2. Broken authentication
Authentication and session management functions are implemented incorrectly.
What it is
Authentication is the process of confirming that the person accessing an account and its data is in fact that user (for example, by checking a username and password combination). Authentication grows more complex as a site, app, or device becomes bigger, broader, and more connected to other sites, apps, or devices.
How it works
Passwords can be easily guessed or stolen if left unprotected. Attackers look for places where user credentials or sessions lack adequate protection. Session IDs that are exposed in the URL end up in router logs and are prone to URL rewriting attacks. Credential stuffing can be performed using leaked password databases from other sites. See https://haveibeenpwned.com/ for a catalog of recent user account breaches.
Why it’s bad
If attackers can hijack a user's or an administrator's session, they have access to everything available within that account, from data to account control.
Countermeasures
Where possible, implement multi-factor authentication (MFA).
Do not ship or deploy with any default (admin) credentials.
Align password length, complexity, and rotation rules with modern password policies and algorithms.
Implement weak password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords.
Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks using the same messages for all outcomes.
Limit or increasingly delay subsequent failed login attempts. Use CAPTCHA.
Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
Web application session IDs or tokens should not be in the URL. They should be securely stored and invalidated after logout, idle, and absolute timeouts.
Broken authentication example
An attacker looks for ways to manipulate user credentials in order to gain access to the user's account.
Scenario 1
The login page publishes explicit, detailed password requirements, which tell an attacker exactly what a password must look like and so make it easier to guess.
Scenario 2
The application alerts the user of an invalid password entry, which inadvertently confirms that the user account exists.
Scenario 3
An "invalid email address" error tells the person entering login credentials that the password they supplied is correct.
Scenario 4
To maintain authentication security, a simple, secure error message should not hint at which input failed to authenticate or why.
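The following is an added example (not code from the original page) that puts three of the countermeasures above into one small login service: a weak-password check at registration, a single generic failure message with a dummy hash check so unknown usernames and wrong passwords behave alike (the enumeration problem in scenarios 2 to 4), and an increasing delay after repeated failures. The worst-password list and the user store are constructed in-memory stand-ins for a real top-10,000 list and database.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample; a real deployment loads the full top-10,000 worst-password list.
WORST_PASSWORDS = {"123456", "password", "qwerty", "letmein", "admin"}
GENERIC_FAILURE = "Invalid username or password."   # same text for every failure cause
ITERATIONS = 100_000                                 # PBKDF2 work factor (kept modest for the demo)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthService:
    def __init__(self) -> None:
        self.users = {}        # username -> (salt, hash); stands in for a database table
        self.failures = {}     # username -> (failure count, earliest next allowed attempt)
        # Dummy credential verified whenever the username is unknown, so an unknown user
        # costs the same hashing time as a wrong password (no timing-based enumeration).
        self._dummy = hash_password("dummy-password-never-accepted")

    def register(self, username: str, password: str) -> Tuple[bool, str]:
        if len(password) < 12 or password.lower() in WORST_PASSWORDS:
            return False, "Password is too short or appears on a list of commonly used passwords."
        self.users[username] = hash_password(password)
        return True, "ok"

    def login(self, username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        count, not_before = self.failures.get(username, (0, 0.0))
        if now < not_before:
            return False, GENERIC_FAILURE   # throttled, but indistinguishable from a bad password
        salt, stored = self.users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # compare_digest runs in constant time; the membership check rejects the dummy account.
        if hmac.compare_digest(candidate, stored) and username in self.users:
            self.failures.pop(username, None)
            return True, "ok"
        count += 1
        # Increasing delay after each failure: 0, 1, 2, 4, 8 ... seconds, capped at 5 minutes.
        # Unknown usernames are throttled too, so lockout behaviour does not reveal existence.
        delay = min(2 ** (count - 2), 300) if count >= 2 else 0
        self.failures[username] = (count, now + delay)
        return False, GENERIC_FAILURE
```

Pass `now` explicitly to exercise the throttling deterministically; in production the wall clock is used and the counters would live in shared storage rather than a dictionary.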