
OWASP Khartoum Top 10 A3 - 6th meeting


Page 1: OWASP Khartoum   Top 10 A3 - 6th meeting

The OWASP Foundation http://www.owasp.org

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Khartoum 6th Meeting, 4 Aug 2012

Top 10: A3 Broken Authentication and Session Management

Obay Osman Ahmed, OWASP Khartoum

Page 2: OWASP Khartoum   Top 10 A3 - 6th meeting


ToC

• Definition.

• Impact.

• Environments Affected.

• BA-SM in the wild.

• Demo time.

• How to Protect Yourself.

• Wrap Up.

• Q & A.

Page 3: OWASP Khartoum   Top 10 A3 - 6th meeting


Definition

Authentication is the process of verifying that an individual or an entity is who it claims to be (by submitting a user name or ID and one or more items of private information that only that user should know).

Session Management is the process by which a server maintains the state of an entity interacting with it (by means of a session identifier).

Page 5: OWASP Khartoum   Top 10 A3 - 6th meeting


Impact

May allow some or even all accounts to be attacked.

Once successful, the attacker can do anything the victim could do.

Privileged accounts are frequently targeted.

Page 6: OWASP Khartoum   Top 10 A3 - 6th meeting


Environments Affected

All known web servers, application servers, and web application environments are susceptible to broken authentication and session management issues.

Page 7: OWASP Khartoum   Top 10 A3 - 6th meeting


//BAD - DON'T USE
public boolean login(String username, String password) {
    // Fail-open default: any path that skips the check below leaves this true.
    boolean isAuthenticated = true;
    try {
        // Make calls to the backend to actually perform login against the datastore.
        // (checkCredentials is an assumed helper, not on the slide: true if the credentials matched.)
        boolean authenticationSuccess = checkCredentials(username, password);
        if (!authenticationSuccess) {
            isAuthenticated = false;
        }
    } catch (Exception e) {
        // handle exc: the exception is swallowed, so a backend failure
        // (timeout, datastore down) returns true and logs the user in.
    }
    return isAuthenticated;
}
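The fail-open defect in the slide's login(), reproduced in Python beside a fail-closed version, as an added example that is not part of the deck. The in-memory user store, check_credentials() and the backend_up switch are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> (salt, sha256(salt + password)).
# A plain salted hash keeps the demo short; real storage should use a password KDF.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


class BackendError(Exception):
    """Stands in for a datastore outage or any unexpected backend failure."""


def check_credentials(username: str, password: str, backend_up: bool = True) -> bool:
    """Assumed backend call: True only if the username exists and the password matches."""
    if not backend_up:
        raise BackendError("datastore unreachable")
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash(salt, password))


def login_fail_open(username: str, password: str, backend_up: bool = True) -> bool:
    # Mirrors the slide: default True and the exception is swallowed,
    # so a backend error never reaches the "set to False" branch.
    is_authenticated = True
    try:
        if not check_credentials(username, password, backend_up):
            is_authenticated = False
    except Exception:
        pass  # "handle exc": swallowed, the fail-open default survives
    return is_authenticated


def login_fail_closed(username: str, password: str, backend_up: bool = True) -> bool:
    # Deny by default: only an explicit successful check grants access,
    # and any backend failure is treated as "not authenticated".
    try:
        return check_credentials(username, password, backend_up)
    except Exception:
        return False
```

With the backend down, login_fail_open returns True for a wrong password while login_fail_closed returns False; the only difference is the default value and what the except branch returns.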

Page 8: OWASP Khartoum   Top 10 A3 - 6th meeting


In the wild..

- Timeouts.

- ID in URL.

- Credential Storage.

Attack methodologies: XSS, CSRF (session riding), SQL injection, session fixation…

Page 9: OWASP Khartoum   Top 10 A3 - 6th meeting

It is Demo Time..


Let us break something…

Page 10: OWASP Khartoum   Top 10 A3 - 6th meeting


How to Protect Yourself

Don't implement it yourself, OR

Define, document and enforce a clear site policy, THEN

Check these critical areas:

"It is foolish to think that you'll do better on your first try".

Page 11: OWASP Khartoum   Top 10 A3 - 6th meeting


Prevention (cont.)

• Passwords (strength, use, change controls, recovery and storage).

• Protecting credentials in transit.

• Session ID protection.

• Account lists.

• Browser caching.

• Trust relationships.

Page 12: OWASP Khartoum   Top 10 A3 - 6th meeting


OWASP Recommended

Meet all requirements defined in OWASP's ASVS areas V2 (Authentication) and V3 (Session Management).

Have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.

Page 13: OWASP Khartoum   Top 10 A3 - 6th meeting

Summary & Conclusion

Page 14: OWASP Khartoum   Top 10 A3 - 6th meeting


OWASP Top 10 2010:

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)

Page 16: OWASP Khartoum   Top 10 A3 - 6th meeting

Q & A
