Owasp Top 10:A2: Broken Authentication (Impact and Mitigation)
What is Broken Authentication?
Broken Authentication is a vulnerability that is usually found when a web application grants a user unauthorized access. The weakness may lie in how user authentication credentials, session IDs and similar data are handled. Authentication and session management cover all aspects of handling user authentication and managing active sessions.
Authentication in web applications is mostly used to control users’ access to specific information. The most common security risks related to authentication and session management are password theft, stealing session tokens and impersonating legitimate users. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, session tokens, or keys, or to exploit other implementation flaws to assume other users’ identities.
Business Impact of Broken Authentication
Consider the business value of the compromised data or application functions. Also, consider the business impact of public exposure of the vulnerability.
Technical Impact of Broken Authentication
Attackers only have to gain access to a few accounts, or to just one admin account, to compromise the system. Depending on the domain of the app, this may allow money laundering, social security fraud and identity theft, or disclose legally protected, highly sensitive information.
Mitigation for Broken Authentication
- Password Size: The minimum password length should be at least eight (8) characters. Combining length with complexity makes a password difficult to guess with a brute-force attack.
- Password complexity: Passwords should be a combination of alphanumeric characters: letters, numbers, punctuation marks and conventional symbols.
- Username or Password Enumeration: Authentication failure responses should not indicate which part of the authentication data was incorrect. For example, instead of showing either “Invalid username” or “Invalid password”, just use “Invalid username and/or password” for both. The error response must be identical in both the displayed text and the page source.
- Protection against brute-force login attacks: Disable the account after an established number of invalid login attempts (five attempts is common). The account should be deactivated for some period of time to discourage brute-force guessing of credentials, but not for so long that the lockout itself can be used to perform a denial-of-service attack.
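The four mitigations above combined in one login routine, as an added example that is not part of the original post: a minimum-length and character-mix password policy, a single generic failure message for unknown users, wrong passwords and locked accounts alike, and a temporary lockout after five failures. The in-memory user store, the user `alice`, her password and the lockout duration are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

LOCKOUT_THRESHOLD = 5        # invalid attempts before the account is temporarily disabled
LOCKOUT_SECONDS = 15 * 60    # assumption: long enough to slow guessing, short enough to limit DoS
GENERIC_ERROR = "Invalid username and/or password"   # identical text for every failure case


def password_meets_policy(password: str) -> bool:
    """At least 8 characters with both letters and digits (the policy from the list above)."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a per-user salt; a slow KDF raises the cost of offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "failures": 0, "locked_until": 0.0}


# Constructed sample store: a dict stands in for the user database.
USERS = {"alice": _record("correct horse 42")}
# Dummy record so unknown usernames run the same KDF and take the same time as real ones.
_DUMMY = _record(secrets.token_hex(16))


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). The message never reveals which field was wrong."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    if record["locked_until"] > now:
        return False, GENERIC_ERROR          # locked accounts fail identically: no "account locked" hint
    candidate = hash_password(password, record["salt"])
    if user is not None and hmac.compare_digest(candidate, record["hash"]):
        user["failures"] = 0                 # successful login clears the failure counter
        return True, "OK"
    if user is not None:
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
    return False, GENERIC_ERROR
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production it is simply omitted.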