OWASP Top 10 - Broken Authentication


What is Broken Authentication?

An application that uses weak authentication, or whose authentication and session-management functions contain vulnerabilities, can lead to the compromise of passwords, session tokens or keys.

An attacker can use brute-force and other automated techniques to authenticate as a legitimate user, and then use that foothold to compromise and exploit other systems on the network.

These weaknesses allow an attacker either to capture or to bypass the authentication methods employed by a web application.
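The brute-force and credential-stuffing attacks described above leave a characteristic pattern in authentication logs: one source address producing many failures in a short window, either against a single account (brute force) or spread across many accounts (credential stuffing). The Python below is an added example, not code from the original post or from OWASP. It runs a simple sliding-window detector over a few constructed log lines; the log format (timestamp, client IP, username, OK/FAIL), the thresholds and the function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from any real system). Assumed format:
# <ISO timestamp> <client IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 alice FAIL
2024-03-01T10:00:02 198.51.100.7 bob FAIL
2024-03-01T10:00:03 198.51.100.7 carol FAIL
2024-03-01T10:00:04 198.51.100.7 dave FAIL
2024-03-01T10:00:05 198.51.100.7 erin FAIL
2024-03-01T10:00:06 198.51.100.7 frank OK
2024-03-01T10:00:07 203.0.113.9 alice FAIL
2024-03-01T10:00:08 203.0.113.9 alice FAIL
2024-03-01T10:00:09 203.0.113.9 alice FAIL
2024-03-01T10:00:10 203.0.113.9 alice FAIL
2024-03-01T10:00:11 203.0.113.9 alice FAIL
2024-03-01T10:00:12 203.0.113.9 alice FAIL
2024-03-01T10:05:00 192.0.2.44 alice FAIL
2024-03-01T10:05:20 192.0.2.44 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, min_distinct_users=4):
    """Return {ip: verdict} for every source IP that exceeds the failure threshold
    within the sliding window. Many failures over many distinct usernames is
    credential stuffing; many failures against one username is brute force.
    (Thresholds are illustrative assumptions.)"""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failures = [e for e in in_window if e[3] == "FAIL"]
            if len(failures) < max_failures:
                continue
            users = {e[2] for e in failures}
            verdicts[ip] = ("credential_stuffing" if len(users) >= min_distinct_users
                            else "brute_force")
            break
    return verdicts


def successes_from_flagged(events, verdicts):
    """Accounts that logged in successfully from a flagged IP: likely compromised,
    and the first thing an incident responder should pull from the alert."""
    return {(ip, user) for _, ip, user, result in events
            if result == "OK" and ip in verdicts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    flagged = detect(evs)
    print(flagged)
    print(successes_from_flagged(evs, flagged))
```

In the sample, 198.51.100.7 sprays five different accounts and then lands on frank, so that account is reported as probably compromised; 203.0.113.9 hammers alice alone and is reported as brute force; 192.0.2.44 is alice's own mistyped-then-correct login and is not flagged. A real deployment would key on more than the source IP (credential stuffing is usually spread across a proxy pool), but the two-dimensional view of failures versus distinct usernames is the core of the signal.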

An application is likely to have authentication weaknesses if it:

Allows automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

Permits brute force or other automated attacks.

Permits default, weak, or well-known passwords, such as "Password", "admin/admin" or "root/toor".

Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.

Stores passwords in plain text, encrypted, or weakly hashed.

Has missing or ineffective multi-factor authentication.

Exposes session IDs in the URL (for example through URL rewriting).

Does not rotate session IDs after successful login.

Does not properly invalidate session IDs: user sessions or authentication tokens are not invalidated on logout or after a period of inactivity.
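As an added example (not code from the original post or from OWASP), the Python below implements the counter-measures for several items in the list above in one small in-memory authentication service: a denylist for well-known passwords, salted PBKDF2-HMAC-SHA256 password storage with a constant-time compare, per-account lockout after repeated failures, a session ID that is rotated on successful login, and server-side invalidation on logout and expiry. The class and function names, the iteration count, the lockout thresholds and the session lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for illustration (not from the original post).
PBKDF2_ITERATIONS = 600_000          # work factor for PBKDF2-HMAC-SHA256
WEAK_PASSWORDS = {"password", "password1", "admin", "root", "toor", "123456"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries algorithm, iterations and salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute the hash with the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hash of a throwaway value, used so that a login attempt for an unknown user
# costs the same time as one for a real user (no username enumeration by timing).
DUMMY_HASH = hash_password("not-a-real-password")


class AuthService:
    MAX_FAILURES = 5        # failures before the account is locked
    LOCKOUT_SECONDS = 900   # how long the lock lasts
    SESSION_TTL = 3600      # session lifetime in seconds

    def __init__(self):
        self.users = {}      # username -> stored password hash
        self.failures = {}   # username -> (failure count, time of last failure)
        self.sessions = {}   # session token -> {"user": ..., "expires": ...}

    def register(self, username, password):
        # Reject default / well-known passwords and very short ones.
        if password.lower() in WEAK_PASSWORDS or len(password) < 12:
            raise ValueError("password is weak or well-known")
        self.users[username] = hash_password(password)

    def login(self, username, password, old_token=None, now=None):
        """Return a fresh session token on success, None on failure or lockout."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= self.MAX_FAILURES and now - last < self.LOCKOUT_SECONDS:
            return None                       # locked out: do not even check the password
        stored = self.users.get(username)
        if stored is None:
            verify_password(DUMMY_HASH, password)   # equalise timing for unknown users
            ok = False
        else:
            ok = verify_password(stored, password)
        if not ok:
            self.failures[username] = (count + 1, now)
            return None
        self.failures.pop(username, None)
        # Rotate the session ID: whatever token the client held before login is discarded,
        # so a token an attacker fixed or sniffed earlier never becomes an authenticated one.
        if old_token is not None:
            self.sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "expires": now + self.SESSION_TTL}
        return token

    def current_user(self, token, now=None):
        """Resolve a token to a username; expired tokens are removed on sight."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None or session["expires"] <= now:
            self.sessions.pop(token, None)
            return None
        return session["user"]

    def logout(self, token):
        """Invalidate the token server-side; clearing the browser cookie alone is not enough."""
        self.sessions.pop(token, None)
```

The token is meant to travel only in an HttpOnly, Secure cookie, never in the URL, and the lockout applies to the account rather than the client address, since an attacker can change addresses far more easily than the victim can change usernames. The `now` parameter exists only so the time-dependent behaviour can be exercised deterministically.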

The goal of such an attack is to take over one or more accounts, giving the attacker the same privileges as the attacked user.


References

https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication


Copyright @SecurWires. Designed & Developed By MindScript