This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Top 10 2013-A2-Broken Authentication and Session Management

From OWASP
Revision as of 20:16, 16 February 2013 by Neil Smithline (talk | contribs)

Jump to: navigation, search

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

[[Top 10 {{{year}}}-Injection|← Injection]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Cross-Site Scripting (XSS)|Cross-Site Scripting (XSS) →]]
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
AVERAGE		 Prevalence
WIDESPREAD		 Detectability
AVERAGE		 Impact
SEVERE		 Application / Business Specific
Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions. Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique. Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted. Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable To 'Broken Authentication and Session Management'?

foo

How Do I Prevent 'Broken Authentication and Session Management'?

blank

  1. blankBullet1
  2. blankBullet2
Example Attack Scenarios

blank

blank code

blank

http://example.com/app/accountView?id=' or '1'='1

blank

References

OWASP

External

[[Top 10 {{{year}}}-Injection|← Injection]]
[[Top 10 {{{year}}}-Table of Contents | {{{year}}} Table of Contents]]

[[Top_10_{{{year}}}-Top 10|{{{year}}} Top 10 List]]

[[Top 10 {{{year}}}-Cross-Site Scripting (XSS)|Cross-Site Scripting (XSS) →]]
© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]
Retrieved from "https://wiki.owasp.org/index.php?title=Top_10_2013-A2-Broken_Authentication_and_Session_Management&oldid=144622"