This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Top 10-2017 A2-Broken Authentication
Threat Agents / Attack Vectors | Security Weakness | Impacts | |||
---|---|---|---|---|---|
App Specific | Exploitability AVERAGE |
Prevalence COMMON |
Detectability AVERAGE |
Impact SEVERE |
Business ? |
Consider anonymous external attackers, as well as authorized users, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions. |
Attackers use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to temporarily or permanently impersonate users. |
Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, create account, change password, forgot password, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique. |
Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted. |
Consider the business value of the affected data or application functions. Also consider the business impact of public exposure of the vulnerability. |
Am I Vulnerable To 'Broken Authentication'?
Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:
See the ASVS requirement areas V2 and V3 for more details. |
How Do I Prevent 'Broken Authentication'?
The primary recommendation for an organization is to make available to developers:
|
Example Attack Scenarios
Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL: http://example.com/sale/saleitems;
sessionid=268544541&dest=Hawaii An authenticated user of the site wants to let their friends know about the sale. User e-mails the above link without knowing they are also giving away their session ID. When the friends use the link they use user’s session and credit card. Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated. Scenario #3: An insider or external attacker gains access to the system’s password database. User passwords are not properly hashed and salted, exposing every users’ password. |
References
OWASP
External |