Broken Authentication and Session Management

Introduction to Broken Authentication and Session Management


Image taken from Auth0

Introduction

Broken Authentication can be understood as a set of vulnerabilities an attacker can exploit to impersonate a user on an online site. Authentication flaws remain one of the most widespread areas of exploitation in web security. These weaknesses arise from improper handling of user credentials and sessions. Before taking up this topic, I would recommend that readers research these areas thoroughly, since plenty of resources are available online.

These kinds of flaws put a business at high risk. Once an account is compromised, the attacker can do anything the account owner can, which can have serious consequences. And if the account happens to be an administrator account with total control, it is essentially game over.

Types of Attacks to exploit Authentication flaws:

  • Credential Stuffing: When attackers gain access to a database with unencrypted credentials, they usually sell these lists to other attackers. Reusing the same credentials on multiple websites makes users vulnerable to automated login attempts that replay these lists. There are also lists available online of the most commonly used passwords across most sites (examples include the evergreen and beloved ‘password’ and ‘123456’; ‘123456’ actually took the top spot in the most used passwords of 2020, with ‘password’ coming in at fourth).

  • Password Spraying: Involves using a list of common passwords to break into users’ accounts. You know how some websites lock us out after a limited number of attempts? Password spraying is immune to those mechanisms because, rather than trying multiple passwords against a single user’s account, it tries a single password against many accounts, one at a time.

  • Dictionary Attack: Method of breaking into an account by systematically entering every word in a dictionary (a wordlist) as the password.

  • Simple Brute Force Attack: An extremely popular method of trying to gain access to a system (those of you who’ve read Digital Fortress by Dan Brown will know). The attacker tries every possible combination of characters until the password is found. The more complex the password, the longer this takes, so certain guidelines are followed to make it impractical (for example, a minimum password length of 8 characters, and mixing in special characters, numbers, uppercase letters and so on).

MITIGATION:

Mitigating these flaws is relatively simple compared to mitigating session management flaws, and most resources are easily available online.

  1. Ideally passwords should be a mix of uppercase and lowercase letters, with numbers and special characters mixed in, and of sufficient length.
  • Also remember to change and update your login credentials frequently.
  • You can use a regular expression (regex) to check this.
Function code to check the password’s strength
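The following is an added example, not the code shown in the post's screenshot: a password strength check that applies each rule from item 1 with a regular expression and also rejects the most common passwords the post mentions. The rule set (8 characters minimum, lowercase, uppercase, digit, special character) and the short common-password list are assumptions for illustration; a real deployment would check against a full breached-password list.

```javascript
// Added example (not from the original post): password strength check with regular expressions.
// Policy assumed here: at least 8 characters, with lowercase, uppercase, digit and special character.
const PASSWORD_RULES = [
  { name: "minLength", test: (p) => p.length >= 8, message: "at least 8 characters" },
  { name: "lowercase", test: (p) => /[a-z]/.test(p), message: "a lowercase letter" },
  { name: "uppercase", test: (p) => /[A-Z]/.test(p), message: "an uppercase letter" },
  { name: "digit", test: (p) => /[0-9]/.test(p), message: "a digit" },
  { name: "special", test: (p) => /[^A-Za-z0-9]/.test(p), message: "a special character" },
];

// Constructed list of very common passwords (the post names 'password' and '123456');
// a real deployment would use a much larger breached-password list.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "12345678", "password1"]);

// Returns { ok, missing } where `missing` lists every requirement the password fails.
function checkPasswordStrength(password) {
  const failed = PASSWORD_RULES.filter((rule) => !rule.test(password)).map((rule) => rule.message);
  // Reject passwords on the common-password list even if they satisfy every character rule.
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    failed.push("not a commonly used password");
  }
  return { ok: failed.length === 0, missing: failed };
}

// Usage: reject the registration request and show the user which requirements are missing.
console.log(checkPasswordStrength("123456"));
console.log(checkPasswordStrength("Tr0ub4dor&3"));
```

Returning the full list of unmet requirements (rather than only a boolean) lets the registration form tell the user exactly what to fix, which reduces the temptation to pick a weak password that barely passes.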

2. When rejecting a login attempt, don’t mention which part was wrong, i.e. rather than displaying “invalid username” or “invalid password”, a more secure method is to display “incorrect username or password” so that attackers cannot tell which one was wrong.

3. Disable the account for a short time after a limited number of failed attempts. The lockout should be long enough to discourage brute force attacks, but not so long that it enables Denial of Service attacks, since an attacker could deliberately lock legitimate users out. (Denial of Service: flooding a target with traffic so that it is unable to receive requests and crashes.)

4. Salt and hash passwords before storing them in the database. (*NEVER STORE SENSITIVE INFORMATION IN PLAIN TEXT)

  • Salting refers to adding random data to the input of a hash function so that each hash is unique (this way identical passwords produce different hashes).
  • npm package used: ‘bcryptjs’
Hashing Passwords

5. Multi Factor Authentication: The vulnerability of passwords to credential stuffing and similar attacks demands an extra layer of security that is harder for attackers to fake, for example biometric scans or OTPs (one time passwords).

6. Inform a user every time someone logs into their account.

SESSION MANAGEMENT:

What is a Session? Essentially server-side storage of a user’s information so that activity on the website can continue across requests. A session ID is a unique token generated for a session; it makes sure that we do not have to log in again on every subsequent request.

  • There is clearly a danger here if you observe carefully. If an attacker gets hold of a user’s unique session ID, they can access that user’s account. Hence there is a need to generate secure IDs.
  • Sessions also need to be deleted after a certain period of time, according to need. For example, on a banking site it is reasonable for the session to be deleted within a few minutes of inactivity, whereas on websites where users expect to stay logged in (take Netflix as an example) sessions can persist for longer.
  • Suppose a user accesses an account on a public computer and does not log out, but simply closes the browser window and walks away. If an attacker uses the same browser an hour later, the initial user is still authenticated.
  • Developers need to make sure that session IDs are not visible in the URL, because this gives an attacker easy access to the session details.

Session Management requires developers to take care of protecting the session ID, session data during transit, managing session duration and more.

MITIGATION OF SESSION BASED ATTACKS:

A significant portion of my time has gone into mitigating these session management issues; we need to be careful about when the session gets deleted and/or created.

  1. Delete the session when the browser closes rather than waiting for the user to explicitly log out; however, don’t forget to delete the session on logout too.
  2. Protect the session cookies in transit: configure these cookies to be sent only over secure HTTPS connections.
  • This can be accomplished by adding the ‘Secure’ flag to your cookies.
  3. Prevent the cookies from being accessed by scripts (XSS attacks).
  • This can be accomplished by adding the ‘HttpOnly’ flag to your cookies.
Add the appropriate tags to the cookie(s)
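As an added example (not the code from the post's screenshot), the function below builds a Set-Cookie header with the Secure and HttpOnly flags from items 2 and 3, and a second function audits an existing Set-Cookie header so a reviewer can spot a session cookie that is missing them. The cookie name, the `__Host-` prefix, and the SameSite=Strict attribute are my additions: `__Host-` is a standard cookie-name prefix that browsers only accept when the cookie is Secure, has Path=/ and no Domain attribute, so it cannot be set over plain HTTP.

```javascript
// Added example, not from the original post: building a hardened session cookie and auditing
// an existing Set-Cookie header for the flags the post recommends (Secure, HttpOnly).
function buildSessionCookie(sessionId, { maxAgeSeconds = null } = {}) {
  const parts = [
    `__Host-sid=${encodeURIComponent(sessionId)}`, // __Host- prefix: browser rejects it unless Secure + Path=/
    "Path=/",
    "Secure",          // item 2: only sent over HTTPS
    "HttpOnly",        // item 3: not readable from document.cookie, so XSS cannot simply read it
    "SameSite=Strict", // not attached to cross-site requests
  ];
  // Omitting Max-Age makes it a session cookie the browser discards when it closes (item 1).
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join("; ");
}

const REQUIRED_ATTRIBUTES = ["Secure", "HttpOnly", "SameSite"];

// Parses one Set-Cookie header value and reports which required attributes are absent.
function auditSetCookie(header) {
  const [, ...attrs] = header.split(";").map((s) => s.trim());
  const names = attrs.map((a) => a.split("=")[0].toLowerCase());
  const missing = REQUIRED_ATTRIBUTES.filter((req) => !names.includes(req.toLowerCase()));
  return { secure: missing.length === 0, missing };
}

// Usage: a constructed weak header next to the hardened one.
console.log(auditSetCookie("sessionid=abc123; Path=/"));      // missing Secure, HttpOnly, SameSite
console.log(auditSetCookie(buildSessionCookie("abc123")));    // { secure: true, missing: [] }
```

The audit function is the kind of check worth running against a staging server's responses: it takes the raw header text, so it works on output captured from any framework.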

SESSION HIJACKING: Exploitation of the web session control mechanism, which is normally managed through a session token (OWASP definition). In layman’s terms, it’s when a user’s session is taken over by an attacker.

  • A vulnerable application does not generate a new session ID upon login, leaving the app open to session hijacking if an attacker gets hold of the cookie carrying the session ID.

To mitigate this attack, regenerate the session ID upon login so that the old session ID is rendered useless: the logged in user receives a new session ID, so even if an attacker got hold of the earlier session cookie it is of no use.
