
Securing Node Applications by Chetan Karande


Chapter 2. Broken Authentication and Session Management

As the name indicates, broken authentication and session management risks stem from flaws in how user authentication and session management are implemented. An attacker can exploit these flaws mainly to impersonate other users and perform malicious or unintended operations on their behalf.

The typical attack scenarios include exploiting weak account passwords, passwords stolen from database breaches, active session IDs stolen from a victim user’s browser or network communication, or bugs in password management features such as changing or recovering a forgotten password.

Let’s dive deeper into specific attack mechanics and mitigations.

Securing the Authentication Mechanism

Even though multifactor authentication is safer and experiencing increasing adoption, requiring a valid user ID and password combination to log in is still the most commonly used authentication mechanism.

According to a study of 2,260 confirmed breaches in 2015, 63 percent involved weak, default, or stolen passwords. Thus, the safety of user accounts hinges on protecting these credentials, mainly passwords, from attackers.

Let’s go through attacks targeting the authentication mechanism and look at some mitigations.

Password Cracking

Password cracking is equivalent to a burglar picking the lock on the front door of a house to break in. Password cracking isn’t always as difficult as one would expect, given the various tools and techniques that are available to automate the ...
