
Securing Node Applications by Chetan Karande


Chapter 2. Broken Authentication and Session Management

As the name indicates, broken authentication and session management risks target flaws in user authentication and session management implementation. An attacker can exploit these flaws mainly to impersonate other users and perform malicious or unintended operations on their behalf.

According to the Open Web Application Security Project (OWASP), this is the second most critical web application security risk, and it is widespread. It encompasses a broad category of attack mechanics, all related to compromising a user’s identity.

The typical attack scenarios include exploiting weak account passwords, passwords stolen from database breaches, active session IDs stolen from a victim user’s browser or network communication, or bugs in password management features such as changing or recovering a forgotten password.

Let’s dive deeper into specific attack mechanics and mitigations.

Securing the Authentication Mechanism

Even though two-factor authentication is safer and experiencing increasing adoption, requiring a valid user ID and password combination to log in is still the most commonly used authentication mechanism.

According to a study of 2,260 confirmed breaches in 2015, 63 percent involved weak, default, or stolen passwords. Thus, the safety of user accounts hinges on protecting these credentials, mainly passwords, from attackers.

Let’s go through attacks targeting the authentication mechanism and look at some mitigations.

Password Cracking

Password ...
