Managing usernames and passwords has become a cumbersome task in today’s internet-driven world. However, this is a necessary evil due to the rapid growth in data, advancements in mobile and cloud technologies, and the growing number of security breaches that seem to happen every other day. As a result, authentication and session management have become more advanced to protect the data, systems, and networks that our society relies upon.
Although the management of authentication and active sessions has come a long way over the past decade, it is nowhere near perfect. In fact, according to the Open-Source Web Application Security Project (OWASP) Top 10, a list of the 10 biggest web vulnerabilities, Broken Authentication and Session Management holds the number two spot—making it an area that still needs significant focus and improvement. Since the OWASP list originated in 2004, Broken Authentication and Session Management has remained on the top 10 list, despite improvements in the technology itself.
Why broken authentication and session management matters
According to the most recent OWASP Top 10 list, “Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.” Attackers can manually detect broken authentication and then use automated tools to exploit these weaknesses.
These kinds of flaws can be extremely serious in web applications. They put businesses at a very high risk. Not only can they expose confidential data, but they can also open back doors into the company, which can be exploited by malicious attackers. Both internal and external attackers can take advantage of these flaws to steal accounts from others and impersonate users.
Once an account is hijacked, the attacker has the ability to do anything the account holder has permission to do, which can result in serious consequences affecting the company’s viability as a whole. An attacker only needs access to a few accounts or just a single admin account to compromise the application. Depending on the purpose of the application, damage can range from identity theft to the leaking of highly sensitive personal information (or worse).
There are numerous ways that an application may be vulnerable to these authentication and session management flaws. OWASP lists a number of reasons why an application may be vulnerable, including:
- Stored user authentication credentials aren’t protected with hashing or encryption.
- Credentials can be guessed or overwritten through weak account management functions.
- Session IDs are exposed in the URL.
- Session IDs are vulnerable to session fixation attacks.
- Session IDs don’t time out, or user sessions or authentication tokens, particularly single sign-on tokens, aren’t properly invalidated during logout.
- Session IDs aren’t rotated after a successful login.
- Passwords, session IDs, and other credentials are sent over unencrypted connections.
How to protect your application
The best way to protect your application from broken authentication is through a variety of application security solutions that address this issue. It is essential to address security throughout the application development lifecycle, beginning with design and continuing throughout the life of the product. The exact type and scope of your application will dictate the best steps to take to prevent broken authentication and session management issues, but there are general best practices that should be followed in every deployment:
- Use multi-factor authentication when possible.
- Do not deploy an application that contains any default credentials.
- Test the application for weak passwords.
- Implement strong password policies, which include character and length requirements, along with a set interval at which passwords must be changed.
- Limit failed login attempts and create an alert system to notify the appropriate individuals when a possible session attack is underway.
- Do not store session IDs in the URL; they should be securely stored and invalidated after a user logs out of the application.
- Use a secure session manager that creates a unique session ID after each login.
- Conduct thorough application security testing to verify that user credentials and session IDs are properly protected.
- Set appropriate session timeouts.
- Follow the OWASP Application Security Verification Standard as a baseline for creating a secure application.
- Implement a single set of strong authentication and session management controls.
- Use an SSL (Secure Sockets Layer) certificate or a VPN (Virtual Private Network) to encrypt data.
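The session-handling items from both lists above (no session IDs in URLs, a fresh ID at login, timeouts, invalidation at logout), shown as an added example that is not from the original article. The class name, cookie name and timeout values are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed idle limit, in seconds
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed maximum session lifetime, in seconds


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def _new(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "seen": now}
        return sid

    def start_anonymous(self):
        return self._new(user=None)

    def login(self, old_sid, user):
        # Rotate: drop the pre-login ID so an ID that was fixated or
        # leaked before login never becomes an authenticated session.
        self._sessions.pop(old_sid, None)
        return self._new(user)

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]       # expired: invalidate server-side
            return None
        s["seen"] = now
        return s["user"]

    def logout(self, sid):
        # The ID is dead on the server even if the browser keeps the cookie.
        self._sessions.pop(sid, None)


def cookie_header(sid):
    # Cookie transport keeps the ID out of URLs, logs and Referer headers.
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```
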
Testing for broken authentication and session management (along with other potential application vulnerabilities) may seem daunting, but there are tools that streamline the AppSec testing process. An Application Vulnerability Manager correlates the results from a myriad of AppSec tools, so your team does not have to waste time sorting through and comparing results.
Instead, you get one report in a standard format that arms you with the information needed to identify which application vulnerabilities are real and exploitable. This type of tool not only helps identify broken authentication issues, but it improves the security of your application across all vulnerabilities.
When it comes to authentication, there are some more sophisticated options becoming more popular that are worth mentioning:
Two-factor authentication
Two-factor authentication is exactly what the name implies: the requirement of two steps in the authentication process. The first step is typically a password, while the second requirement could be a number of options. It may be an SMS message, a code generated by an authentication app, or even a fingerprint.
Obviously, two-factor authentication increases security and makes it more difficult for an attacker to gain access. The right combination of authentication requirements depends on such factors as ease of use and, of course, security. Applications requiring higher levels of security should opt for a combination that is more difficult to breach.
Single sign-on (SSO)
Single sign-on (SSO) authentication is the use of a single service to authenticate users’ access across multiple accounts. This can be accomplished through an SSO website that verifies the user’s identity or through a third-party federated services provider.
The latter approach allows organizations to hand off authentication issues to a company that specializes in that area. SSO authentication also provides a better user experience, since users do not need to log in to multiple systems and remember various username and password combinations. When selecting a provider, we recommend avoiding a password-based solution, as these are less secure and can give an attacker access, with one password, to many of your systems.
Risk-based authentication (RBA)
Thanks to machine learning technology, applications can monitor a user’s behavior and identify patterns relating to when they normally log in (or out), which device(s) they normally use, and the typical actions they perform in the app. Deviations from these norms generate a risk score that triggers a series of actions, ranging from requiring the user to respond to challenge questions or prove ownership of a questionable device to requiring admin approval for access. RBA is being adopted by more organizations given the added protection it affords for authentication.
While there is a lot to cover to protect your application against broken authentication and session management, it is well worth the effort—and necessary. Organizations cannot afford to deal with the fallout from an authentication breach, especially if it results in compromising sensitive information. Fortunately, following the tips laid out here and using tools to streamline the process and track progress makes it easier to build a secure application.