OWASP Top 10 - Broken Authentication

Atharv Sharma
3 min read · Feb 27, 2024

Hey Folks!!!

In this blog we will take a deep dive into

  1. Difference between Authentication and Authorization.
  2. What is Broken Authentication?
  3. What are authentication vulnerabilities?
  4. What are the prevention measures?

Difference between Authentication and Authorization.

Authentication is the process of verifying that a user is who they claim to be. Authorization happens after that: it decides what an authenticated user is permitted to do, i.e. whether this particular user is allowed to access a given resource or perform a given action.

For example, authentication determines whether someone attempting to access a website with the username Atharv really is the same person who created the account.

Once Atharv is authenticated, their permissions determine what they are authorized to do. For example, an ordinary user may only be authorized to view and edit their own profile, whereas an administrator may be authorized to access personal information about other users or perform actions such as deleting another user's account.

What is Broken Authentication?

A broken authentication vulnerability arises when there are weaknesses in the authentication and session management functions that allow attackers to compromise passwords, keys, session tokens, or user account information, enabling them to assume other users' identities. The root cause is poorly implemented authentication and session management. Attackers use broken authentication to gain unauthorized access to one or more accounts, which grants them the same privileges as the legitimate user. Some common flaws that are actively exploited by attackers are:

  • Brute force attacks: If a web application authenticates with usernames and passwords and does not limit the number of attempts, an attacker can guess credentials by submitting many username and password combinations until one succeeds.
  • Use of weak credentials: Web applications should enforce a strong password policy. If an application lets users choose passwords such as ‘password1’ or other commonly used passwords, an attacker can guess them with a handful of attempts and no large-scale brute forcing at all.
  • Weak session cookies: Session cookies are how the server keeps track of logged-in users. If the session identifier is predictable (sequential, time-based, or derived from the user ID), an attacker can construct a valid cookie for another user and take over their account without ever knowing the password.
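The following is an added example, not code from the original article, showing the weak session cookie case concretely: a server whose cookie is just the user ID and a login-hour bucket encoded with base64, beside one that hands out 256-bit random tokens and keeps the user mapping server-side. The user table, class names and cookie layout are constructed for the demo.

```python
"""Predictable vs. unguessable session cookies (added demo, not the article's code)."""
import base64
import secrets

# Constructed user table for the demo: user id -> username.
USERS = {1001: "atharv", 1002: "alice", 1003: "bob"}


class WeakSessionServer:
    """Cookie = base64("<user_id>:<hour_bucket>"). Nothing in it is secret."""

    def login(self, user_id: int, now: float) -> str:
        hour = int(now // 3600)
        return base64.urlsafe_b64encode(f"{user_id}:{hour}".encode()).decode()

    def whoami(self, cookie: str, now: float):
        """Accept any cookie whose user id exists and whose hour bucket is current."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode()).decode()
            uid, hour = raw.split(":")
            uid, hour = int(uid), int(hour)
        except ValueError:  # bad base64, bad UTF-8, wrong field count, non-integer
            return None
        if uid in USERS and hour == int(now // 3600):
            return USERS[uid]
        return None


class StrongSessionServer:
    """Cookie = 32 random bytes from the OS CSPRNG; the mapping lives server-side."""

    def __init__(self):
        self._sessions = {}  # token -> user_id

    def login(self, user_id: int, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def whoami(self, cookie: str, now: float):
        uid = self._sessions.get(cookie)
        return USERS.get(uid) if uid is not None else None


def forge_cookie_from_own(own_cookie: str, victim_id: int) -> str:
    """Attacker step: decode own cookie, keep its structure, swap in the victim's id."""
    raw = base64.urlsafe_b64decode(own_cookie.encode()).decode()
    _, hour = raw.split(":")
    return base64.urlsafe_b64encode(f"{victim_id}:{hour}".encode()).decode()


def attack(server, attacker_id: int, victim_id: int, now: float):
    """Log in legitimately, forge a cookie for the victim, and report whose account the server returns."""
    own = server.login(attacker_id, now)
    try:
        forged = forge_cookie_from_own(own, victim_id)
    except ValueError:
        # A random token has no "uid:hour" structure to reuse; the forgery cannot even be built.
        return None
    return server.whoami(forged, now)


if __name__ == "__main__":
    now = 1_700_000_000.0
    print("weak  :", attack(WeakSessionServer(), 1001, 1002, now))    # alice
    print("strong:", attack(StrongSessionServer(), 1001, 1002, now))  # None
```

Against the weak server the attacker only needs their own cookie to reach `alice`'s account; against the strong server the forgery cannot even be constructed, and any guessed token has to match one of 2^256 possibilities held only in the server's table.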

What are authentication vulnerabilities?

Authentication vulnerabilities refer to weaknesses in the processes and mechanisms used to verify user identities, making websites and applications susceptible to unauthorized access and data breaches.

Most vulnerabilities in authentication mechanisms occur in one of two ways:

  • The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
  • Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes called “broken authentication”.

In many areas of web development, logic flaws cause the website to behave unexpectedly, which may or may not be a security issue. However, as authentication is so critical to security, it’s very likely that flawed authentication logic exposes the website to security issues.

Most common Authentication Vulnerabilities

Here are seven of the most common authentication-based vulnerabilities to watch out for:

  1. Phishing Attacks
  2. Credential Stuffing
  3. Weak Passwords
  4. Insecure Authentication Protocols
  5. Brute Force Attacks
  6. Session Hijacking
  7. Lack of Multi-Factor Authentication

What are the preventive measures?

There are various mitigations for broken authentication, depending on the exact flaw:

  • Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second factor (such as a TOTP code or a hardware security key) in addition to the password, so a stolen or guessed password alone is not enough to log in.
  • Enforce Secure Password Policies: Implement strong password requirements and reject weak or commonly breached passwords; also limit failed login attempts per account (rate limiting or temporary lockout) so brute force and credential stuffing do not get unlimited tries.
  • Protect Session IDs: Generate session IDs, whether cookies or tokens, from a cryptographically secure random source, send cookies with the Secure and HttpOnly flags, and issue a new session ID after a successful login so that an ID an attacker planted before login is never promoted to an authenticated one (session fixation).
  • Session Management: Properly invalidate session IDs on logout and after a period of inactivity, and enforce secure session management practices to mitigate authentication vulnerabilities.
  • Use Secure Frameworks and Libraries: Employ community-vetted frameworks, libraries, and secure coding patterns to embed robust authentication mechanisms in software applications.
  • Regular Security Audits: Conduct regular security audits to identify and address any vulnerabilities in the authentication process.
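To put the brute-force and bypass concerns raised earlier together with the controls in this list, here is an added example (not code from the original article) of a small login and session manager: it rejects common passwords, stores salted PBKDF2 hashes, locks an account after repeated failures, issues a fresh random session token on login while discarding any token presented before login, and invalidates sessions on logout or idle timeout. Class and function names, the thresholds and the deny-list are assumptions made for the demo.

```python
"""Hardened login and session management (added demo, not the article's code)."""
import hashlib
import secrets
from typing import Optional

# Constructed deny-list for the demo; production uses a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MAX_FAILED_ATTEMPTS = 5       # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts
IDLE_TIMEOUT_SECONDS = 30 * 60
PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256


def password_policy_ok(password: str) -> bool:
    """Minimum length plus a deny-list; the deny-list is what stops 'password1'."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthServer:
    def __init__(self):
        self._users = {}     # username -> {"salt", "hash", "failed", "locked_until"}
        self._sessions = {}  # token -> {"user", "last_seen"}

    def register(self, username: str, password: str) -> bool:
        if not password_policy_ok(password):
            return False
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                 "failed": 0, "locked_until": 0.0}
        return True

    def login(self, username: str, password: str, now: float,
              presented_token: Optional[str] = None) -> Optional[str]:
        """Return a fresh session token, or None for unknown user, wrong password or lockout alike."""
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # take as long as a real check would
            return None
        if now < rec["locked_until"]:
            return None
        if not secrets.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failed"] = 0
            return None
        rec["failed"] = 0
        # Rotation: whatever token the client held before login is dropped, never promoted.
        if presented_token is not None:
            self._sessions.pop(presented_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": now}
        return token

    def current_user(self, token: str, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # idle expiry
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def is_locked(self, username: str, now: float) -> bool:
        rec = self._users.get(username)
        return rec is not None and now < rec["locked_until"]


if __name__ == "__main__":
    srv = AuthServer()
    print(srv.register("atharv", "password1"))                      # False: denied by policy
    print(srv.register("atharv", "correct horse battery staple"))   # True
    tok = srv.login("atharv", "correct horse battery staple", 0.0)
    print(srv.current_user(tok, 10.0))                              # atharv
```

Two choices worth noting: the lockout check runs before the expensive hash so a locked account costs the server nothing, and every failure path returns the same `None` so the response does not reveal whether the username exists, whether the password was wrong, or whether the account is locked.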
