A2: Broken Authentication

Vivek Kamisetty
Oct 24, 2020

What Is Broken Authentication?

Broken Authentication is a broad category that bundles a number of related security flaws. Any flaw associated with authentication or session management falls into the broken authentication category.

These days almost every website requires users to log in before they can use its services, and the login usually consists of a username and an associated password. A correct pair of credentials results in a unique session ID being issued to the account holder; if any part of that process is implemented badly, accounts can be compromised and misused.

Put simply, broken authentication means bypassing the authentication step, or the session handling that follows it, to take over accounts on the web application.

How Is The Application Vulnerable?

There may be authentication weakness if the application is:

▪️ Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords (typically leaked from another breach).

▪️ Permits brute-force or other automated attacks.

▪️ Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin“.

▪️ Has missing or ineffective multi-factor authentication.

▪️ Exposes Session IDs in the URL.

▪️ Does not rotate Session IDs after successful login.

How To Prevent?

▪️ Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

▪️ Do not ship or deploy with any default credentials, particularly for admin users.

▪️ Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.

▪️ Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not appear in the URL; they should be stored securely and invalidated after logout and after idle and absolute timeouts.
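To make the prevention items above concrete, here is an added example of a login and session manager that applies them together: it rejects well-known passwords at registration, hashes with scrypt, delays a username with a doubling back-off once it has accumulated too many failures, logs and alerts on that, issues a fresh 256-bit session ID on every successful login, and enforces idle and absolute timeouts plus server-side logout. This is example code written for this page, not code from the article or from OWASP. The in-memory dictionaries, the injectable clock, the timeout and lockout values, and the short banned-password list are all assumptions made so the example runs offline; a real deployment would use a server-side session store and a full breached-password list.

```python
import hashlib
import hmac
import os
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session is dropped (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap on session lifetime regardless of activity (assumed policy)
MAX_FAILURES = 5                 # failures per username before delays kick in (assumed policy)
MIN_PASSWORD_LENGTH = 12
# Constructed sample of well-known passwords; a real deployment would check a full breach list.
BANNED_PASSWORDS = {"password1", "password", "admin", "123456", "qwerty", "letmein"}


def hash_password(password, salt=None):
    """scrypt (standard library) with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so timeouts can be tested without sleeping
        self.users = {}          # username -> (salt, digest)
        self.failures = {}       # username -> (failure_count, earliest_next_attempt)
        self.sessions = {}       # session_id -> {"user", "created", "last_seen"}
        self.log = []            # events an operator would ship to the SIEM

    def register(self, username, password):
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in BANNED_PASSWORDS:
            raise ValueError("weak or well-known password rejected")
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Returns a fresh session ID on success, None on any failure."""
        now = self.clock()
        count, not_before = self.failures.get(username, (0, 0))
        if now < not_before:
            self.log.append("login_delayed user=%s retry_after=%.0fs" % (username, not_before - now))
            return None
        record = self.users.get(username)
        # Hash even for unknown users so an attacker cannot enumerate accounts via response time.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 64)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            count += 1
            # No delay for the first MAX_FAILURES-1 failures; from then on it doubles: 2, 4, 8 ... s.
            delay = 0 if count < MAX_FAILURES else 2 ** (count - MAX_FAILURES + 1)
            self.failures[username] = (count, now + delay)
            self.log.append("login_failed user=%s count=%d" % (username, count))
            if count >= MAX_FAILURES:
                self.log.append("ALERT possible brute force or credential stuffing user=%s" % username)
            return None
        self.failures.pop(username, None)
        # New high-entropy ID (256 bits) on every successful login, never carried over from before login.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Maps a session ID (from a cookie, never the URL) to a username, enforcing both timeouts."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT or now - session["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Server-side invalidation: deleting the cookie on the client is not enough."""
        self.sessions.pop(sid, None)
```

Two details are worth noting. The failure counter is keyed by username and is incremented for unknown usernames too, so credential stuffing against a list of accounts trips the alert whether or not the accounts exist. And the session ID is created only after the password check succeeds, which is what "rotate the session ID after login" means in practice: any ID the browser held before login is simply never accepted as authenticated.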

Some Widely Known Vulnerabilities:

Vulnerabilities in password-based login:

For websites that adopt a password-based login process, users either register for an account themselves or they are assigned an account by an administrator.

This account is associated with a unique username and a secret password, which the user enters in a login form to authenticate themselves. In this scenario, the mere fact that they know the secret password is taken as sufficient proof of the user’s identity.

Consequently, the security of the website is compromised as soon as an attacker is able to obtain or guess the login credentials of another user.

Vulnerabilities in multi-factor authentication:

While it is sometimes possible for an attacker to obtain a single knowledge-based factor, such as a password, being able to simultaneously obtain another factor from an out-of-band source is considerably less likely. For this reason, two-factor authentication is demonstrably more secure than single-factor authentication. However, as with any security measure, it is only ever as secure as its implementation. Poorly implemented two-factor authentication can be beaten, or even bypassed entirely, just as single-factor authentication can.

It is also worth noting that the full benefits of multi-factor authentication are only achieved by verifying multiple different factors. Verifying the same factor in two different ways is not true two-factor authentication. Email-based 2FA is one such example. Although the user has to provide a password and a verification code, accessing the code only relies on them knowing the login credentials for their email account. Therefore, the knowledge authentication factor is simply being verified twice.
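The point that two-factor authentication is only as strong as its implementation can be shown with the verification step rather than the code itself. The added example below, written for this page and not taken from the article, implements a standard TOTP code (RFC 6238, HMAC-SHA1, 30-second step, 6 digits, checked against the RFC test vectors) and then two ways of checking it: a weak `verify_unlimited` that lets the attacker keep guessing, which turns a 6-digit code into a lottery with at most a million tickets, and a hardened `verify` that counts wrong attempts, discards the pending login after a few, and never accepts the same challenge twice. The challenge store, the attempt limit, the one-step drift window and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

STEP = 30                # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
MAX_OTP_ATTEMPTS = 3     # assumed policy: three wrong codes and the pending login is discarded


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the 8-byte big-endian time counter."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SecondFactorGate:
    """Holds logins that have passed the password step but still owe the second factor."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # challenge_id -> {"user", "secret", "attempts"}

    def start(self, challenge_id, user, secret):
        self.pending[challenge_id] = {"user": user, "secret": secret, "attempts": 0}

    def _matches(self, secret, code):
        """Accept the current step and one step either side to tolerate clock drift."""
        now = int(self.clock())
        candidates = [totp(secret, now + d * STEP) for d in (-1, 0, 1)]
        # compare_digest so response timing does not reveal how many leading digits matched
        return any(hmac.compare_digest(code.encode(), c.encode()) for c in candidates)

    def verify_unlimited(self, challenge_id, code):
        """WEAK: no attempt counter, so an attacker can simply iterate all 10**DIGITS codes."""
        p = self.pending.get(challenge_id)
        if p is None:
            return None
        if self._matches(p["secret"], code):
            del self.pending[challenge_id]
            return p["user"]
        return None

    def verify(self, challenge_id, code):
        """Hardened: wrong guesses are counted and the challenge is burned after MAX_OTP_ATTEMPTS."""
        p = self.pending.get(challenge_id)
        if p is None:
            return None
        if self._matches(p["secret"], code):
            del self.pending[challenge_id]          # one challenge, one success, no replay
            return p["user"]
        p["attempts"] += 1
        if p["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[challenge_id]          # user has to redo the password step
        return None
```

Note that the user whose second factor is being checked is taken from the server-side pending record, not from anything the client sends with the code, so the code for one account cannot be presented to finish a login for another.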

Vulnerabilities in other authentication mechanisms:

In addition to the basic login functionality, most websites provide supplementary functionality to allow users to manage their account. For example, users can typically change their password or reset their password when they forget it. These mechanisms can also introduce vulnerabilities that can be exploited by an attacker.
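For the password-reset case mentioned above, the properties a reset token needs are easy to state and easy to get wrong: it must be unguessable, expire, work only once, and decide on its own which account it resets. The added example below (written for this page, not the article's code) issues such tokens and redeems them. It stores only a hash of each token, so a leaked database cannot be turned into working reset links, and the account to change is read from the stored record rather than from any field the requester supplies. The in-memory store, the 15-minute lifetime, the injectable clock and the caller-supplied `set_password` callback are assumptions; delivering the token to the user out of band is not modelled.

```python
import hashlib
import secrets
import time

RESET_TTL = 15 * 60   # assumed policy: a reset token is valid for 15 minutes


class PasswordReset:
    """Issues and redeems single-use, expiring password-reset tokens."""

    def __init__(self, set_password, clock=time.time):
        self.set_password = set_password   # caller-supplied: stores the new password hash
        self.clock = clock
        self.tokens = {}                   # sha256(token) -> {"user", "expires"}

    @staticmethod
    def _key(token):
        # Only a hash is stored; the raw token exists solely in the message sent to the user.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, user):
        """Returns the raw token for the out-of-band message; any older token for the user is superseded."""
        self.tokens = {k: v for k, v in self.tokens.items() if v["user"] != user}
        token = secrets.token_urlsafe(32)   # 256 bits of randomness from the OS CSPRNG
        self.tokens[self._key(token)] = {"user": user, "expires": self.clock() + RESET_TTL}
        return token

    def complete(self, token, new_password):
        """The account to change comes from the token record, never from a user-supplied field."""
        entry = self.tokens.pop(self._key(token), None)   # consumed on first use, success or not
        if entry is None or self.clock() > entry["expires"]:
            return False
        self.set_password(entry["user"], new_password)
        return True
```

The `set_password` callback is where the new password would go through the same strength checks as registration; a reset path that skips those checks quietly reintroduces the weak passwords the login form rejects.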


Vivek Kamisetty

aka Mr_UnKnOwN | CTF player | Reverse Engineer | @teambi0s