[ OWASPTop10 ] - Broken Authentication Explained


Hey everybody, Demeter here with another OWASPTop10 post, and today we're gonna talk about broken authentication. In the OWASP Top 10 list 2020, broken authentication was actually the number two vulnerability listed.

What is broken authentication?

The essence of broken authentication is that your web application lets a user, or a bad guy posing as one, get in without the proper credentials.

Let's say you have a user on the internet who wants to access your web application, and the application protects access with a username and a password. The user enters his username and password; if they're correct he gets in, and if not he doesn't.

Those usernames and passwords are stored in a database. When the user logs in, the web app makes a call back to this back-end database, and if authentication is successful the user gets a session ID.

Okay, that's important, because the session ID comes up again in this broken authentication discussion. What can happen is that if you haven't built your web application properly, a bad guy can come in and do several nefarious things to try to get access to it.
</grreplace_placeholder_never_used>

Let's say you're a user at a public place, you type your username and password into the web application and you authenticate. You do your thing, then you close the tab, but maybe you don't close the browser completely. That session ID has been saved in the browser, and even if 10 minutes or more go by it is still stored, so whoever next opens that same web application in that browser gets access based on the stored session ID.

All of this falls under the umbrella of broken authentication, because in each of these attacks our web application is allowing a bad guy to get in.

BROKEN AUTHENTICATION EXAMPLES

Credential stuffing: Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. Billions of credentials have been stolen in recent years, and these credentials are now fueling hackers who exploit users' personal information.

Passwords are not properly hashed and salted: For security reasons, passwords should be stored in salted, hashed form rather than as plain text. This guards against the possibility that someone who gains unauthorized access to the database can retrieve the passwords of every user in the system.

Application session timeouts aren't set properly: A user uses a public computer to access an application. Instead of logging out, the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
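The session timeout problem above comes down to the server never expiring an idle session ID. As an added example (not code from the original post), here is a small server-side session store that expires sessions after a period of inactivity and issues a fresh ID at login; the 15-minute idle timeout and the fake clock are assumptions made for the demonstration, and the "public computer" scenario is replayed in `demo_public_computer`.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: 15 minutes of inactivity ends a session


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    last_seen: float      # last request time, used for the idle timeout


class SessionStore:
    """Server-side session store with an idle timeout and ID rotation on login."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so the timeout can be tested
        self._sessions = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: not guessable or enumerable
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self.clock())
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        # Discard whatever ID the browser presented before authentication, so an ID
        # an attacker planted (session fixation) never becomes an authenticated one.
        self._sessions.pop(presented_sid, None)
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, last_seen=self.clock())
        return sid

    def authenticated_user(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if it is missing or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[sid]   # expired: the stored ID is now worthless
            return None
        session.last_seen = now       # activity extends the session
        return session.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so the demonstration does not have to wait an hour."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo_public_computer():
    """Replay the 'closed the tab and walked away' scenario against the store."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock)
    pre_login = store.create_anonymous()
    sid = store.login(pre_login, "alice")
    clock.advance(5 * 60)
    still_in = store.authenticated_user(sid)         # 5 minutes idle: still "alice"
    clock.advance(60 * 60)
    an_hour_later = store.authenticated_user(sid)    # an hour idle: None, expired
    fixation = store.authenticated_user(pre_login)   # pre-login ID was discarded: None
    return still_in, an_hour_later, fixation


if __name__ == "__main__":
    print(demo_public_computer())
```

The two defensive choices are the idle timeout, which makes the stored ID useless to whoever sits down at the computer an hour later, and the rotation in `login`, which means an ID that existed before authentication (the one a session fixation attack relies on) is never the ID that carries the logged-in state.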

How to prevent Broken Authentication

  • Set a password policy for users
  • Don't store user creds in plain text
  • Make sure to set a time-out on the session value
  • Don't expose session IDs in the URL or you will be vulnerable to session fixation attacks
  • Don't send passwords, session IDs, and other credentials over unencrypted connections
  • Always use HTTPS
  • Use Multi-Factor Authentication or some type of token
  • Set a failed-login limit
  • You can also put a Web Application Firewall in front of the application
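Two of the items above, not storing creds in plain text and setting a failed-login limit, are easy to get wrong in small ways, so here they are in working code. This is an added example, not code from the original post: passwords are stored as per-user salted PBKDF2-SHA256 hashes from the standard library, verification uses a constant-time comparison, and an account locks for a period after a number of consecutive failures. The iteration count, lockout threshold, lockout duration, and the fake clock are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: work factor; raise as hardware allows
MAX_FAILED_LOGINS = 5         # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60     # assumption: how long a locked account stays locked


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different stored values, and a precomputed table cannot be reused."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hash used for unknown usernames so the response time does not reveal which
# accounts exist (the password here is a constructed throwaway value).
DUMMY_HASH = hash_password(secrets.token_hex(8))


class FakeClock:
    """Constructed clock so the lockout can be demonstrated without waiting."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._users = {}      # username -> stored hash string
        self._failures = {}   # username -> (consecutive failures, locked_until)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)   # never the plain text

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        Unknown users and wrong passwords both get 'denied', so the reply does
        not confirm which usernames are valid."""
        now = self.clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"          # correct password or not, the account is locked
        stored = self._users.get(username)
        if stored is not None and verify_password(password, stored):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        if stored is None:
            verify_password(password, DUMMY_HASH)   # burn the same time as a real check
        count += 1
        if count >= MAX_FAILED_LOGINS:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


def demo_lockout():
    """Five bad guesses lock the account; the right password works once it unlocks."""
    clock = FakeClock(1_000_000.0)
    auth = Authenticator(clock=clock)
    auth.register("alice", "correct horse battery staple")
    guesses = [auth.login("alice", f"guess{i}") for i in range(MAX_FAILED_LOGINS)]
    right_but_locked = auth.login("alice", "correct horse battery staple")
    clock.advance(LOCKOUT_SECONDS + 1)
    after_unlock = auth.login("alice", "correct horse battery staple")
    return guesses, right_but_locked, after_unlock


if __name__ == "__main__":
    print(demo_lockout())
```

A per-account lockout like this blunts both online guessing and credential stuffing against a single account, but an attacker spreading one guess across many accounts never trips it, which is why the limit is normally paired with per-IP rate limiting, MFA, and the WAF the list mentions.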


So anyway, that's the idea of broken authentication: if your web application allows a lot of these attacks to come in, and they succeed, then you're probably not set up the way you need to be.

The bottom line is that whenever you design and build your web application with all these different components, you need to do it correctly.

So be careful out there with broken authentication; it's a huge vulnerability that's exploited all the time these days.
