Broken Authentication
Description
Broken Authentication is an application security risk that can allow malicious actors to compromise keys, passwords, and session tokens, potentially leading to further exploitation of users’ identities and, in the worst case, complete control over the system.
In essence, the vulnerability boils down to an attacker being able to bypass the authentication mechanism of the vulnerable application due to poor configuration, logic errors, or bugs in the software.
This class of vulnerability can affect any kind of software that implements access control to pretty much any application, including databases, network infrastructure applications, and web applications.
As with many of the risks listed on the OWASP Top 10, authentication vulnerabilities are not a new security topic, and a malicious actor often does not have to be highly technical to bypass poorly implemented identity and access controls; the attacker's job is even easier when those controls are entirely absent, which is frequently the case. As such, it should be no surprise that Broken Authentication has been categorized as a critical risk affecting web applications on the OWASP Top 10 since 2013.
Impact
A successful attack can result in a malicious attacker gaining complete access to all data in the web application, assuming administrator rights, and compromising the application’s confidentiality, integrity, and availability.
Scenarios
There are a variety of different Broken Authentication instances that attackers can leverage depending on the vulnerability within the implementation of the identity or access control. Some methods of exploitation and potential weaknesses include:
- Functionalities requiring authentication lack mechanisms or implement insufficient protections.
- Broken object-level protection mechanisms allow unauthenticated users to access private resources.
- Missing protections against dictionary-based attacks or credential reuse.
- The application permits the use of weak passwords, such as “password123” or “123456”.
- Exposure of session IDs, allowing attackers to reuse valid session IDs to hijack an active user’s session.
Prevention
Using up-to-date security controls that ensure user identity, authentication, and session management is crucial to preventing authentication attacks. Yet, very often, weak authentication is the result of logic errors or oversights rather than a missing control.
The following controls can strengthen your authentication when appropriately implemented:
- Implement Multi-Factor Authentication (MFA). MFA can significantly reduce the risk of unauthorized access by requiring users to provide multiple forms of identification (something they know, something they have, or something they are). The additional form of verification can be a code sent to a mobile device, a fingerprint, or a hardware token.
- Implement an effective password policy that disallows the use of weak or overused/common passwords.
- Implement password retry lockout.
- Protect session IDs, such as cookies or tokens, and rotate them following successful logins.
- Ensure rules around session ID invalidation during logout or inactivity are correctly implemented.
- Use community-vetted frameworks, libraries, and patterns to embed secure authentication in your software.
- Implement additional perimeter access control security, such as IP allow-lists and the use of bastion hosts.
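As an added example (not code from the original page), the following Python service combines several of the controls listed above in one place: a common-password denylist, salted PBKDF2 password hashing compared in constant time, a retry lockout, rotation of the session ID on successful login, and session invalidation on logout or inactivity. The class and function names, the thresholds, and the in-memory stores are assumptions constructed for illustration; a real deployment would back them with a database and a shared rate-limit store.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed, illustrative policy values (assumptions, not from the original page).
COMMON_PASSWORDS = {"password123", "123456", "qwerty", "letmein"}
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900          # 15 minutes
SESSION_IDLE_SECONDS = 1800    # 30 minutes
PBKDF2_ITERATIONS = 600_000    # OWASP-recommended order of magnitude for PBKDF2-SHA256


class ManualClock:
    """Injectable clock so lockout and idle expiry can be exercised without sleeping."""
    def __init__(self, start=1_000.0):
        self.now = start

    def __call__(self):
        return self.now


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, iterations, digest) for a freshly salted PBKDF2-SHA256 hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected_digest):
    """Constant-time comparison so the check does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected_digest)


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> (salt, iterations, digest)
        self.failures = {}   # username -> (failed_count, locked_until)
        self.sessions = {}   # session_id -> {"user": str, "last_seen": float}

    def register(self, username, password):
        # Password policy: reject short and commonly used passwords.
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in COMMON_PASSWORDS:
            raise ValueError("password rejected by policy")
        self.users[username] = hash_password(password)

    def login(self, username, password, old_session_id=None):
        """Return a new session ID on success, or None on failure or lockout."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                      # retry lockout in force
        record = self.users.get(username)
        # Always run the hash so unknown usernames cost the same time as wrong passwords.
        salt, iterations, digest = record or (b"\x00" * 16, PBKDF2_ITERATIONS, b"\x00" * 32)
        ok = verify_password(password, salt, iterations, digest) and record is not None
        if not ok:
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0.0
            self.failures[username] = (count, locked_until)
            return None
        self.failures.pop(username, None)
        # Rotate the session: drop any pre-login ID and issue a fresh unguessable one.
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = {"user": username, "last_seen": now}
        return session_id

    def current_user(self, session_id):
        """Resolve a session ID to a user, expiring it if idle for too long."""
        now = self.clock()
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_seen"] > SESSION_IDLE_SECONDS:
            del self.sessions[session_id]    # inactivity invalidation
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id):
        self.sessions.pop(session_id, None)   # server-side invalidation on logout


if __name__ == "__main__":
    clock = ManualClock()
    svc = AuthService(clock=clock)
    svc.register("alice", "correct horse battery staple")
    sid = svc.login("alice", "correct horse battery staple")
    print("logged in as", svc.current_user(sid))
    clock.now += SESSION_IDLE_SECONDS + 1
    print("after idle timeout:", svc.current_user(sid))
```

The lockout here is keyed only by username; production systems usually combine that with per-source-IP rate limiting so that a single attacker cannot trivially lock legitimate users out, and store the counters somewhere shared across application instances.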
Testing
Verify that APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.
- OWASP ASVS: 1.2
- OWASP Testing Guide: Authentication Testing
Table of contents
- Broken Authentication in AWS
- Broken Authentication in Android
- Broken Authentication in CI/CD
- Broken Authentication in Go Lang
- Broken Authentication in Java
- Broken Authentication in Kubernetes
- Broken Authentication in NodeJS
- Broken Authentication in PHP
- Broken Authentication in Python
- Broken Authentication in Scala
- Broken Authentication in iOS