Broken authentication is a weakness in web applications caused by poorly built authentication and session-management functions. It lets an attacker obtain the login or session permissions of the real user by hijacking a session identifier or stealing login information.
Broken authentication attacks take over an account, giving the attacker the same privileges as the attacked user. Authentication is "broken" when attackers are able to compromise passwords, keys or session tokens, user account information, and other details in order to assume user identities. Broken authentication is not only about stealing login credentials. It is also about session management: the time a user spends on a website from login to logout. Through cookies, the web application gives every user a session ID, and, just like stolen login credentials, session IDs can be used to impersonate web application users.
Broken authentication happens through:
- URL rewriting: a vulnerability caused by exposing a person's session ID in the URL of a website. Anyone who sees the URL can copy the session ID and use it to slip back into the session.
- Credential stuffing: aided by botnets for brute-force attacks, credentials stolen from other accounts and other sites, or taken from databases of unencrypted emails and poorly secured passwords, are tested against the application.
- Phishing and spear-phishing attacks, in which targeted individuals receive emails that appear to come from legitimate sources and are tricked or emotionally manipulated into giving out their information or carrying out an action that exposes their information to attackers.
- Session fixation. Because session IDs remain constant in some web applications, threat actors can determine their target's session ID in advance and use it to impersonate the target, since the hijacked session ID matches the authenticated ID of the legitimate user.
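Two of the patterns above leave traces a defender can look for in access logs: a session identifier travelling in a URL query string (URL rewriting) and a single source producing failed logins for many different usernames (credential stuffing). The following detection logic is an added example, not code from the original article; the log format, the field names and the list of session parameter names are constructed for illustration, and the sample lines are made up.

```python
"""Detection of session IDs exposed in URLs and of credential-stuffing sources.

Added example with a constructed log format: "<ip> <status> <method> <path> <user>".
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names often used to carry a session identifier.
# Assumption: illustrative list, not exhaustive.
SESSION_PARAM_NAMES = {"sessionid", "jsessionid", "phpsessid", "sid", "session"}

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.10 200 GET /account?jsessionid=AB12CD34EF56 alice
203.0.113.10 200 GET /account/settings alice
198.51.100.7 401 POST /login bob
198.51.100.7 401 POST /login carol
198.51.100.7 401 POST /login dave
198.51.100.7 401 POST /login erin
198.51.100.7 200 POST /login frank
192.0.2.5 401 POST /login alice
192.0.2.5 200 POST /login alice
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<path>\S+) (?P<user>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def session_ids_in_urls(entries):
    """Return (ip, parameter name) pairs where a session ID travelled in the URL."""
    findings = []
    for e in entries:
        query = parse_qs(urlsplit(e["path"]).query)
        for name in query:
            if name.lower() in SESSION_PARAM_NAMES:
                findings.append((e["ip"], name))
    return findings


def credential_stuffing_sources(entries, min_distinct_users=3):
    """Return IPs with failed logins for at least `min_distinct_users` usernames."""
    failed_users = defaultdict(set)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == "401":
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("session IDs in URLs:", session_ids_in_urls(parsed))
    print("likely credential-stuffing sources:", credential_stuffing_sources(parsed))
```

A legitimate user who mistypes their own password several times (192.0.2.5 above) is not flagged, because the second check counts distinct usernames per source rather than raw failure counts; the threshold is a constructed value to tune against real traffic.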
Broken authentication can be managed through:
- Change of session IDs
- Multifactor authentication
- Strong password enforcement
- Password hashing
- Breached Password Protection
- Brute-Force Protection
- Implementation of a one-time session ID
- Avoidance of URL rewriting
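The mitigations in the list above fit together in one small login and session store: server-generated random session IDs, a fresh session ID issued at login so that an ID the client held beforehand is never promoted to an authenticated one (the session-fixation defence), salted password hashing, a breached-password denylist, a minimum password length and a failed-attempt lockout. This is an added example, not code from the original article; the class and method names, the thresholds, the iteration count and the breached-password list are constructed for illustration.

```python
"""Minimal authentication service applying the mitigations listed above.

Added example; names, thresholds and the denylist are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed denylist standing in for a real breached-password feed.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 200_000  # illustrative; tune upward for production hardware


def check_password_policy(password):
    """Return None if the password is acceptable, otherwise a reason string."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return "too short"
    if password.lower() in BREACHED_PASSWORDS:
        return "found in breach denylist"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failed = {}    # username -> consecutive failed attempts
        self.sessions = {}  # session_id -> username, or None while anonymous

    def register(self, username, password):
        reason = check_password_policy(password)
        if reason:
            raise ValueError(f"weak password: {reason}")
        self.users[username] = hash_password(password)

    def new_session(self):
        """Anonymous session with a server-generated, unguessable ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid, username, password):
        """Verify credentials; on success retire the presented ID and issue a new one.

        Returns the new session ID, or None on failure or lockout.
        """
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return None  # brute-force protection: account is locked
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # equalise timing for unknown users
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if not ok:
            self.failed[username] = self.failed.get(username, 0) + 1
            return None
        self.failed.pop(username, None)
        # Session-fixation defence: whatever ID the client presented (chosen by
        # the server earlier or supplied by someone else) is discarded, and a
        # new ID is bound to the authenticated user.
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def user_for(self, sid):
        """Resolve a session ID to its user, or None if unknown or anonymous."""
        return self.sessions.get(sid)
```

The session ID is meant to be carried only in a cookie (with the `Secure` and `HttpOnly` attributes), never in a URL, which is the point of avoiding URL rewriting; a multifactor step would slot into `login` after the password check and before the new session ID is issued.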