Broken Authentication is an application security risk that can allow malicious actors to compromise keys, passwords, and session tokens, potentially leading to further exploitation of users’ identities and in the worst case, complete control over the system.
In essence, the vulnerability boils down to an attacker being able to bypass the authentication mechanism of the vulnerable application due to logic errors or bugs in the software.
This class of vulnerability can affect any kind of software that implements access control to pretty much any application, including databases, network infrastructure applications, and web applications.
As with many of the risks listed on the OWASP Top 10, authentication vulnerabilities are not a new security topic, and often a malicious actor does not have to be highly technical to bypass poorly implemented identity and access controls… it makes an attackers job even easier given these controls are often entirely non-existent! As such, there should be no surprises to learn that it has been ranked as the second most critical risk affecting web applications on the OWASP Top 10 since 2013.
A successful attack can result in a malicious attacker gaining complete access to all data in the web application, assuming administrator rights, and compromising the confidentiality, integrity, and availability of the application.
This breach affecting German airline ticket dealer Aerticket was discovered in 2016 but reportedly in existence since 2011 (i.e., for five years). Millions of customers’ names, addresses, and credit card numbers were potentially exposed due to an implementation flaw wherein a string of digits, which should have been randomly generated, were not.
There are a variety of different Broken Authentication instances that attackers can leverage depending on the vulnerability within the implementation of the identity or access control. Some methods of exploitation and potential weaknesses include:
- Functionalities requiring authentication lack mechanisms or implement insufficient protections.
- Broken object-level protection mechanisms allow unauthenticated users to access private resources.
- The use of dictionary-based attacks or credential reuse on applications that permit automated attacks.
- The application permits the use of weak passwords, such as “password123” or “123456”.
- The application doesn’t encrypt or weakly encrypts passwords.
The utilization of updated security controls that ensure user identity, authentication, and session management is crucial if one is to prevent authentication attacks successfully. Yet very often, a Broken Authentication is the result of logical errors or oversights. Since Broken Authentication as a category includes so many attack vectors, there are plenty of potential weaknesses to be aware of.
For instance, applications should be checked for, and appropriately adjusted/implemented in, the following ways:
- Developers must properly implement session ID rotation following successful logins and ensure rules around session ID invalidation during logout or inactivity are correctly implemented.
- Developers must implement an effective password policy that disallows the use of weak or overused/common passwords.
- Developers must properly test authentication correctness in addition to the functional aspects of the application.
Verify that APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.