Defender's Notes

Top 2: Broken Authentication

Pulled from OWASP Top 10 2017


Last updated 4 years ago


What is it?

Confirmation of the user’s identity, authentication, and session management are critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:

  • Permits brute force or other automated attacks.

  • Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”.

  • Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers”, which cannot be made safe.

  • Has missing or ineffective multi-factor authentication.

  • Exposes Session IDs in the URL (e.g., URL rewriting).

  • Does not rotate Session IDs after successful login.

  • Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.

Example Attack

Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.

Scenario #3: Application session timeouts aren’t set properly. A user uses a public computer to access an application. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.

How to Prevent

  • Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

  • Do not ship or deploy with any default credentials, particularly for admin users.

  • Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.

  • Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.

  • Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL, be securely stored and invalidated after logout, idle, and absolute timeouts.
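As an added example for the weaknesses listed under "What is it?" and the prevention points above (this is not code from Defender's Notes or from OWASP), the following minimal in-memory authentication service applies them together: salted PBKDF2 password storage, one generic failure message whether or not the account exists, the same hashing work for unknown usernames, increasing delays after repeated failures with every failure logged, a high-entropy session id that is rotated at login, and idle/absolute timeouts plus server-side invalidation at logout. All names, limits and the fake clock are assumptions chosen for the example.

```python
import hashlib
import hmac
import logging
import secrets
import time

# Added example: every name and value here is constructed for illustration.
PBKDF2_ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"  # same text for every failure
FREE_FAILURES = 3                                  # failures before delays begin
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_TIMEOUT_S = 8 * 3600

log = logging.getLogger("auth")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 from the stdlib; never store plain or fast-hashed passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def required_delay(failure_count):
    """Increasing delay after repeated failures: 0 for the first few, then 1s, 2s, 4s, ..."""
    if failure_count < FREE_FAILURES:
        return 0
    return 2 ** (failure_count - FREE_FAILURES)


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so timeouts can be tested deterministically
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> (count, time of last failure); bound this in production
        self.sessions = {}          # session id -> {"user", "created", "last_seen"}
        # A dummy credential so unknown usernames cost the same hashing work as real ones.
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def new_session(self, user=None):
        """Fresh 256-bit session id from the OS CSPRNG; it travels only in a cookie, never a URL."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, username, password, pre_auth_sid=None):
        """Returns (ok, message, session_id); the message never reveals whether the user exists."""
        now = self.clock()
        count, last_failure = self.failures.get(username, (0, 0.0))
        if now - last_failure < required_delay(count):
            log.warning("login throttled user=%s failures=%d", username, count)
            return False, GENERIC_FAILURE, None
        salt, stored = self.users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time compare, performed even for unknown users so timing stays uniform.
        matched = hmac.compare_digest(candidate, stored)
        if not (matched and username in self.users):
            self.failures[username] = (count + 1, now)
            log.warning("login failed user=%s failures=%d", username, count + 1)
            return False, GENERIC_FAILURE, None
        self.failures.pop(username, None)
        # Rotate the session: the id issued before authentication must not survive login.
        self.sessions.pop(pre_auth_sid, None)
        return True, "ok", self.new_session(username)

    def current_user(self, sid):
        """Resolve a session id, enforcing idle and absolute timeouts."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT_S
                or now - session["created"] > ABSOLUTE_TIMEOUT_S):
            self.sessions.pop(sid, None)
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        """Invalidate server-side so the id is useless to the next user of a shared browser."""
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    pre = svc.new_session()
    print(svc.login("alice", "guess", pre))                            # generic failure
    ok, _, sid = svc.login("alice", "correct horse battery staple", pre)
    print(ok, sid != pre, svc.current_user(sid))                       # True True alice
```

The throttle is keyed on the submitted username so that a distributed guessing campaign against one account is still slowed; the accompanying warning log lines are what an alerting rule for credential stuffing would key on.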

Testing

Test for default credentials

If the web app is a known product or portal, look up the vendor's default credentials for that product, or try admin/admin.

Test for username enumeration

On the login page, submit test credentials such as test@test.com / test. If the response distinguishes "Wrong Email" from "Wrong Password", the application reveals which accounts exist; report this as a low-severity finding.

In the forgot-password flow, does the response let you confirm whether an email address or username is registered?

Test for session fixation

Capture the GET request for the homepage in three states: unauthenticated, authenticated, and just after logging out. Compare the session token in each: does the same token appear across all three states, rather than being rotated at login and cleared at logout?
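The two comparisons above (username enumeration and session fixation) can be made systematic by running checks over the captured responses. The following is an added example written for this section, not a tool from Defender's Notes: the HTTP captures are constructed samples expressed as small dicts and Set-Cookie strings, and the cookie names, the timing threshold and the status codes are assumptions.

```python
import re

# Added example: constructed captures, not responses from any real application.
TIMING_THRESHOLD_MS = 100
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "sessionid", "session", "SID")

# Login failure for an existing account vs. a non-existent one (constructed).
WEAK_LOGIN_KNOWN = {"status": 200, "body": "Wrong Password", "ms": 190}
WEAK_LOGIN_UNKNOWN = {"status": 200, "body": "Wrong Email", "ms": 35}
GOOD_LOGIN_KNOWN = {"status": 401, "body": "Invalid username or password", "ms": 180}
GOOD_LOGIN_UNKNOWN = {"status": 401, "body": "Invalid username or password", "ms": 175}

# Set-Cookie headers seen before and after login (constructed).
WEAK_PRE_AUTH = "SID=7f3a9c1e; Path=/"
WEAK_POST_AUTH = "SID=7f3a9c1e; Path=/"                       # same id reused after login
GOOD_PRE_AUTH = "SID=7f3a9c1e; Path=/; Secure; HttpOnly"
GOOD_POST_AUTH = "SID=b81d04e2; Path=/; Secure; HttpOnly"     # rotated at login


def enumeration_indicators(known_user_resp, unknown_user_resp):
    """Compare the login failure for an existing account with one for a non-existent
    account; any visible difference confirms which usernames exist."""
    findings = []
    if known_user_resp["status"] != unknown_user_resp["status"]:
        findings.append(f"status code differs: {known_user_resp['status']} vs {unknown_user_resp['status']}")
    if known_user_resp["body"].strip() != unknown_user_resp["body"].strip():
        findings.append(f"error message differs: {known_user_resp['body']!r} vs {unknown_user_resp['body']!r}")
    if abs(known_user_resp["ms"] - unknown_user_resp["ms"]) > TIMING_THRESHOLD_MS:
        findings.append(f"response time differs by more than {TIMING_THRESHOLD_MS} ms")
    return findings


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def session_indicators(pre_auth_set_cookie, post_auth_set_cookie,
                       post_login_location, old_id_status_after_logout):
    """Session fixation checks: the id issued before login must not survive it, must be
    cookie-only with Secure/HttpOnly, and must stop working once the user logs out.
    old_id_status_after_logout is the status returned when the pre-logout id is sent again."""
    findings = []
    pre_name, pre_value, _ = parse_set_cookie(pre_auth_set_cookie)
    post_name, post_value, attrs = parse_set_cookie(post_auth_set_cookie)
    if pre_name == post_name and pre_value == post_value:
        findings.append(f"{post_name} not rotated at login (session fixation)")
    if "secure" not in attrs:
        findings.append(f"{post_name} cookie lacks Secure")
    if "httponly" not in attrs:
        findings.append(f"{post_name} cookie lacks HttpOnly")
    pattern = r"[?&;](?:%s)=" % "|".join(SESSION_COOKIE_NAMES)
    if re.search(pattern, post_login_location, re.IGNORECASE):
        findings.append(f"session id exposed in URL: {post_login_location}")
    if old_id_status_after_logout == 200:
        findings.append("old session id still accepted after logout")
    return findings


if __name__ == "__main__":
    for line in enumeration_indicators(WEAK_LOGIN_KNOWN, WEAK_LOGIN_UNKNOWN):
        print("enumeration:", line)
    for line in session_indicators(WEAK_PRE_AUTH, WEAK_POST_AUTH, "/home?SID=7f3a9c1e", 200):
        print("session:", line)
```

The timing comparison is the one most often missed in manual testing: an application that returns an identical message but only runs the password hash for accounts that exist still answers the enumeration question.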

Exploitation

Example Payloads

Cheat sheet

Other Resources

Additional points from the OWASP text

The application may also have authentication weaknesses if it:

  • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

  • Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).

Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.

Further prevention steps:

  • Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.

  • Align password length, complexity and rotation policies with NIST 800-63 B’s guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence based password policies.
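As an added example of the weak-password check and the NIST 800-63B section 5.1.1 alignment referred to above (not code from Defender's Notes, OWASP or NIST), the function below accepts or rejects a new password on length, a blocklist of common passwords, context-specific words and repetitive or sequential runs, and deliberately imposes no composition rules. The blocklist is a constructed stand-in for the top-10000 list; the length caps, the 3-character minimum for context words and the run length of 4 are assumptions.

```python
import unicodedata

# Added example: the blocklist is a constructed stand-in for a real breached/common list.
MIN_LENGTH = 8          # 800-63B: at least 8 characters
MAX_LENGTH = 128        # 800-63B: permit at least 64; no arbitrary short cap
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein", "welcome1"}


def _repetitive_or_sequential(s, run=4):
    """True if any window of `run` characters is all one character ('aaaa') or a
    +1 sequence of code points ('1234', 'abcd')."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        if all(ord(window[k + 1]) - ord(window[k]) == 1 for k in range(run - 1)):
            return True
    return False


def check_password(candidate, username="", service="", blocklist=COMMON_PASSWORDS):
    """Return a list of reasons to reject the password; an empty list means accept.
    No mixed-case/digit/symbol rules and no periodic rotation are applied: 800-63B
    advises against both, favouring length plus a blocklist check instead."""
    pw = unicodedata.normalize("NFKC", candidate)   # normalise before comparing or storing
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if low in blocklist:
        problems.append("appears on the common/breached password list")
    for word in (username, service):
        if len(word) >= 3 and word.lower() in low:
            problems.append("contains context-specific word %r" % word)
    if _repetitive_or_sequential(low):
        problems.append("repetitive or sequential characters")
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "1234abcd", "correct horse battery staple"):
        print(pw, "->", check_password(pw, username="alice", service="shop") or "accepted")
```

In a real deployment the blocklist would be loaded from a published list of leaked passwords and the normalised value would be fed to a slow, salted hash before storage.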