Product
Product overview

See how dev-centric DAST for the enterprise secures your business.

Web attacks

Continuous security testing for web applications at high-scale.

API attacks

Safeguard your APIs no matter how often you deploy.

Business logic attacks

Future-proof your security testing with green-flow exploitation testing.

LLM attacks

Next-gen security testing for LLM & Gen AI powered applications and add-ons.

Interfaces & extensions

Security testing throughout the SDLC - in your team’s native stack.

Integrations

Connecting your security stack & resolution processes seamlessly.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Book a demo

We’ll show you how Bright’s DAST can secure your security posture.

Resources
Blog

Check out or insights & deep dives into the world of security testing.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

Docs

Getting started with Bright and implementing it in your enterprise stack.

Case studies

Dive into DAST success stories from Bright customers.

Research

Download whitepapers & research on hot topics in the security field.

Company
About us

Who we are, where we came from, and our Bright vision for the future.

News

Bright news hot off the press.

Webinars & events

Upcoming & on-demand events and webinars from security experts.

We're hiring

Want to join the Bright team? See our open possitions.

Bug bounty

Found a security issue or vulnerability we should hear about? Let us know!

Contact us

Need some help getting started? Looking to collaborate? Talk to us.

Resources > Blog >
Broken Authentication: Impact, Examples, and How to Fix It

Broken Authentication: Impact, Examples, and How to Fix It

Nedim Marić

What is Broken Authentication and Session Management? 

Broken authentication is a term used to describe security vulnerabilities in a web application’s authentication process or session management, which can potentially allow unauthorized users to compromise the system. This typically happens when an application’s functions related to authentication of users, session management, and password management are implemented incorrectly, leaving it susceptible to cyberattacks.

The term ‘session management’ refers to the process of maintaining a user’s state and data across multiple requests. When a user logs into an application, their credentials are authenticated, and a session is established. This session persists as the user interacts with the application, allowing them to stay logged in. If the session management is mishandled, it can lead to broken authentication.

Broken authentication vulnerabilities can arise from numerous scenarios. For instance, when session IDs are exposed in the URL, session timeout is not properly set, passwords are not adequately hashed and salted, or when an application permits automated attacks such as credential stuffing or brute force.

According to the Open Web Application Security Project (OWASP), broken authentication is one of the most severe threats to web applications and APIs. Broken Authentication is the #2 most severe API vulnerability listed in the OWASP API Top 10, and in the OWASP Top 10 for web applications, Broken Access Control is the #1 security vulnerability.

This is part of a series of articles about unauthorized access

What is the Impact of Broken Authentication Attacks?

The impact of broken authentication attacks can be devastating for both an organization and its customers. When attackers exploit these vulnerabilities, they gain unauthorized access to user accounts, personal data, sensitive business information, and more. This not only leads to a breach of privacy and potential financial losses but can also severely tarnish the reputation of the impacted organization.

For an end-user, a broken authentication attack could mean unauthorized access to their account, leading to the theft of sensitive personal data such as credit card information, social security numbers, and more. This could further result in identity theft, unauthorized transactions, and other forms of personal harm.

For businesses, the consequences can be even more severe. A successful attack could potentially give cybercriminals access to privileged accounts, allowing them to manipulate data, perform malicious actions, or even take control of the entire system. This could lead to substantial financial losses, damage to the organization’s reputation, loss of customer trust, and potential legal implications.

Examples of Broken Authentication Vulnerabilities 

Use of Passwords as the Only Authentication Factor

Relying solely on passwords for user authentication is a significant vulnerability in web application security. Passwords, while being a traditional and widely used method for securing accounts, are often weak due to poor user practices such as using easy-to-guess passwords or reusing the same password across multiple sites. This vulnerability becomes more critical when additional layers of security, like multi-factor authentication (MFA), are not in place.

Attackers exploit weak or reused passwords through various methods like phishing attacks, credential stuffing, or brute force attacks. Phishing attacks trick users into revealing their passwords, while credential stuffing uses previously leaked credentials to gain unauthorized access. Brute force attacks involve systematically checking all possible passwords until the correct one is found. When passwords are the only line of defense, any of these methods can lead to broken authentication, granting attackers access to user accounts and sensitive data.

