Monday, June 23, 2014

A2 Broken Authentication and Session Management

This flaw allows attackers to compromise passwords, keys, or session tokens/IDs, and then use them to assume other users' identities for as long as the stolen credential or session stays valid.

Possible attacks:
  1. User IDs and passwords can be captured on the wire if they are sent without TLS, and recovered from a leaked database if they are stored in plaintext, reversibly encrypted, or hashed with a fast, unsalted algorithm.
  2. A session ID carried in the URL leaks through browser history, bookmarks, proxy and server logs, and the Referer header, and can be replayed by anyone who sees it.
  3. Session hijacking (stealing a live session ID, e.g. via sniffing or XSS) and session fixation (making the victim log in with an ID the attacker already knows) are possible.
  4. A session ID built from a counter, a timestamp, or a weak random generator can be predicted or brute-forced.
  5. A session ID that is not regenerated at login stays valid from before authentication, so an attacker who planted or learned it beforehand inherits the logged-in session; one that is not invalidated at logout stays usable afterwards.
Impact on Security (the attacker acts with the victim's full privileges):
  1. Attack on Confidentiality: read the victim's data.
  2. Attack on Integrity: modify data or perform transactions as the victim.
  3. Attack on Availability: change passwords, lock out or delete the victim's account.
Detectability  : Average
Exploitability : Average
Impact         : Severe
How to Prevent:
  1. Send credentials and session IDs only over TLS, and store passwords as salted hashes produced by a deliberately slow function (bcrypt, scrypt, Argon2 or PBKDF2), never in plaintext or reversibly encrypted.
  2. Carry the session ID in a cookie, never in the URL, and set the Secure, HttpOnly and SameSite attributes on that cookie.
  3. Issue a new session ID at login (and on any privilege change) and discard the old one; invalidate the session on the server at logout and after an idle timeout, not just by clearing the cookie.
  4. Generate session IDs with a cryptographic random generator and at least 128 bits of entropy, so they are unique and unpredictable.
  5. Make strong efforts to avoid XSS flaws, which can be used to steal session IDs; the HttpOnly flag limits, but does not eliminate, the damage a script injection can do.
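The following is an added example, not code from the original post, showing the prevention steps above in one small server-side session layer written with only the Python standard library. The in-memory USERS and SESSIONS dictionaries, the function names, the PBKDF2 iteration count and the 15-minute idle timeout are assumptions made for illustration; a real application would back the stores with a database or session store.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stores; a real application would use a database.
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session id -> {"user", "created", "last_seen"}

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
IDLE_TIMEOUT = 15 * 60        # assumed idle timeout in seconds


def register(username, password):
    """Store a per-user salt and a slow salted hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[username] = (salt, digest)


def verify_password(username, password):
    """Constant-time comparison; unknown users still cost one hash so timing does not reveal them."""
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(actual, expected)


def new_session_id():
    """256 bits from the OS CSPRNG: unique and unpredictable, not a counter or timestamp."""
    return secrets.token_urlsafe(32)


def create_session(user=None, now=None):
    """Create an anonymous (user=None) or authenticated session and return its ID."""
    now = time.time() if now is None else now
    sid = new_session_id()
    SESSIONS[sid] = {"user": user, "created": now, "last_seen": now}
    return sid


def login(presented_sid, username, password, now=None):
    """Authenticate and issue a fresh session ID, discarding the pre-login one.

    Dropping the presented ID is what defeats session fixation: an ID the
    attacker planted before login never becomes an authenticated session.
    Returns the new session ID, or None if the password is wrong.
    """
    if not verify_password(username, password):
        return None
    SESSIONS.pop(presented_sid, None)
    return create_session(user=username, now=now)


def current_user(sid, now=None):
    """Resolve a session ID to its user, expiring idle sessions on the server side."""
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if now - session["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]
        return None
    session["last_seen"] = now
    return session["user"]


def logout(sid):
    """Invalidate on the server; clearing the cookie alone leaves the ID usable."""
    SESSIONS.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: in a cookie (not the URL), TLS-only, hidden from script, not sent cross-site."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed walk-through: a fixation attempt against this server fails.
    register("alice", "correct horse battery staple")
    attacker_sid = create_session()                 # attacker obtains a pre-auth ID
    victim_sid = login(attacker_sid, "alice", "correct horse battery staple")
    print("rotated at login:", victim_sid != attacker_sid)
    print("attacker's ID still valid:", current_user(attacker_sid) is not None)
    print(session_cookie(victim_sid))
```

The walk-through in the `__main__` block plays the fixation scenario from the attack list: the attacker's pre-authentication ID is dropped at login, so knowing it gains nothing, and the victim's new ID only ever travels in a Secure, HttpOnly cookie.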
