The Open Web Application Security Project (OWASP) is a not-for-profit group that helps organizations develop, purchase, and maintain software applications that can be trusted.
OWASP seeks to educate developers, designers, architects and business owners about the risks associated with the most common Web application security vulnerabilities. OWASP has become known as a forum in which information technology professionals can network and build expertise.
The organization publishes a popular Top Ten list that explains the most dangerous Web application security flaws and provides recommendations with effective methods of dealing with those flaws.
The latest report includes the following:
A2:2017- Broken Authentication
Authentication and session management is often implemented incorrectly in application. This allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaw to impersonate another users’ identity temporarily or permanently.
Session management is the foundation of authentication and access controls. Attackers can detect broken authentication using manually and exploit them using automated tools with password lists and dictionary attacks.
Usually attackers only need to gain access to a few accounts, or just one admin account to comprise the entire system. By doing so the application can be subjected to multiple outcomes such as impersonation, which may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.
Is the Application Vulnerable?
There may be authentication weaknesses if the application:
• Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. This may include brute force or other automated attacks.
• Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“.
• Uses weak or ineffective credential recovery and forgot password processes.
• Uses plain text, encrypted, or weakly hashed passwords.
• Has missing or ineffective multi-factor authentication.
• Does not properly invalidate Session IDs i.e. session IDs aren’t properly invalidated during logout or a period of inactivity. Or Exposes Session IDs in the URL (e.g., URL rewriting).
How to Prevent
• Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
• Do not ship or deploy any application with any default credentials, particularly for admin users.
• Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
• Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
• Limit or increasingly delay failed login attempts.
• Use a server-side, secure, built-in session manager. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.
Example Attack Scenarios
Scenario #1:
Credential stuffing, is the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.
Scenario #2:
Application session timeouts aren’t set properly. A user uses a public computer to access an application. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated
No comments:
Post a Comment