Broken authentication and session management checks --------------------------------------------------------------------------------
Session IDs exposed in the URL can lead to session fixation attacks; this happens when developers pass the session ID as a value in the URL.
The session ID is the same before and after logout and login.
Session timeouts are not implemented correctly.
The application assigns the same session ID to each new session.
Check whether the authenticated parts of the application are protected with SSL and whether passwords are stored in hashed or encrypted form.
A session can be reused by a low-privileged user.
How to prevent broken authentication and session management vulnerabilities --------------------------------------------------------------------------------------------------------------
Implement multi-factor authentication to prevent automated attacks, credential stuffing, brute force and stolen-credential re-use.
Don't deploy with any default credentials, particularly for admin users.
Implement weak-password checks, testing new or changed passwords against a list of the top ten thousand worst passwords.
Align password length, complexity and rotation policies.
Ensure registration, credential recovery and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
Limit or delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force or other attacks are detected.
Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login.
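As an added example (not code from the original post), a minimal server-side session store in Python that implements the last item above and that the session checks in the first list can be exercised against: IDs come from the OS CSPRNG, the ID is rotated on login and destroyed on logout, and idle and absolute timeouts are enforced. The timeout values and the `clock` parameter are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds without a request before the session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on session lifetime even if active (assumed policy)

class SessionStore:
    """Server-side store: random IDs, rotated on login, destroyed on logout, expiring on timeouts."""
    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so timeouts are testable
        self._sessions = {}  # sid -> {"user", "created", "last_seen"}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG = 256 bits of entropy, URL-safe for a cookie value
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        """Issue a fresh session, anonymous unless a user is given."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the session record if the ID is valid and unexpired, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: purge so the ID can never be revived
            return None
        s["last_seen"] = now  # sliding idle window
        return s

    def login(self, old_sid, user):
        """Bind the user to a brand-new ID and kill the old one, so an ID fixed
        before login (session fixation) is worthless afterwards."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Destroy the session server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)

def rotates_on_login(store):
    """The check from the first list: the ID must differ before and after login."""
    before = store.create()
    after = store.login(before, "alice")
    return before != after and store.get(before) is None
```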