The OWASP Top 10: Broken Authentication & Session Management

Did you know a whopping 113 million websites contain a security vulnerability? That’s approximately six percent of all websites globally.

A website vulnerability is a weakness in website code that cybercriminals can exploit to gain unauthorized access to a site—and a mere one vulnerability has the power to impact over 1,000 pages on a single website.

Let’s talk about one of the most common types of vulnerabilities on the OWASP Top 10: broken authentication and session management. Simply stated, broken authentication and session management allows a cybercriminal to steal a user’s login data, or forge session data, such as cookies, to gain access to websites.

What is the OWASP Top 10?

The OWASP Top 10, short for Open Web Application Security Project, is a list of the 10 most dangerous Web application security flaws today (including broken authentication and session management). According to owasp.org, its purpose is to drive visibility and evolution in the safety and security of the world’s software.

What is Broken Authentication and Session Management?

Many websites require users to login to access their accounts, make a purchase, etc. More often than not, this is done using a username and password. With this info, a site will assign and send each logged in visitor a unique session ID that serves as a key to the user’s identity on the server.

If not properly secured, a cybercriminal can impersonate a valid user and access that user’s account, resulting in a broken authentication and session management attack.

How Can Broken Authentication and Session Management Be Exploited?

When a visitor signs in to a website, the site uses a proprietary algorithm to generate a unique session ID. The visitor’s device then uses that session ID as a key to their identity for the remainder of their user session.

All of this information has to be sent back and forth between the visitor and the server. If that information is not encrypted and is sent as plain text instead, it’s possible for someone to intercept a visitor’s session ID and/or credentials to impersonate that same visitor. This is especially true when operating on a public network (like a coffee shop wifi) or a public computer that anyone else can access and possibly intercept.

Another approach a cybercriminal could take is attempting a brute-force attack wherein they repeatedly try common weak passwords in an effort to guess a user’s correct password. It is also possible for attackers to forge session IDs if they are not randomly generated. For example, if an attacker intercepts several legitimate session IDs that are enumerated, it is possible to guess the next legitimate session ID and access the site fraudulently. These are commonly referred to as man-in-the-middle attacks.

How to Protect Yourself and Your Website

Use an SSL Certificate

To prevent man-in-the-middle type attacks on your site’s sessions, it is important to encrypt this data in transit using an SSL certificate. As the name implies, an SSL (secure socket layer) is a digital certificate that encrypts information sent between a web server and web browser.

Use a VPN

A VPN (virtual private network) is another effective way to protect yourself from broken authentication vulnerabilities. VPNs enable users to send and receive data across shared or public networks privately.

Implement a Web Application Firewall (WAF)

You can prevent attackers from exploiting vulnerabilities or forging session IDs by using a web application firewall (WAF). A WAF is designed to scan and filter all incoming traffic to a website—it only lets good visitors in and keeps malicious ones out.

In addition, a WAF allows website owners to implement multi-factor authentication, which requires users to provide an on-demand, unique code when logging in, along with their username and password. The code itself is usually delivered via text message, making it much more difficult for a hacker to impersonate any one user or admin.

Enforce Strong Passwords

Regarding brute force attacks, mentioned earlier in this article, it’s a good practice to have access control and password policies for any and all registered users on a site (this includes admin accounts, especially!).

Strong passwords do not include complete words, but rather are a mix of random letters (both uppercase and lowercase), numbers, and symbols, so users’ passwords can’t be easily guessed. Minimum password lengths should also be required and users should be required to update their passwords after multiple failed login attempts are detected.

In summary, broken authentication and session management is a major security risk. It can allow a hacker to steal a user’s sensitive data, or forge session data, such as cookies, to gain unauthorized access to websites. However, there are clear and easy solutions to prevent your site from being affected by this vulnerability. Learn more about protecting your site with a web application firewall (WAF).