Broken Authentication and Session Management
(Broken Authentication and Session Management)
This vulnerability, known as Broken Authentication and Session Management in English, is known as Broken Authentication and Session Management in our language. OWASPIn the list of the most popular vulnerabilities published by . Second is located. Before we talk about the details, let's talk about what this vulnerability is.
|Broken Authentication and Session Management
What is Broken Authentication?
It occurs as a result of non-implementation or misapplication of the functions related to authentication and session management of the application functions. Using this vulnerability, attackers can guess passwords, keys, tokens or other users' information, brute force They can reveal the identities of users by performing (brute force attacks).
How Does Broken Authentication Vulnerability Affect the System?
Attackers often have to access several standard user accounts or an administrator account to compromise a system. Depending on the domain of the application hosting the Broken Authentication vulnerability, this situation; Social engineering (phishing) attacks can lead to very negative situations such as identity theft, revealing legally protected information, leaking personal data and even infiltrating the system.
How to Detect Broken Authentication Vulnerability?
The presence of a Broken Authentication vulnerability in an application can be detected by checking the following items.
- If brute force allows attacks.
- If it allows default passwords.
- It carries session ID values via URL.
- If it does not change session ID values after successful login.
- If weak signing/encryption algorithms are used.
How to Avoid Broken Authentication?
There are some techniques that can be applied to prevent the exploitation of this vulnerability;
- Pay particular attention to single-use generated links such as password reset.
- User tokens are not kept active for a long time.
- Implement as many layers of authentication (MFA, 2FA) as possible to prevent automated attacks, dictionary attacks, brute force attacks, and reuse of stolen login credentials.
- Not using any default login information especially for admin users.
- Password length, complexity, and enforcement of change policies.
- Using the same message for all results, such as logging in, registering. For example, if there is an error in the user name and password entry, instead of specifying which one it is, "username or password" is expressed as wrong.
- Using the same error message for incorrect logins in functions such as logging in, registering. To put it more clearly; for example, if the password is typed incorrectly in the username and password input field, an error message such as “username or password is incorrect” is not revealed, which is the wrongly typed user information.
- Limiting or incrementally delaying failed login attempts.
- Logging of all failed attempts.
- Session ID values not found in the URL.
- Termination of session ID values after session ends, inactive for a certain period of time, or after expiration.
- Using SSL (Secure Sockets Layer).
- Robot control in login and registration processes.
We recommend you to get Cyber Security Consultancy and Penetration Testing services from a professional company in order to be aware of the security vulnerabilities that may exist in your systems and to have the opportunity to create the necessary precautionary plans before a possible cyber attack knocks on your door.