What Is Broken Authentication?
Broken authentication refers to something that lets somebody log in to an account they’re not supposed to have access to. It implies that vulnerabilities are present in a specific website or application that let an attacker sidestep the standard security measures to achieve unauthorized entry. They’re attempting to log into a victim’s account like normal, with all the regular capabilities and practicality. Since they’re impersonating the user, they can perform actions under the guise of their identity and maybe view sensitive personal and financial information.
There are many other ways during which the authentication can be broken. We can deal with passwords, session IDs, keys, user account details, and different information that may harm a victim. Regardless, the goal is to take over an account and everything that comes with it.
Broken authentication may be discovered via either manual or automated means. Once a vulnerability is found, a hacker will exploit it with programs that use things like password lists and dictionary attacks to make their way inside a system.
Broken authentication is a broad term that may consult with 2 differing weaknesses that relate to session management or credential management.
Session Management Vulnerabilities
In Session Management Vulnerabilities, a session ID is created and assigned to a user whenever they log in to a website. The session ID is employed to trace what the user does and helps the site respond to the user’s actions.
If an attacker gets a hold of a user’s session ID while logged in, that’s essentially as good as having their password. They can impersonate the user and perform actions on the website using the stolen session ID.
Developers should treat session IDs as if they were passwords. It’s critical to make sure there aren’t any vulnerabilities or loopholes that attackers could take advantage of.
Credential Management Vulnerabilities
When we think of attackers gaining unauthorised access to an application, the first thing that comes to mind is the theft of usernames and passwords. Proper credential management is crucial for the users of any system, and applications themselves should take all possible precautions when dealing with passwords and their creation.
In this case, broken authentication happens when a site fails to protect its users from attackers that try to gain access via hacked or stolen passwords.
Types of Broken Authentication Attacks
Verified Session IDs may be hijacked to impersonate user identities. Suppose a user forgets to log out from a public computer. In that case, any other individual will continue that session, using the same Session ID that was antecedently created for the original user. If an identical ID is issued before and after authentication, it may lead to a broken authentication attack, referred to as Session Fixation attacks.
Session ID URL
The Session ID appears in the website URL, and it can be used to impersonate the user’s identity by anyone who accesses the URL via a wired or wireless network.
Sometimes, hackers access a database containing unencrypted user passwords and may often employ tactics to determine if the passwords are valid and functional. This is known as credential stuffing, and any secure web application must have protocols in place to prevent it.
Password-complexity requirements help protect against Password Spraying. This is similar to Credential Stuffing. Therein it’s a kind of brute force attack. In this case, attackers use lists of the most common and weak passwords. This technique typically pays off considering how often “password”, “123456”, and similar strings are used as passwords.
Here, hackers use an authentic-looking login screen to trick users into providing their credentials. These attempts can be prevented by avoiding suspicious links, verifying the website in question, and following email security best practices. Admins will protect their users’ accounts by implementing multi-factor authentication.Even if a phishing attack is successful, the hacker will face another challenge before gaining account access.
What Makes an Application Vulnerable to Broken Authentication?
Broken authentication risks should always be considered, no matter what website or application you’re looking at. The following items should be avoided at all costs because they may expose users to broken authentication attacks:
- Permitting a large number of incorrect login attempts enables Credential Stuffing attacks
- Permitting weak or commonly-used passwords
- Using clear text passwords and failing to properly encrypt them
- Not requiring multi-factor authentication
- Exposing session IDs in URLs
- Not changing the session ID after every session
- Allowing the transmission of passwords or session IDs over HTTP
- After periods of inactivity, session IDs are not invalidated.
Various broken authentication OWASP recommendations can help organizations understand how to prevent broken authentication, and a few of them are as follows.
Regulate session length
The web application should be able to finish web sessions after a period of inactivity that depends on the user’s requirements. To avoid the risk of session IDs being hijacked, a secure banking portal, for example, should automatically log out the user after a few minutes.
Improve session management
After every successful authentication, the web application should be ready to issue a new Session ID. These IDs must be invalidated shortly after a session ends to forestall any misuse.
Multi-factor Authentication (MFA)
Among the OWASP top 10 broken authentication, the primary tip is implementing multi-factor authentication to forestall attacks. To verify the user’s identity, MFA requires an additional credential. A One-Time Password (OTP) message to the user that enables verification is an example of MFA.
Disallow weak passwords
Users must be required to line passwords of a selected length containing special characters, letters, and numbers to forestall credential theft. Therefore, those passwords that don’t meet the desired complexness and length should be automatically rejected.
Breached password protection
Employ a breached password protection mechanism that locks the accounts of users whose passwords are compromised till they verify and alter the password to a new one. This ensures that the organisation is notified if passwords are stolen.
Strict credential recovery method
The process to recover credentials should be strict, involving multiple verification checks to confirm that attackers do not misuse such recovery options.
Secure password storage
Passwords should be encrypted, hashed, and preserved because it helps block brute-force attacks or other attempts to infiltrate password databases.
Employ brute-force protection
Applications should set a maximum limit for user-login attempts from a selected IP address to forestall brute-force and credential stuffing attacks. Any user exceeding this limit should be disallowed from making any further attempts.
Some additional methods to prevent Broken Authentication are:
- Limit unsuccessful login attempts
- To protect passwords and session IDs, make all URLs HTTPS.
- Keep an up-to-date password blocklist of credentials compromised in various data breaches
- Alert administrators of multiple login failures
- Store session IDs in cookies, not URLs