Did you know that a whopping 113 million websites contain a security vulnerability? That’s approximately six percent of all websites globally. A website vulnerability is a weakness in website code that cybercriminals can exploit to gain unauthorized access to a site—and a single vulnerability can affect over 1,000 pages on one website.

Let’s talk about one of the most common types of vulnerabilities on the OWASP Top 10: broken authentication & session management. Simply stated, broken authentication & session management allows a cybercriminal to steal a user’s login data, or forge session data, such as cookies, to gain unauthorized access to websites.

What is the OWASP Top 10?

The OWASP Top 10, published by OWASP (the Open Web Application Security Project), is a list of the 10 most dangerous web application security flaws today (including broken authentication & session management). According to owasp.org, its purpose is to drive visibility and evolution in the safety and security of the world’s software.

What is broken authentication & session management?

Many websites require users to log in to access their accounts, make a purchase, etc. More often than not, this is done using a username and password. Once those are verified, the site assigns and sends each logged-in visitor a unique session ID that serves as the key to that user’s identity on the server.

If authentication and session management are not properly secured, an attacker could impersonate a valid user.

How can broken authentication and session management be exploited?

When a visitor signs in to a website, the site uses a proprietary algorithm to generate a unique session ID. The visitor’s device then presents that session ID as the key to their identity for the remainder of the login session. All of this information has to be sent back and forth between the visitor and the server. If that information is not encrypted and is sent as plain text instead, someone can intercept the visitor’s session ID and/or credentials and impersonate that visitor. This is especially true on a public network (such as coffee shop Wi-Fi) that anyone else can access and potentially eavesdrop on.


Another approach a cybercriminal could take is a brute-force attack, in which they repeatedly try common passwords in an effort to guess a user’s correct password. It is also possible for attackers to forge session IDs if they are not randomly generated. For example, if an attacker intercepts several legitimate session IDs that are sequential (enumerable), they can guess the next legitimate session ID and access the site fraudulently. These are commonly referred to as man-in-the-middle attacks.
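As an added illustration (not code from the original article), the Python sketch below contrasts a sequential, guessable session ID with one drawn from the operating system’s cryptographic random source, stored server-side only as a hash, and sent with cookie attributes that keep it off plaintext connections; the function names, the in-memory session store and the crude predictability check are assumptions made for this example.

```python
import hashlib
import secrets
import time
from itertools import count

# --- Weak pattern (constructed to show the flaw): a counter-based session ID ---
_counter = count(1000)

def weak_session_id() -> str:
    """Sequential IDs: after seeing a few values, anyone can guess the next one."""
    return f"sess-{next(_counter)}"

# --- Fixed pattern: unpredictable token, kept server-side only as a hash ---
SESSION_BYTES = 32              # 256 bits of entropy from the OS CSPRNG
SESSION_TTL_SECONDS = 30 * 60   # absolute lifetime; expired records are dropped

_sessions: dict[str, dict] = {}  # key = sha256(token), value = session record

def issue_session(user_id: str) -> str:
    """Create a session and return the raw token that goes into the cookie."""
    token = secrets.token_urlsafe(SESSION_BYTES)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _sessions[digest] = {"user": user_id, "expires": time.time() + SESSION_TTL_SECONDS}
    return token

def set_cookie_header(token: str) -> str:
    """Secure: never sent over plain HTTP. HttpOnly: not readable by page scripts."""
    return (f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={SESSION_TTL_SECONDS}; Path=/")

def lookup_session(token: str):
    """Resolve a presented token to a user, or None if unknown or expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = _sessions.get(digest)
    if rec is None or rec["expires"] < time.time():
        _sessions.pop(digest, None)
        return None
    return rec["user"]

def is_predictable(ids: list[str]) -> bool:
    """Crude defender-side check over issued IDs: do the numeric tails step by a constant?"""
    nums = []
    for s in ids:
        tail = s.rsplit("-", 1)[-1]
        if not tail.isdigit():
            return False          # non-numeric tail: not a simple counter
        nums.append(int(tail))
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(diffs) == 1

if __name__ == "__main__":
    print("weak ids predictable:", is_predictable([weak_session_id() for _ in range(5)]))
    tok = issue_session("alice")
    print(set_cookie_header(tok))
    print("lookup:", lookup_session(tok))
```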

How to protect yourself from broken authentication and session management

Use an SSL Certificate

To prevent man-in-the-middle attacks on your site’s sessions, it is important to encrypt this data in transit using an SSL certificate. As the name implies, an SSL (Secure Sockets Layer) certificate is a digital certificate that enables encryption of the information sent between a web server and a web browser.

Use a VPN

A VPN (virtual private network) is another effective way to protect yourself from broken authentication and session management. VPNs enable users to send and receive data across shared or public networks privately.

Implement a web application firewall (WAF)

You can prevent attackers from exploiting vulnerabilities or forging session IDs by using a web application firewall (WAF). A WAF is designed to scan and filter all incoming traffic to a website—it only lets good visitors in and keeps malicious ones out. In addition, a WAF allows website owners to enable what’s called two-factor authentication (2FA), which requires users to provide an on-demand, unique code when logging in, along with their username and password. The code itself is usually delivered via text message, making it much more difficult for a hacker to impersonate any one user or admin.

Enforce Strong Passwords

Regarding the brute-force attacks mentioned earlier in this article, it’s good practice to enforce password requirements for any and all registered users on a site (this includes admin accounts, especially!). Strong passwords do not include complete words; instead they are a mix of random letters (both uppercase and lowercase), numbers, and symbols, so the password can’t be easily guessed.

In summary, broken authentication and session management lets an attacker steal a user’s login data, or forge session data such as cookies, to gain unauthorized access to websites. However, there are clear and easy solutions to prevent your site from being affected by this vulnerability.