Everything You Need to Know About Broken Authentication – Hashed Out by The SSL Store

This Common OWASP Top 10 Vulnerability Lets Hackers Take Over User & Admin Accounts. Learn How to Protect Against Broken Authentication and Keep Them Out

How many different users log in to your business's systems every day? For most companies, it's a significant number. These days, more and more services are requiring our credentials, from work accounts to banking to entertainment and much more. When users log in, they assume their credentials and account are safe, right? After all, that's the point of having secure, SSL-protected pages in the first place: to keep them protected. And that's usually the case, unless broken authentication is involved.

Broken authentication is a major issue plaguing internet users, and it has risen to the number two spot on the OWASP Top 10 List for a reason. A 2019 study by Positive Technologies found that 45 percent of web applications had vulnerabilities relating to broken authentication. These weaknesses let attackers gain unauthorized access to accounts and ultimately carry out illegal activities such as identity theft, money laundering, fraud, or stealing confidential data.

Improper configurations or poor design can result in broken authentication, as can human-related factors. For example, a 2019 survey from the National Cyber Security Centre in Great Britain found a whopping 23.2 million instances of "123456" being used as a password. Similarly, millions more used common and easy-to-guess passwords including vulgar words, sports teams, and of course the ultra-secure "password".

So, what is broken authentication exactly? What are the different types of attacks? And how can you protect your site and your users against broken authentication?

Let's hash it out.

Broken authentication refers to anything that lets someone log in to an account they're not supposed to have access to. It means that there are vulnerabilities present in a particular website or application that let an attacker sidestep the standard security measures in order to gain unauthorized entry. Basically, they are trying to log into a victim's account like normal, with all the regular capabilities and functionality. Since they are impersonating the user, they can perform actions under the guise of that identity and may be able to view sensitive personal and financial information as well.

There are several different ways in which the authentication can be broken. We can be dealing with passwords, session IDs, keys, user account details, and other data that can help impersonate a victim. Regardless, the ultimate goal is to take over an account and all that comes with it.

Broken authentication can be discovered via either manual or automated means. Once a vulnerability is found, a hacker can exploit it with programs that employ things like password lists and dictionary attacks to make their way inside a system.

Broken authentication is a broad term that can refer to two different types of weaknesses: those relating to either session management or credential management.

For a closer look at session management vulnerabilities, check out our previous article on session hijacking. Basically, a session ID is created and assigned to a user whenever they log in to a site. The session ID is used to track what the user does and helps the site respond to the user's actions.

If an attacker can get hold of a user's session ID while they are logged in, then that is essentially as good as having their password. They can use the stolen session ID to impersonate the user and perform actions within the website. The image below illustrates how a session hijacking attack works:

Developers should treat session IDs the same as passwords themselves. It's critical to verify that there are no weaknesses or loopholes that can be exploited by attackers.

The theft of usernames and passwords is the first thing that usually comes to mind when we think of attackers gaining unauthorized access to an application. Proper credential management is critical for the users of any system, and applications themselves must take all possible precautions when dealing with passwords and their creation.

In this case, broken authentication occurs when a site fails to protect its users from attackers that try to gain access via hacked or stolen passwords.
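The following is an added example, not code from the article, that puts the session-management and credential-management advice above into one minimal login service: passwords are stored only as salted, slow hashes and weak choices such as "123456" are refused at registration, while session IDs are long random values issued fresh on every login and invalidated on logout. The `AuthService` class, the `WEAK_PASSWORDS` blocklist and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed blocklist; a real deployment would check a large breached-password list.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 200_000  # assumption: raise until one hash takes ~100 ms on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class AuthService:
    # Dummy record so an unknown username costs the same time as a wrong password.
    _DUMMY = hash_password("dummy-record-for-unknown-users")

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.sessions: Dict[str, str] = {}  # session id -> username

    def register(self, username: str, password: str) -> bool:
        """Refuse short or well-known passwords before storing a hash."""
        if len(password) < 12 or password.lower() in WEAK_PASSWORDS:
            return False
        self.users[username] = hash_password(password)
        return True

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session id on success, None on any failure (same answer for both)."""
        salt, digest = self.users.get(username, self._DUMMY)
        ok = verify_password(password, salt, digest) and username in self.users
        if not ok:
            return None
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never reused
        self.sessions[session_id] = username
        return session_id

    def logout(self, session_id: str) -> None:
        self.sessions.pop(session_id, None)  # invalidate server-side, not just the cookie
```

Because every login mints a new session ID and logout deletes it on the server, a session ID captured earlier stops working as soon as the user logs out.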

Now that we know what broken authentication refers to and the two main categories of vulnerabilities, let's take a look at the most common types of attacks:

Broken authentication risks should always be considered, no matter what kind of website or application you're looking at. The following items will potentially expose users to broken authentication attacks and should be avoided at all costs:

Now that we've examined things you should avoid to minimize broken authentication risks, let's take a look at some best practices to use instead:

Broken authentication is a relatively straightforward and simple concept, and the vulnerabilities that enable broken authentication attacks can usually be easily prevented. By designing your site or application with authentication best practices in mind, you can eliminate the potential headaches that might spring up later on when hackers are searching for exploits. Even if you have to go back and modify what you've already created, it's still worth taking the extra time and effort. After all, it only takes a single attack to erode user trust and damage the brand you've worked so hard to build.
