A2: Broken Authentication

App Specific

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools.

Session management attacks are well understood, particularly in relation to unexpired session tokens.

Prevalence

The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.

Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks.

Technical

Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.

Confirmation of the user's identity, authentication, and session management are critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:

Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
Permits brute force or other automated attacks.
Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin"
Uses weak or ineffective credential recovery and forgot password processes, such as "knowledge-based answers", which cannot be made safe.
Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).
Has missing or ineffective multi-factor authentication.
Exposes Session IDs in the URL (e.g., URL rewriting).
Does not rotate Session IDs after successful login
Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

How to detect this security problem?

Valency Networks technical team is highly capable of running app scans and also perform manual vulnerability assessment to find this security problem. We can also help you re-design the code component or provide inputs towards successful fixation.

What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.

Valency Networks is our only preferred vendor because the way they find vulnerabilities in our network is par excellence. We hired them on a long term contract to top up our perimeter and wish to continue with them.

CTO

Fortune 50 Manufaturing Company, Pune

Hardly goes a day when I have not learnt anything new in cyber security space and IT technologies.

Team-mate

for 6+ yrs

Working at Valency Networks helps me gain great knowledge everyday.

Team-mate,

for 3+ yrs

A2: Broken Authentication

App Specific

Prevalence

Technical

Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

Permits brute force or other automated attacks.

Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin"

Uses weak or ineffective credential recovery and forgot password processes, such as "knowledge-based answers", which cannot be made safe.

Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure).

Has missing or ineffective multi-factor authentication.

Exposes Session IDs in the URL (e.g., URL rewriting).

Does not rotate Session IDs after successful login

Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

How to detect this security problem?