At Appknox, our efforts have been towards educating our customers and other business owners too towards common threats that exist so that they can prepare themselves better. Hence, we started a series of articles based on the OWASP Top 10 Project which outlines the top 10 must commonly found and easily misused threats in mobile.
What is a Broken Authentication and Session Management Attack?
In simple words, Broken Authentication and Session Management attacks are anonymous attacks with the intention to try and retrieve passwords, user account information, IDs and other details.
How Can This Affect You?
A simple example is the Starbucks hack that left millions of usernames and passwords exposed. We did a similar hack on Ola Cabs as well, a large cab aggregator company in India. We could thereby retrieve usernames and passwords of users and use their account to login to the app.
Are You Vulnerable to a Broken Authentication & Session Management Attack?
Basically, you are supposed to keep all your session and authentication related information protected.
You might be vulnerable if you meet one or more of the following conditions:
- User authentication credentials aren’t protected when stored using hashing or encryption.
- Account credentials are weakly managed, hence making it easy to guess or overwrite on on various account management functions (e.g., account creation, change password, recover password, weak session IDs).
- Session IDs are exposed in the URL, do not have timeouts or authentication tokens are not properly invalidated during logout.
- Passwords, session IDs, and other credentials are sent over unencrypted connections.
These are just some scenarios that we have commonly found. There are many other reasons why you might be vulnerable to this attack.
How Can You Prevent a Broken Authentication and Session Management Attack?
There are numerous things developers can do to help prevent these attacks some of which include session expiration, login expiration and other strategies that help safeguard the user. The reason why so many attacks occur is because most developers ignore these basic security measures.
Every organization should provide to developers a single set of strong authentication and session management controls. Also, a simple interface should be provided to developers to emulate and test different cases. To add to that, efforts should also be made to avoid XSS flaws which can be used to steal session IDs.
We'll discuss more about XSS flaws in our next article as a part of this series.