{"id":10112,"date":"2019-02-06T07:34:34","date_gmt":"2019-02-06T07:34:34","guid":{"rendered":"http:\/\/www.esds.co.in\/blog\/?p=10112"},"modified":"2020-01-07T06:24:19","modified_gmt":"2020-01-07T06:24:19","slug":"what-do-you-know-about-broken-authentication-and-session-breach","status":"publish","type":"post","link":"https:\/\/www.esds.co.in\/blog\/what-do-you-know-about-broken-authentication-and-session-breach\/","title":{"rendered":"WHAT DO YOU KNOW ABOUT BROKEN AUTHENTICATION AND SESSION BREACH?"},"content":{"rendered":"\n<p style=\"text-align: justify;\">As we are covering the <strong>OWASP top 10 vulnerabilities<\/strong>, broken authentication is one of them. Broken authentication means a flaw in the authentication procedure of a web application. Session management is the set of rules that governs the interactions between a web application and its end users. A web session is a transactional chain of HTTP requests and responses exchanged between the client and a server. HTTP\/HTTPS is the protocol used for communication between the website and the browser.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/mtvscan.com\/blog\/wp-content\/uploads\/2019\/02\/642483-636548943784221705-16x9-1.jpg\" alt=\"\" class=\"wp-image-364\"\/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify;\">In broken authentication, attackers look for weaknesses that let them bypass or hijack the authentication functions.<\/p>\n\n\n\n<p><em>An authentication breach can happen in the following ways \u2013<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Predictable login credentials.<\/li><li>Session IDs exposed in the URL (e.g., URL rewriting).<\/li><li>Session IDs vulnerable to fixation attacks.<\/li><li>Unprotected user authentication credentials.<\/li><li>Session IDs, passwords, and other credentials sent over unprotected and unencrypted 
connections.<\/li><li>Session IDs that are not rotated after a successful login.<\/li><li>Session values that are not destroyed or invalidated after logout.<\/li><\/ul>\n\n\n\n<p style=\"text-align: justify;\">Such attacks aim to gain access to one or more accounts and to all the privileges of the attacked user. With those privileges, the attacker can do whatever that user can do.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">EXAMPLES OF AUTHENTICATION AND SESSION BREACHES<\/h3>\n\n\n\n<p><strong>Example #1: Predictable login credentials<\/strong><\/p>\n\n\n\n<p style=\"text-align: justify;\">It is common sense not to choose usernames and passwords so simple that anyone can guess them. Credentials should not be ones that are in very frequent use, because attackers can obtain those with ease. Always use strong credentials.<\/p>\n\n\n\n<p><strong>Example #2: URL rewriting in exposed sessions<\/strong><\/p>\n\n\n\n<p style=\"text-align: justify;\">Consider a web application through which you book your travel reservations. Sites where we enter personal data are easy targets when the application rewrites URLs to carry the session ID, because anyone who obtains the URL also obtains the session. <em>Check this \u2013<\/em><\/p>\n\n\n\n<p><a href=\"http:\/\/travelsite.com\/ticketbooking\/premium_ticket;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=hyderabad\">http:\/\/travelsite.com\/ticketbooking\/premium_ticket;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=hyderabad<\/a><\/p>\n\n\n\n<p style=\"text-align: justify;\">An authenticated user of this site is booking a ticket. He wants to let his friends know about the ticket confirmation, so he sends them this link, not realising that he is also sending his session ID. When those friends open the same link, they can use his session, and with it his credit card.<\/p>\n\n\n\n<p><strong>Example #3: Non-hashed and non-salted passwords<\/strong><\/p>\n\n\n\n<p style=\"text-align: justify;\">Sometimes passwords are stored without being properly hashed and salted, which lets an attacker who gains access to the database recover them. Salting and properly hashing stored passwords is essential; otherwise every user\u2019s credentials are at stake.<\/p>\n\n\n\n<p><strong>Example #4: Not setting the application\u2019s timeout properly<\/strong><\/p>\n\n\n\n<p style=\"text-align: justify;\">Consider that you use a public computer, an internet caf\u00e9 machine, or a friend\u2019s or colleague\u2019s computer to access a website or make a transaction. After finishing, you forget to click the logout button and simply close the browser. An attacker who uses the same browser some time later gets what? An authenticated account with all its details, and he can even look through the past sessions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"TIPS_TO_PREVENT_BROKEN_AUTHENTICATION_AND_SESSION_BREACHES\"><\/span>TIPS TO PREVENT BROKEN AUTHENTICATION AND SESSION BREACHES<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Password complexity \u2013 It is a no-brainer that passwords should always combine alphanumeric and special characters. Always choose a complex password.<\/li><li>Password length \u2013 A password should be at least eight (8) characters long. Complexity and length go hand in hand; together they make a robust password.<\/li><li>Preventing brute-force logins \u2013 The web application must have a mechanism that disables the user account after a set number of invalid login attempts, such as three or five. After that number of attempts, the account should be deactivated for a reasonable period of time.<\/li><li>Username and password enumeration \u2013 If authentication fails, a generic response should be returned instead of specifying exactly what is wrong. Although this slightly hampers usability, it safeguards against enumeration attacks.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MANAGING_SESSIONS\"><\/span>MANAGING SESSIONS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Don\u2019t show the session ID in the URL \u2013 Session IDs should be kept hidden and never placed in the URL; otherwise they can leak through URL rewriting.<\/li><li>Protect the credentials \u2013 Users\u2019 authentication credentials should be encrypted in transit and salted and hashed when stored.<\/li><li>Renew session IDs \u2013 Session IDs should be regenerated after a successful login.<\/li><li>Destroy session IDs after timeout or logout \u2013 Authentication tokens and sessions should be destroyed entirely after the user logs out or the session times out.<\/li><li>Beware of unencrypted networks \u2013 Sensitive data such as session IDs, passwords, and similar credentials should not be sent over unsafe, unencrypted networks or connections.<\/li><\/ul>\n\n\n\n<p style=\"text-align: justify;\">If you wish to stay protected from such attacks, <a href=\"https:\/\/esds.co.in\/security\/vtmscan\"><strong>ESDS VTMScan<\/strong><\/a> is one of the best web application scanners available.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we are covering the OWASP top 10 vulnerabilities, broken authentication is one of them. Broken authentication means a flaw in the authentication procedure of a web application. Session management is the set of rules that governs the interactions between a web application and its end users. 
A web session is actually a transactional chain of HTTP commands and&#8230; <\/p>\n<div class=\"clear\"><\/div>\n<p><a href=\"https:\/\/www.esds.co.in\/blog\/what-do-you-know-about-broken-authentication-and-session-breach\/\" class=\"gdlr-button small excerpt-read-more\">Read More<\/a><\/p>\n","protected":false},"author":81,"featured_media":10125,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1271],"tags":[1907,1943,1910,1911,1945,1944],"class_list":["post-10112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-2","tag-cyber-attacks","tag-esds-vtmscan-vulnerability-scanner","tag-features-of-esds-vtmscan","tag-freescan-owasp-audit","tag-phishing-attacks","tag-website-secure"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/users\/81"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/comments?post=10112"}],"version-history":[{"count":2,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10112\/revisions"}],"predecessor-version":[{"id":11124,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/posts\/10112\/revisions\/11124"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media\/10125"}],"wp:attachment":[{"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/media?parent=10112"}],"wp:term":[{"taxonomy"
:"category","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/categories?post=10112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esds.co.in\/blog\/wp-json\/wp\/v2\/tags?post=10112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}