As the name indicates, broken authentication and session management risks stem from flaws in how user authentication and session management are implemented. An attacker exploits these flaws mainly to impersonate other users and perform malicious or unintended operations on their behalf.
According to the Open Web Application Security Project (OWASP), this is the second-highest-ranked web security risk in the OWASP Top 10 and is widespread. It covers a broad category of attacks, all of which aim to compromise a user's identity.
Typical attack scenarios include guessing weak account passwords, reusing passwords stolen in database breaches, stealing active session IDs from a victim's browser or network traffic, and exploiting bugs in password management features such as password change or forgotten-password recovery.
Let’s dive deeper into specific attack mechanics and mitigations.
Even though two-factor authentication is safer and its adoption is growing, requiring a valid user ID and password combination to log in remains the most commonly used authentication mechanism.
A study of 2,260 confirmed breaches in 2015 (the Verizon 2016 Data Breach Investigations Report) found that 63 percent involved weak, default, or stolen passwords. The safety of user accounts therefore hinges on protecting these credentials, above all passwords, from attackers.
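The following is an added example (not code from the original article) showing why "passwords stolen from database breaches" are so damaging when the application stores them badly, and what the stored form should look like instead. The leaked table, the wordlist and the user names are constructed for the demonstration; the PBKDF2 iteration count is the order of magnitude OWASP's Password Storage Cheat Sheet recommends for PBKDF2-HMAC-SHA256 at the time of writing, and is an assumption you should check against current guidance.

```python
import hashlib
import hmac
import os

# Constructed sample "breached" user table: unsalted, fast MD5 hashes, the
# kind of storage that turns a database dump into an offline guessing game.
LEGACY_DUMP = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3-xK9!").hexdigest(),
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def crack_unsalted_md5(dump, wordlist):
    """Offline dictionary attack against unsalted hashes.

    With no salt, each candidate word is hashed once and compared against
    every account at the same time, so every user who picked a wordlist
    password falls immediately. Returns {username: recovered_password}.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


# Assumed iteration count (OWASP guidance for PBKDF2-HMAC-SHA256 at time of writing).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a password as a salted, iterated PBKDF2-HMAC-SHA256 record.

    A 16-byte random salt per user defeats the shared-lookup attack above,
    and the iteration count makes each guess expensive for the attacker.
    The record is self-describing so parameters can be raised later.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and parameters and
    compare in constant time so the check does not leak timing information."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Two of three constructed accounts fall to a five-word dictionary.
    print("cracked from legacy dump:", crack_unsalted_md5(LEGACY_DUMP, WORDLIST))
    # Same password, two records, two different salts and hashes.
    r1, r2 = hash_password("password123"), hash_password("password123")
    print("records differ:", r1 != r2)
    print("verify ok:", verify_password("password123", r1))
    print("verify wrong:", verify_password("letmein", r1))
```

Note that salting alone does not rescue a fast hash: an attacker still gets millions of guesses per second per account, which is why the slow, tunable key derivation is the part that actually protects "password123"-class credentials after a breach.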
Let’s go through attacks targeting the authentication mechanism and look at some mitigations.