Eilon Elhadad
Apr 11 · 10 min read
Logging in to websites to access your accounts isn’t as secure as you might think. Your username and password are supposed to help secure all sensitive data, be it your credit card number, personal info, or any critical corporate data. However, an attacker can impersonate your virtual identity, thereby gaining access to your account, through vulnerabilities you could be unaware of. There are multiple root causes that lead to such attacks, like when an attacker gains unauthorized access by stealing credentials or forging session data. Termed as ‘Broken Authentication’, this vulnerability is one of the most widely used attack vectors in recent cybersecurity history. In fact, it managed to climb to the number 2 spot in the ‘OWASP Top 10’ Web Application Security list in 2017 & 2020.
When you log in to a website, your virtual identity is secured by the web server that generates a unique session ID for your connection. This session ID is used as a key throughout the period of your logged-in session. There is constant data exchange between your system and the web server, which, if unencrypted, can be easily intercepted. This will enable an attacker to hijack your session, forge the session ID or even steal your credentials. Session IDs are used in the format of cookies and URL endpoints. That is why Broken Authentication is always coupled with Session Management exploitation.
Broken authentication is quite often confused with Broken Access Control. The major difference is, while authentication is focused on validating your virtual identity, Access Control includes what privileges you should or should not be having after your login. Broken Access Control is another Top 10 OWASP vulnerability, through which unauthorized website visitors can view or gain control of admin panels, servers, or even critical databases, all through elevated privileges.
When access and identity controls are improperly designed and configured, web applications become more prone to Broken Authentication. The associated risk factors involve:
Usually, login credentials are stored in databases in an encrypted format. If the stored credentials are exposed in plain text, without any security protocols or weak hashing algorithms, attackers are bound to discover them and make use of this vulnerability.
During the authentication process, in case of an error, the application should not indicate which parameter is wrongly entered. Say if you provide the username correctly and mistype the password, the application should mention ‘Invalid Username or Password’ instead of just ‘Invalid Password’. This can give an attacker the required hint to proceed with bypassing the authentication.
If the session ID is exposed in the URL itself, then it can easily be rewritten or modified, and your session can be forged. This process is also known as URL rewriting.
Unencrypted or poorly managed session IDs are vulnerable, making it convenient for attackers to gain control of your valid session. This is known as a Session Fixation attack. You are then manipulated to use the session as per the purpose of the attacker.
If an inactive session does not time out or the session value fails to get invalidated after logout, the session ID can be compromised by lurking attackers.
You should enable account locking/disabling after a maximum number of invalid login attempts are made. In banking websites, the threshold is set to 3 attempts, while for a few other applications, the norm is 5 attempts. After the said threshold is reached, your account should be disabled for a certain time to put off a brute force attack.
An API (Application Programming Interface) is used to enable intercommunication between multiple applications. While configuring such API Security, it is not feasible to prompt users or systems for their login credentials. Implementing any authentication factor in an API would also require frequent manual intervention. Hence, authentication in APIs is usually done through access tokens that are integrated within each API call, for user authentication. This mechanism is what attackers prefer to target in advanced attacks. Publicly available APIs are the prime targets.
Some APIs may not have any authentication mechanism, as developers overlook its requirements, especially if the API endpoints are intended for unauthorized direct application communication. This makes it fairly simple for attackers to leverage this risk factor and use such weak API keys to exploit your account.
Authentication specific APIs should regard access security with the highest priority, by stacking additional security layers with hardened authentication tokens to prevent any unauthorized access.
Each API is designed to serve a specific purpose and system. Ignoring its intended mechanism and potential attack vectors might do more harm than good.
There could be a number of technical factors causing broken authentication in APIs, a few of which are:
APIs are primarily used for direct API communication or system communication. The authentication mechanism or session values in these APIs could be exploited to gain unauthorized access to your account. Similar attacks are also executed on cloud-native applications by compromising the workload authentication and API metadata services at the server-end.
