices and commonly used tools that help an organization avoid susceptibility to session-management attacks.

Best practices to protect applications

While it is impractical to enumerate and remediate every individual instance of broken authentication, the following minimum security measures form the foundation of sound authentication and session management:

Enable multi-factor authentication

Multi-factor authentication (MFA) makes it harder for an attacker to get into a system by adding at least one more factor to the authentication process. With MFA, users register a second factor, such as an authenticator app on a phone or a biometric, which is then combined with the traditional password login. A stolen or guessed password alone is no longer enough to log in, so MFA blunts phishing, credential stuffing and password spraying, and it can be deployed with limited impact on user experience. One caveat: one-time codes that the user types into a web form can still be phished in real time by a proxying attacker, whereas origin-bound factors such as FIDO2/WebAuthn cannot.
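The phone-based factor described above is usually a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the original page or from any vendor product, showing how a server generates and checks such codes, with two details that a naive implementation gets wrong: bounded tolerance for clock drift, and refusal to accept a code for a time step that has already been used (replay). The secret encoding and drift window are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TIME_STEP = 30      # RFC 6238 default step in seconds (assumed here)
DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step either side of "now" (assumed policy)


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // TIME_STEP)


class TotpVerifier:
    """Server-side second-factor check with drift tolerance and replay protection."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_used_step = -1  # highest time step already accepted for this user

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        t = int(time.time() if at_time is None else at_time)
        current = t // TIME_STEP
        for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
            # A step at or below the last accepted one is a replay: refuse it
            # even if the code itself is arithmetically valid (RFC 6238 s.5.2).
            if step <= self.last_used_step:
                continue
            # Constant-time comparison so a timing side channel does not leak digits.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1) reproduce with this code; for example the six-digit code at Unix time 59 is `287082`. In production the `last_used_step` value must live in persistent per-user storage, and the endpoint that calls `verify` needs the same attempt limiting as the password login, since a six-digit code is brute-forceable without it.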

Implement Strong Password Policies

Select an Identity and Access Management (IAM) solution that helps users create strong, unique passwords. Such platforms reject weak and common passwords and follow the NIST SP 800-63B guidance: a minimum length, no forced composition rules or periodic rotation, and a check of every new password against lists of passwords exposed in breaches. Most trusted IAM solutions also notify administrators when a user's password turns up in a known breach.
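What "follows the NIST guidelines" means in code is concrete: normalize, check length bounds, check a breached-password list, reject context-specific and trivially patterned values, and impose no composition rules. The function below is an added example, not code from the original page or from any IAM product; the breached-password set is a tiny constructed stand-in for a real corpus such as the HIBP Pwned Passwords list, and the context-word rule is an assumed policy.

```python
import unicodedata
from typing import List

# Constructed stand-in for a breached-password corpus (real deployments query
# a list of hundreds of millions of entries, typically via k-anonymity hash prefixes).
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin123",
    "welcome1", "p@ssw0rd", "summer2023", "football",
}

MIN_LENGTH = 8    # SP 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # SP 800-63B: at least 64 characters must be accepted


def normalize(password: str) -> str:
    """NFKC-normalize before measuring or comparing, as SP 800-63B requires,
    so that visually identical Unicode inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(pw: str) -> bool:
    """'aaaaaaaa', 'abcdefgh', '12345678' and their reverses are rejected."""
    lowered = pw.lower()
    if len(set(lowered)) == 1:
        return True
    ords = [ord(c) for c in lowered]
    diffs = {b - a for a, b in zip(ords, ords[1:])}
    return diffs in ({1}, {-1})


def check_password(password: str, context: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    `context` holds strings the user is likely to reuse (username, service name).
    Deliberately no composition rules: they push users toward predictable
    substitutions like 'P@ssw0rd' that the breach list already contains."""
    pw = normalize(password)
    lowered = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in breach corpus")
    if is_repetitive_or_sequential(lowered):
        problems.append("repetitive or sequential")
    for word in context:
        w = word.lower()
        if w and w in lowered:
            problems.append(f"contains context word '{word}'")
    return problems
```

Returning every violation, rather than the first, lets the UI show the user everything wrong at once; the breach-corpus check should be repeated against the stored hash when a new breach list arrives, which is where the administrator notification mentioned above comes from.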

Utilize virtual private networks (VPNs)

VPNs reduce the risk of credentials and session data being captured in transit by encrypting the traffic between the user's device and the VPN endpoint, including personal information, financial transactions and web sessions. A VPN also conceals the client's IP address from the services it reaches. If an attacker sits on the path (for example on a hostile Wi-Fi network) and attempts a man-in-the-middle attack, the tunnel keeps the traffic unreadable. The caveat is that a VPN protects only the hop it covers and nothing beyond the VPN endpoint: the application must still serve every page over TLS and mark session cookies Secure, and a VPN does nothing against phishing, credential stuffing, or session fixation.

Use a web application firewall (WAF)

A web application firewall (WAF) bolsters application security by blocking requests from known-malicious IP addresses and by inspecting HTTP traffic for attack patterns. WAFs are highly customizable, so teams can create site-specific rules, for example rate limits on the login endpoint. A WAF is typically deployed as a reverse proxy in front of the application, where it inspects every HTTP request and response (it works at the application layer, not on individual packets) and drops traffic that would compromise the system.

Limit failed login attempts

Brute-force and credential-stuffing attacks depend on the attacker being able to make a large number of login attempts without being noticed. To defeat them, the authentication system or IAM platform must flag this behaviour and limit the number of attempts: throttle or temporarily lock an account after a small number of consecutive failures, rate-limit by source address, and alert when one source tries many different accounts, which is the signature of password spraying.
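The two halves of this control, detecting the pattern in authentication logs and enforcing a limit at the login endpoint, are shown together below. This is an added example, not code from the original page or from any IAM product; the log format and the sample lines are constructed for the example, and the thresholds (5 failures or 5 distinct accounts within 300 seconds, 15-minute lockout) are assumed policy values.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not from a real system): six failures
# against one account from one source (brute force), one source failing against
# five different accounts (password spraying), and a user who mistypes once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:00:05Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:00:07Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:00:09Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:00:11Z auth result=fail user=alice src=203.0.113.5
2024-03-01T10:01:00Z auth result=fail user=bob src=198.51.100.7
2024-03-01T10:01:02Z auth result=fail user=carol src=198.51.100.7
2024-03-01T10:01:04Z auth result=fail user=dave src=198.51.100.7
2024-03-01T10:01:06Z auth result=fail user=erin src=198.51.100.7
2024-03-01T10:01:08Z auth result=fail user=frank src=198.51.100.7
2024-03-01T10:01:10Z auth result=success user=grace src=198.51.100.7
2024-03-01T10:05:00Z auth result=fail user=heidi src=192.0.2.9
2024-03-01T10:05:30Z auth result=success user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth result=(\w+) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed format into (epoch_seconds, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated log lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=300, per_account=5, spray_accounts=5):
    """Return (brute_forced_accounts, spraying_sources) using sliding windows.
    Brute force: one account accumulates `per_account` failures within `window` s.
    Spraying: one source fails against `spray_accounts` distinct accounts within
    `window` s, which per-account lockout alone never notices."""
    by_user = defaultdict(list)  # user -> [ts]
    by_src = defaultdict(list)   # src  -> [(ts, user)]
    for ts, result, user, src in events:
        if result == "fail":
            by_user[user].append(ts)
            by_src[src].append((ts, user))
    brute = set()
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 < window) >= per_account:
                brute.add(user)
                break
    spray = set()
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            if len({u for t, u in items[i:] if t - t0 < window}) >= spray_accounts:
                spray.add(src)
                break
    return brute, spray


class LoginLimiter:
    """Per-account sliding-window lockout, consulted before the password is
    checked, so that probing a locked account gives the attacker no signal."""

    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)  # user -> recent failure timestamps
        self.locked_until = {}             # user -> epoch seconds

    def allow(self, user, now):
        """False while the account is locked out."""
        return now >= self.locked_until.get(user, 0)

    def record_failure(self, user, now):
        """Record a failed attempt; True if this one triggered a lockout."""
        recent = [t for t in self.failures[user] if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user):
        """A genuine login clears the failure history."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)
```

Note the trade-off in `LoginLimiter`: a hard per-account lockout can itself be abused to lock legitimate users out, so production systems pair it with per-source rate limits, increasing delays, and a step-up challenge rather than an indefinite lock, and the spraying detector is what catches the attacker who deliberately stays under the per-account threshold.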

Secure session access

Developers and security teams should tailor session lifetime and parameters to the organization's use case. A streaming video service, for instance, can keep sessions alive for a week so that users do not have to authenticate on every visit. A banking app, on the other hand, should end the session as soon as the customer logs out or closes the app, and expire it after a short period of inactivity, because those sessions are far more valuable to hijack.

Session IDs should also be rotated regularly, and always at login and on any change of privilege, and invalidated on logout and on expiry; issuing a fresh ID at login is what defeats session fixation, where an attacker plants a known ID in the victim's browser before they log in. Session IDs must never be exposed in the URL (for example through URL rewriting), where they end up in server logs, browser history, bookmarks, and the Referer header.
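The session mechanics described at the start of this page and the rules in this section (unguessable IDs, idle and absolute timeouts, rotation at login, server-side invalidation, safe cookie attributes, no IDs in URLs) fit in one small server-side store. The code below is an added example, not code from the original page or from any framework; the timeout values, cookie name and the list of session parameter names are assumptions for the example.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on lifetime regardless of activity (assumed)


class Session:
    __slots__ = ("user", "created", "last_seen")

    def __init__(self, user: Optional[str], now: float):
        self.user, self.created, self.last_seen = user, now, now


class SessionStore:
    """Server-side session table keyed by an unguessable ID."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_timeout: float = ABSOLUTE_TIMEOUT):
        self.sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    @staticmethod
    def new_id() -> str:
        # 256 bits from the OS CSPRNG; never derived from time, user ID or a counter.
        return secrets.token_urlsafe(32)

    def start_anonymous(self, now: float) -> str:
        """Pre-login session (shopping cart, CSRF token, and so on)."""
        sid = self.new_id()
        self.sessions[sid] = Session(None, now)
        return sid

    def login(self, presented_sid: Optional[str], user: str, now: float) -> str:
        """On successful authentication, discard whatever ID the client presented
        (an attacker may have planted it: session fixation) and issue a fresh one."""
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        sid = self.new_id()
        self.sessions[sid] = Session(user, now)
        return sid

    def resolve(self, sid: str, now: float) -> Optional[str]:
        """Return the user bound to a live session, or None. Expired entries are
        deleted so a stale ID can never be revived."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie in the browser alone is not enough."""
        self.sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int) -> str:
    """Set-Cookie line for the session ID. The __Host- prefix requires Secure,
    Path=/ and no Domain attribute, so a sibling subdomain cannot overwrite it;
    HttpOnly keeps it away from script; SameSite=Lax blocks most cross-site sends."""
    return (f"Set-Cookie: __Host-session={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


# Assumed list of parameter names that frameworks use for URL-rewritten session IDs.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "sessionid", "sid", "session_id"}


def leaks_session_in_url(url: str) -> bool:
    """Review/test helper: flag URLs that carry a session ID via URL rewriting,
    either as a query parameter or as a ;jsessionid= path parameter."""
    parts = urlsplit(url)  # urlsplit keeps ';params' inside the path, urlparse would not
    if ";jsessionid=" in parts.path.lower():
        return True
    return any(k.lower() in SESSION_PARAM_NAMES for k in parse_qs(parts.query))
```

Two points worth noticing: `login` never reuses the pre-authentication ID, which is the whole defence against fixation, and `resolve` enforces both timeouts, so a session that is kept alive by an attacker replaying requests still dies at the absolute limit. The banking-style values above would be replaced by much longer ones for the streaming-service case described in the text.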