Understanding the OWASP: Broken Authentication & Session Management

At Appknox, our efforts have gone towards educating our customers and other business owners about the common threats that exist, so that they can prepare themselves better. Hence, we started a series of articles based on the OWASP Top 10 Project, which outlines the ten most commonly found and most easily exploited threats in mobile applications.

Last week we explained Injection, the most exploited threat among the OWASP Top 10. Today, we discuss the next one: Broken Authentication & Session Management.

What is OWASP Top 10?

OWASP Top 10 is a documented record which gets updated regularly in order to promote awareness among developers about web application security. It focuses on key areas which pose the maximum threat to web applications based on the consensus gathered from an international community of security experts. 

Commonly referred to as an 'awareness document', the OWASP Top 10 is praised by cybersecurity experts from all over the world. Most of them suggest that its recommendations should be incorporated into the organization's security strategy so as to stay safe from the prevailing security risks. 

What is a Broken Authentication and Session Management Attack?

In simple words, Broken Authentication and Session Management attacks are attacks carried out by anonymous parties with the intention of retrieving passwords, user account information, IDs and other details.

How Can This Affect You?

A simple example is the Starbucks hack that left millions of usernames and passwords exposed. We did a similar hack on Ola Cabs as well, a large cab aggregator company in India. We could thereby retrieve usernames and passwords of users and use their accounts to log in to the app.

Are You Vulnerable to a Broken Authentication & Session Management Attack?

Basically, you are supposed to keep all your session- and authentication-related information protected.

You might be vulnerable if you meet one or more of the following conditions:

  • User authentication credentials aren't protected with hashing or encryption when stored.
  • Account credentials are weakly managed, making them easy to guess or overwrite through account management functions (e.g., account creation, change password, recover password, weak session IDs).
  • Session IDs are exposed in the URL, do not have timeouts, or authentication tokens are not properly invalidated during logout.
  • Passwords, session IDs, and other credentials are sent over unencrypted connections.

These are just some scenarios that we have commonly found. There are many other reasons why you might be vulnerable to this attack.


How Can You Prevent a Broken Authentication and Session Management Attack?

There are numerous things developers can do to help prevent these attacks, some of which include session expiration, login expiration and other strategies that help safeguard the user. The reason why so many attacks occur is that most developers ignore these basic security measures.

Every organization should provide its developers with a single set of strong authentication and session management controls. A simple interface should also be provided to developers to emulate and test different cases. On top of that, efforts should be made to avoid XSS flaws, which can be used to steal session IDs.

When it comes to preventing broken authentication and session management attacks, a number of simple but effective steps prove really handy.

  • By using SSL Certificates:

In order to avoid session management attacks, the first step to consider is encrypting data in transit using trusted SSL (Secure Sockets Layer) certificates. The digital certificate enables encryption of the data flowing between the browser and the server, preventing man-in-the-middle attacks.

  • By using VPNs: 

Another way to prevent session management attacks and broken authentication is to use VPNs (Virtual Private Networks). As VPNs let users transfer data over networks privately, they can be very effective at avoiding traditional security threats.

  • By using a Web Application Firewall (WAF): 

Web Application Firewalls are specially designed to filter all incoming website traffic. As a result, a WAF filters out malicious requests and effectively prevents hackers from infiltrating your systems or forging session IDs.

  • By using strong passwords: 

Last but not least, using strong passwords comes in really handy for avoiding brute force attacks. It's always good practice to use strong passwords made of a mix of numbers, special characters and letters.
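As an added illustration (not code from the original post or from Appknox), here is a minimal Python session manager that addresses the vulnerable conditions listed earlier: passwords are stored only as salted PBKDF2 hashes, session IDs are long random tokens kept in a cookie rather than the URL, sessions expire on idle and absolute timeouts, and logout invalidates the session server-side. The dictionaries standing in for a database and the timeout values are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}       # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}    # session id -> {"user": str, "created": float, "last_seen": float}
ITERATIONS = 600_000         # PBKDF2-HMAC-SHA256 work factor
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime regardless of activity

def register(username, password):
    """Store only a salted, slow hash; the plaintext password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}

def login(username, password, now=None):
    """Return a fresh, unguessable session id on success, None otherwise."""
    now = time.time() if now is None else now
    rec = USERS.get(username)
    # Run the KDF even for unknown users so response time does not reveal
    # whether an account exists.
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if rec is None or not hmac.compare_digest(digest, rec["hash"]):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not a counter
    SESSIONS[sid] = {"user": username, "created": now, "last_seen": now}
    return sid

def current_user(sid, now=None):
    """Resolve a session id to a username, enforcing both timeouts."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
        SESSIONS.pop(sid, None)  # expired: drop it server-side, do not just hide it
        return None
    s["last_seen"] = now
    return s["user"]

def logout(sid):
    """Invalidate the session on the server; clearing the cookie alone is not enough."""
    SESSIONS.pop(sid, None)

def session_cookie(sid):
    # Secure keeps the id off plaintext connections; HttpOnly keeps it away from
    # script (and thus from XSS); the id never appears in a URL.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```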

Published on Jun 9, 2015
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.