Application Session Timeouts Aren’t Set Properly

Another common source of broken authentication vulnerabilities is improperly set application session timeouts. When a user logs into a web application, a session is established. This session should expire after a period of inactivity to prevent unauthorized access in case the user leaves their device unattended. If the session timeout is not properly set, it could allow an attacker to hijack the session and gain access to the user’s account.

Inadequate session timeouts can also lead to session fixation attacks, where an attacker induces a user to use a specific session ID, and then uses that same session ID to gain unauthorized access to the user’s account.

Passwords Not Properly Hashed and Salted

Proper handling of user passwords is a crucial aspect of web application security. When passwords are not properly hashed and salted, it can lead to broken authentication. Hashing is a process that transforms a password into a unique, fixed-size string of characters, which is then stored in the system. Salting involves adding an additional, random string of characters to the password before it’s hashed.

If an attacker manages to breach the system and gain access to the password data, and if the passwords are not properly hashed and salted, they could potentially crack the passwords using various methods such as brute force attacks, dictionary attacks, or rainbow table attacks. Once the attacker has the user’s password, they can easily gain unauthorized access to their account, leading to broken authentication.

How to Fix Broken Authentication in Your Applications 

Control Session Length

One of the easiest ways to mitigate the risks associated with broken authentication is by controlling session length. When a user logs into a system, a session is created to keep track of their interactions with the system. The session length is the duration in which the session remains active.

Keep session lengths as short as possible without affecting the user experience. This practice reduces the window of opportunity for an attacker to exploit the session.Moreover, idle session timeouts should be implemented. This feature automatically logs out users after a certain period of inactivity, further reducing the risk of session hijacking.

Rotate and Invalidate Session IDs

Another effective measure is to rotate and invalidate session IDs. Every user session is identified by a unique session ID. When a user logs in, the system generates a new session ID for that session.

Rotating session IDs means changing the session ID after a certain period or after certain critical operations. This practice makes it harder for an attacker to predict or guess the session ID.

In addition to rotating session IDs, it is also crucial to invalidate them when they are no longer needed. For example, when a user logs out, their session ID should be invalidated immediately. This prevents an attacker from using an old session ID to gain unauthorized access to the system.

Multi-factor Authentication

Multi-factor authentication (MFA) is another effective way to fix broken authentication in your organization. MFA is a method of authentication that requires users to provide two or more verification factors to gain access to a resource.

The factors used in MFA can be something the user knows (like a password), something the user has (like a physical token or a smartphone), or something the user is (like a fingerprint or other biometric trait).

By requiring multiple forms of verification, MFA significantly enhances the security of your system. Even if an attacker manages to steal a user’s password, they would still need the other factors to gain access.

Implement Brute-Force Protection

Brute-force attacks are a common method used by attackers to break authentication. In a brute-force attack, the attacker attempts to guess the user’s password by trying different combinations until they find the correct one.

To protect your system against brute-force attacks, you should implement brute-force protection measures. These measures include limiting the number of failed login attempts, introducing time delays after a certain number of failed attempts, and using CAPTCHAs to prevent automated attacks.

Moreover, you can also use blacklisting and whitelisting techniques. Blacklisting involves blocking IP addresses that are suspected of conducting brute-force attacks, while whitelisting involves allowing only certain trusted IP addresses to access your system.

Resources

DORA: Exploring The Path to Financial Institutions’ Resilience

DORA (Digital Operational Resilience Act) is the latest addition to the EU regulatory arsenal. A framework designed to bolster the cyber resilience of financial entities operating within the EU. But let’s face it: there’s no lack of regulations issued by the European Union legislature, and they’re not exactly known for keeping things light and easy.

IASTless IAST – The SAST to DAST Bridge

Streamline appsec with IASTless IAST. Simplify deployment, enhance accuracy, and boost your security posture by combining SAST and Bright’s DAST.

Bringing DAST security to AI-generated code

AI-generated code is basically the holy grail of developer tools of this decade. Think back to just over two years ago; every third article discussed how there weren’t enough engineers to answer demand; some companies even offered coding training for candidates wanting to make a career change. The demand for software and hardware innovation was

Get our newsletter