Managing user name and passwords has become a cumbersome task in today’s internet-driven world. However, managing user name and passwords is a necessary evil with the rapid growth in data, advancements in mobile and cloud technologies and the increasing plethora of security breaches seeming to happen every other day. As a result, authentication and session management has become more advanced to protect the data, systems and networks that our society relies upon.
Although the management of authentication and active sessions has come a long way over the past decade, it is nowhere near perfect. In fact, according to the Open-Source Web Application Security Project (OWASP) Top 10, a list of the 10 biggest web vulnerabilities, Broken Authentication and Session Management is number two on the most recent list – making it an area that still needs significant focus and improvement. Since the list originated in 2004, Broken Authentication and Session Management has always stayed on the top 10 list, despite improvements in the technology itself..
The reason why is these kinds of flaws can be extremely serious in web applications and put businesses at a very high risk to not only lose confidential data but to open back doors to the entire company to maliscious attackers. Attackers, both internal and external, can even take advantage of these flaws to steal accounts from others and impersonate the users. Once an account is hijacked, the attacker has the ability to do anything the account holder has permission to do which can result in serious consequences affecting the company’s viability as a whole.
Custom authentication and session management arrangements are built, such as logout, password management, timeout, remember me, secret question, and account update that often reveal these flaws. Although these custom schemes are more difficult to develop, they also create more dangerous weaknesses to rear their ugly heads.
There are numerous ways that an application may be vulnerable to these authentication and session management flaws. OWASP lists seven reasons an application may be vulnerable:
- User authentication credentials aren’t protected when stored using hashing or encryption.
- Credentials can be guessed or overwritten through weak account management functions.
- Session IDs are exposed in the URL.
- Session IDs are vulnerable to session fixation attacks.
- Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on tokens, aren’t properly invalidated during logout.
- Session IDs aren’t rotated after a successful login.
- Passwords, session IDs and other credentials are sent over unencrypted connections.
It is essential that throughout the application development lifecycle, tests are conducted to verify that the user credentials and session IDs are properly protected. There needs to be a single set of strong authentication and session management controls. Having a simple user interface for developers and following the OWASP’s Application Security Verification Standard are steps in the right direction. Also, avoiding XSS flaws that are used to steal session IDs can help prevent such vulnerabilities.
However, the biggest problem and why this issue continues to live on the OWASP top ten list year after year is that either the company believes that a security breach would never happen to them, or that it is very difficult to find talented security and development professionals to write secure code in the first place. Code Dx can help in this arena by affordably automating the security testing process so software with these vulnerabilities will not be launched publicly.