Chapter 2. Broken Authentication and Session Management

As the name indicates, this risk category covers flaws in how an application authenticates users and manages their sessions. An attacker exploits such flaws mainly to impersonate other users and perform malicious or unintended operations on their behalf.

Typical attack scenarios include guessing weak account passwords, reusing passwords stolen in database breaches, stealing active session IDs from a victim's browser or network traffic, and abusing bugs in password-management features such as changing a password or recovering a forgotten one.

Let’s dive deeper into specific attack mechanics and mitigations.

Securing the Authentication Mechanism

Even though multifactor authentication is safer and increasingly adopted, requiring a valid user ID and password combination to log in is still the most commonly used authentication mechanism.

According to a study of 2,260 confirmed breaches in 2015, 63 percent involved weak, default, or stolen passwords. The safety of user accounts therefore hinges on protecting these credentials, above all passwords, from attackers.

Let’s go through attacks targeting the authentication mechanism and look at some mitigations.

Password Cracking

Password cracking is equivalent to a burglar picking the lock on the front door of a house to break in. Password cracking isn’t always as difficult as one would expect, given the various tools and techniques that are available to automate the ...
