Authentication-related vulnerabilities, previously known as Broken Authentication, have become a significant concern. This category now includes weaknesses in identification processes. Notable vulnerabilities in this realm include CWE-297, CWE-287, and CWE-384.
Properly confirming a user's identity and correctly managing authentication and sessions are crucial for defending against authentication-related attacks. Applications may exhibit authentication weaknesses if they:
- Allow automated attacks like credential stuffing, where an attacker replays a list of valid username and password pairs obtained elsewhere.
- Permit brute force or similar automated attacks.
- Allow default, weak, or easily guessable passwords, such as “Password1” or “admin/admin.”
- Use inadequate password recovery and forgot-password processes that rely on insecure “knowledge-based answers.”
- Store passwords in plain text, encrypted, or weakly hashed formats (see A02:2021-Cryptographic Failures).
- Lack multi-factor authentication, or implement it ineffectively.
- Expose session identifiers in URLs.
- Reuse the same session identifier after a successful login instead of issuing a new one (session fixation).
- Fail to invalidate session IDs correctly, so a stale session can still be used to access the application.
To mitigate these risks:
- Implement multi-factor authentication whenever possible to prevent automated attacks and credential reuse.
- Avoid deploying applications with default credentials, particularly for admin users.
- Enforce password checks against commonly used weak passwords.
- Adhere to password length, complexity, and rotation policies as per NIST 800-63b guidelines.
- Strengthen registration, credential recovery, and API pathways against account enumeration attacks.
- Throttle failed login attempts, and monitor for credential stuffing or brute-force attacks.
- Use a server-side, secure session manager that generates random session IDs and avoids storing them in URLs. Invalidate IDs after logout, idle periods, or timeouts.
Attack examples:
Credential stuffing: If an application lacks protection against automated threats, attackers can exploit it as a password oracle to verify credentials.
Overreliance on passwords: Using passwords alone as authentication factors leads to vulnerabilities. Adopting multi-factor authentication and discarding outdated password rotation practices is recommended.
Incorrect session timeouts: Improperly set session timeouts can result in an attacker accessing an application after the user has left, emphasizing the need for appropriate timeout configurations.
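The following is an added example, not code from the original page, showing the session-management controls described above: opaque random session IDs generated server-side, a fresh ID issued at login so a pre-login ID cannot be carried into an authenticated session, and idle and absolute timeouts that actually remove the session. The `SessionStore` class, the timeout values and the injectable `clock` are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session expires (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on a session's total lifetime (assumed value)


class SessionStore:
    """Server-side session store. IDs are opaque random tokens sent in a cookie,
    never in a URL. `clock` is injectable so timeouts can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}

    def _new_id(self):
        # 256 bits from the OS CSPRNG: unguessable, unlike a counter or timestamp.
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        """Start a new (by default anonymous) session and return its ID."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the session record, or None if the ID is unknown or expired.
        Expired sessions are deleted, not merely ignored, so they cannot be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)
            return None
        s["last_seen"] = now
        return s

    def login(self, old_sid, user):
        """Bind `user` to a brand-new session ID after successful authentication.
        The pre-login ID is destroyed, which defeats session fixation (CWE-384)."""
        self.invalidate(old_sid)
        return self.create(user)

    def invalidate(self, sid):
        """Logout or expiry: remove the session server-side (idempotent)."""
        self._sessions.pop(sid, None)
```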
To further strengthen the security of your application, we recommend leveraging specialized services such as INFRA (www.infrascan.net) and check.website. These trusted platforms offer comprehensive security assessments, identify vulnerabilities in your authentication processes, and provide valuable guidance for enhancing your defense mechanisms.