Security: Broken Authentication and Session Management #34

Open
wants to merge 5 commits into
base: master
32 changes: 32 additions & 0 deletions Week06/3. Security.md
Expand Up @@ -43,3 +43,35 @@ There are a few things which can be done to prevent this:
* Only allow requests from a known list of domains when configuring CORS (which may not be enough!)
* Add a special CSRF Token to GET requests, which would then be checked when POST/PUT/etc. requests are issued.



## Broken Authentication and Session Management
Broken Authentication and Session Management is when application functions that are related to authentication and session management are not implemented like it should be implemented.
That can allow attackers to get hold of passwords, keys, session tokens or find other implementation flaws that could guide the attacker to other users identities.

* Exploitability: Average
* Prevalence: Widespread
* Detectability: EAverage
* Impact: Servere

[According to OWASP top 10 2013](https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management)

### What can you do to prevent this?
To prevent this the developer should follow the authentication and session management requirements defined in OWAS´s
[Application Security Verification Standard](https://www.owasp.org/index.php/ASVS)
(Chapter V2: AUTHENTICATION VERIFICATION REQUIREMENTS and Chapter V3: SESSION MANAGEMENT VERIFICATION REQUIREMENTS)

You should also try to avoid Cross Side Scripting flaw as they can be used to steal session IDs.

### Examples:
Airlines application support URL rewriting(implementing URL mapping or routing within a web application), putting session ID in the

URL: http://someairlinecompany.com/blackfridaysale/saleitems?sessionid=113171894&dest=LosAngeles

The user that is authenticated emails his friend the link above to tell him about this amazing deal. What he doesn’t know is that he is also giving away his session ID. When his friend opens the link he will use his session and credit card information.

Another scenario is if this user is on a public computer. The user closes the browser tab and someone else goes to the computer. If the application’s timeout is not set properly an attacker that uses the same browser and goes to the same website is still authenticated.

[Information from OWASP Top 10](https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management)
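Review bot: The risk-rating list under the new "Broken Authentication and Session Management" heading misstates two of the OWASP ratings through typos: `* Detectability: EAverage` should read `* Detectability: Average` and `* Impact: Servere` should read `* Impact: Severe`. A few other wording fixes in the same hunk: "OWAS´s" in the prevention section should be "OWASP's", "Cross Side Scripting flaw" should be "Cross-Site Scripting (XSS) flaws", "other users identities" needs the possessive "users' identities", "not implemented like it should be implemented" reads better as "not implemented correctly", and in the examples the sentence ending "putting session ID in the" is cut off from its continuation "URL: http://someairlinecompany.com/..." by a blank line, so the two render as separate paragraphs (also add a space in "URL rewriting(implementing"). It would also help the reader if the "What can you do to prevent this?" section named the concrete controls that the two examples illustrate: keep session IDs out of URLs (carry them in cookies instead, so they are not leaked when a link is shared) and set a session timeout so an abandoned browser on a shared computer does not stay authenticated.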