These days as we are heading more and more toward the digital world, we see more Web Applications and Cloud applications and hence is the need of the hour to understand Web Security. Data security and privacy are of the utmost importance in today’s world where data is the powering engine for almost everything in and around us. One such security threat that has topped the Web Application Security Threats list is Broken Authentication.
What is Broken Authentication?
Firstly let us understand what is authentication, Authentication is a process of verifying a user or device before allowing access to a system or resource.
Broken authentication attack as the name suggests, is an attack where an attacker tries to break into the system by gaining access to a User account. There are various methods which could lead to this like:
Weak password policies, Insecure Storage of Credentials, Insecure Session Management, Session Fixation, Insufficient Account Lockout, Session Timeout Issues, Insecure Password Recovery Mechanisms.
What, you don’t agree it is a big threat!
Well, I don’t just talk with words; I communicate with facts. Let me share a few of them here:
https://thehackernews.com/2016/12/yahoo-hacking.html?source=post_page—–12dee05291c9——————————–
I guess these many proofs are enough to understand that Broken Authentication is a big thing.
Understanding each of these attacking methods in detail
1. Weak Password Policies:
Let’s understand first what is a password policy. A password is made up of a number of characters which includes alphabets, numbers, and special characters. Similarly, passwords can vary in length. Many people prefer shorter passwords, typically around 4–5 characters, for easier memorization. All these rules collectively form your password policies.
Now let’s explore what weak password policies are and how they could lead to an attack:
- Short and Simple Passwords: Allowing passwords that are too short or easy to guess, like “1234” or “password.”
- Allowing Common Words: Allowing passwords that are common words or phrases, making them easier for attackers to guess, like “iloveyou”, “admin”, and “password123”.
- No Special Characters: Not requiring the use of special characters like !, @, or # in passwords, which makes them less complex.
- Not Checking Against Known Weak Passwords: Failing to check if the chosen password is commonly used or known to be weak.
- Lack of Multi-Factor Authentication (MFA): Not encouraging or enforcing the use of multi-factor authentication, which adds an extra layer of security beyond just a password.
- Using Personal Information: Allowing the use of personal information such as name, date of birth, website name, etc., like “john123”, or “ram1905”, makes it very easy to predict.
Many attackers use the Brute force attack, where they systematically try out all possible combinations of passwords until they find the correct one.
2. Insecure Storage of Credentials
“Insecure Storage of Credentials” refers to a security vulnerability where sensitive information like usernames and passwords is stored in an unsafe manner, making it susceptible to unauthorized access. Storing user passwords insecurely, such as storing them in plaintext or weekly hashed formats like SHA1 and MD5, may lead to vulnerabilities.
3. Insecure Session Management
A session is a period of time during which a user interacts with a website, application, or digital product after successfully logging in. Did you notice in banking sites or mobile apps, if you are not active for around 15–20 minutes and when you make any action it says “Your session has expired for security reasons. Please log in again to continue accessing your account.”
Now, just imagine, that if a hacker gains access to your session, they can perform actions on that website/app on your behalf. Very scary right?😨
Poorly managed session tokens can lead to vulnerabilities. For example, session tokens that are easily predictable or not securely generated may be subject to session hijacking.
4. Session Fixation
Session fixation occurs when an attacker sets a fake session before the legitimate users can log in. Now when the user tries to log in, they will use the same session cookie that the attacker already knows, and thus the attacker-owned cookie is now authenticated and can be exploited.
5. Insufficient Account Lockout
Insufficient Account Lockout or Insufficient Session Logout is a vulnerability that can be commonly found in web applications and APIs and occurs when a web application fails to properly terminate a user session, thereby allowing a hacker to reuse it and gain access to a valid user session.
6. Session Timeout Issues
The session timeout determines the time a user can remain idle before the session is terminated and the user must log in again.
Hence, Session Timeout Issues refer to security vulnerabilities that arise when a web application does not have an adequate session timeout which means the timeout duration of a user session in a web application is either too long or too short, leading to potential security risks. It can leave the user’s session open for an extended period, allowing unauthorized access to their account and sensitive information.
7. Insecure Password Recovery Mechanisms
Password Recovery is a mechanism that allows user to reset their password in case they find it difficult to access their account using their original password or they are unable to recall their original password. You can see most of the login forms have a ‘forgot password’ option at the bottom. Clicking on it takes you through the Password Recovery flow.
Insecure Password Recovery Mechanisms refer to vulnerabilities in the recovery method that allow an attacker to reset the password of another user without their consent. Insecure password recovery mechanisms may involve sending reset links over unencrypted email, allowing attackers to intercept them. Additionally, weak identity verification, easily guessable security questions, or failure to notify users of recovery attempts can compromise account security. For instance, if a recovery process lacks proper safeguards, an attacker might exploit it to gain unauthorized access to a user’s account.
Let me know your thoughts