Among the methods used by attackers, a few of the most common Broken Authentication attacks include
Whenever using any web application, you should always change the default credentials. Suppose you install a DevOps web app, integrate it with other services, and use it without bothering to change its default username and password. As soon as an attacker discovers which version of the application you are using, the first thing tried will be to use the default credentials to access the admin account. Once that is done all your sensitive data is compromised. System Administrators should take extra care in ensuring that the default credentials are always changed.
Similar to a brute force attack, in credential stuffing, attackers could have already gained access to your database through exploiting a vulnerability. Using that database, several credential combinations are attempted for user authentication, and they can eventually access your accounts.
At times, the credentials provided during the application authentication process are not properly cross-checked with the credential values in the application database. This lack of validation allows an attacker to bypass the authentication process completely.
Common passwords can easily be guessed by an attacker and when combined with a Brute Force attack, the login can be bypassed to access your account. The same goes for default passwords.
In this technique, an attacker can gain control of your authenticated session by stealing, guessing or forging the session ID and thus impersonating your virtual identity.
After you log in to an application, the web server generates a unique session ID for your session, in the form of authentication tokens, URL parameters, or cookies. At times, if the proper parameters are not defined for session management during the development process, attackers discover vulnerabilities and hijack your session.
More often than not, a Broken Authentication vulnerability is discovered either during a testing/audit process or after an attack has already occurred. This is why it is always recommended for developers and security engineers to carry out periodic security audits and manual security testing of the web applications. Disciplined security checks are always better than dealing with the aftermath of an attack. Prevention is always better than cure. The first step would be to run tests to check if your web application has any vulnerabilities. If it does, define processes that can be implemented to mitigate those.
| Application Vulnerability | Preventive Action |
| Automated attacks like credential stuffing can be executed, with valid usernames and passwords available with the attacker. | Implement multi-factor authentication (MFA/2FA) for your users. |
| Brute force attacks on logins. | Set threshold for maximum failed login attempts consecutively. |
| Weak passwords can be predicted easily. | Do not deploy your applications with any default credentials. Instead, implement a policy to change the password after the first login and disable the reuse of any previous passwords. |
| Allowing a simple and poor password to be set. | Enforce strong password complexity for users, especially admin users. The rotation and complexity policies must be in accordance with the ‘NIST 800-63 B’s guidelines in section 5.1.1 for Memorized Secrets’. |
| Weak credential recovery process like common personal information questions; What was the name of your first pet, Your maiden name, and such. | The registration, recovery of credentials, and API endpoints should be secured and hardened to prevent account enumeration attacks. |
| Use of unencrypted/plain-text/weakly hashed passwords. | Failed login attempts should always be recorded in logs and notified to admin users. Modern encryption algorithms must be utilized. |
| Session IDs are not properly invalidated. Authentication/SSO tokens are not invalidated despite session logouts and inactive sessions. | In session management, random and unique session IDs should be generated with high-grade entropy. Session IDs should never be a part of the URL and must always be invalidated after each session logout, absolute timeout, and idle sessions. This goes without saying that the ID should also be complex and not easily predictable. |
Apart from these, you can also implement additional security checks to harden the web application.
Just like developers, QA testers and security engineers should follow the relevant security checklists to improve the safety of a web application.
Broken Authentication has been in the Top 10 list of OWASP for a long time because, despite growing security concerns in the industry, its significance and attack ramifications are often overlooked. Apart from developers, DevOps, and security engineers, end-users should also be instructed, trained, and made aware of authentication negligence associated risks. It is also the responsibility of engineering leaders to ensure proper cybersecurity and DevSecOps approaches are implemented. Automated tools and applications can be used to manage such attack vectors.
Argon has managed to single out attack interfaces using Broken Authentication, ensuring its customers can evade exploits for business continuity and uninterrupted productivity. Argon is a DevSecOps solution that can protect the entire SDLC from cyberattacks. From open-source code libraries and repositories to cloud resources, all such attack targets are protected by Argon. Try Argon to manage cyber vulnerabilities while ensuring a fast-paced software development process remains unhampered.
DevOps has evolved into a standard practice of software development. According to…
Logging in to websites to access your accounts isn’t as secure as…
Today’s businesses and enterprises are heavily dependent on software and applications for…
