15.3 Broken Authentication and Session Management Flashcards
What is validation bypass?
Validation bypass is one form of **broken access control**, the category the OWASP Top 10 (2017 edition) lists fifth (A5). Access control is what enforces that an authenticated user can only act within their intended permissions; validation bypass is getting past that enforcement.
What can attackers do by using validation bypass?
Attackers who bypass validation can assume the identity of ordinary users, or of administrators with escalated privileges, and then create, read, update or delete data they were never authorized to touch.
Security code analysis tools and vulnerability scanning tools can detect an absence of access control. However, they lack the ability to ____________.
Security code analysis tools and vulnerability scanning tools can detect an absence of access control. However, they lack the ability to verify the functionality of existing security controls, i.e. whether the checks that are present actually enforce the intended policy; that still requires manual or functional testing.
What causes weak access control mechanisms?
Weak access control mechanisms result from a lack of automated detection and a lack of proper functional testing by application developers.
What are mitigation strategies for validation bypass? (4)
- Deny by default: deny all access except to explicitly public resources.
- Implement access control mechanisms once and reuse them throughout the application, rather than re-implementing the check in every page or endpoint.
- Disable web server directory listings and ensure that backup files and file metadata (e.g. `.git`) are not present in web roots.
- Log all access control failures and alert administrators when appropriate (e.g. on repeated failures).
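The first two strategies in code, as an added example that is not part of the original flashcards: a single `authorize()` routine, backed by a policy table in which anything not listed is denied, is called by every handler. A handler that skips the call (`get_doc_vulnerable`) is shown beside the hardened one. The users, documents, roles and policy table are constructed for illustration.

```python
# Added example (not from the original flashcards): one reusable, deny-by-default
# authorization check applied by every handler. The users, documents, roles and
# policy table below are constructed for illustration.
USERS = {"alice": "user", "bob": "user", "root": "admin"}      # name -> role
DOCS = {1: {"owner": "alice", "title": "alice's notes"},        # id -> document
        2: {"owner": "bob", "title": "bob's notes"}}
AUDIT_LOG = []   # every denied request is recorded here (in production: to the SIEM)


class Forbidden(Exception):
    """Raised by authorize() when the policy does not grant the request."""


def _owner_or_admin(user, doc):
    return USERS[user] == "admin" or doc["owner"] == user


def _admin_only(user, doc):
    return USERS[user] == "admin"


# Policy: (action, resource type) -> predicate. Any pair missing from this
# table is denied, which is what "deny by default" means in code.
POLICY = {
    ("read", "doc"): _owner_or_admin,
    ("delete", "doc"): _admin_only,
}


def check(user, action, rtype, resource):
    """Return True if the policy grants the request; log and return False otherwise.
    Unknown users, unknown actions and unknown resource types all fall through to deny."""
    rule = POLICY.get((action, rtype))
    allowed = user in USERS and rule is not None and rule(user, resource)
    if not allowed:
        AUDIT_LOG.append({"user": user, "action": action, "rtype": rtype,
                          "resource": resource.get("title") if resource else None})
    return bool(allowed)


def authorize(user, action, rtype, resource):
    """Enforcement wrapper: every handler calls this instead of writing its own check."""
    if not check(user, action, rtype, resource):
        raise Forbidden("%r may not %s %s" % (user, action, rtype))


# VULNERABLE: trusts the doc_id from the request and never asks who owns it
# (an insecure direct object reference); bob can read alice's document.
def get_doc_vulnerable(user, doc_id):
    return DOCS[doc_id]["title"]


# HARDENED: the same handler, routed through the shared authorize() call.
def get_doc(user, doc_id):
    doc = DOCS[doc_id]
    authorize(user, "read", "doc", doc)
    return doc["title"]


def delete_doc(user, doc_id):
    doc = DOCS[doc_id]
    authorize(user, "delete", "doc", doc)
    del DOCS[doc_id]
    return True


if __name__ == "__main__":
    print(get_doc_vulnerable("bob", 1))     # IDOR: leaks alice's title
    print(get_doc("alice", 1))
    try:
        get_doc("bob", 1)
    except Forbidden as e:
        print("denied:", e)
    print(AUDIT_LOG)
```

Because the policy lives in one table, adding a new action (say, `export`) without adding a rule denies it everywhere at once, and every denial lands in `AUDIT_LOG`, which is what the logging-and-alerting strategy needs as input.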
Which category is second on the OWASP Top 10 (2017 edition), and what does it cover?
**Broken Authentication** (A2)
Broken authentication is an umbrella term for several weaknesses in authentication and session management that attackers exploit to impersonate legitimate users.
What inadequacies can leave web applications and infrastructure vulnerable to broken authentication? (8)
- Permitting well-known, weak or default passwords (e.g. `admin/admin`, `Password1`).
- Weak or ineffective password recovery and forgot-password processes, such as knowledge-based answers.
- Storing passwords in plaintext, reversibly encrypted, or with weak or unsalted hashes.
- Missing or ineffective multifactor authentication.
- Exposure of the session ID in the URL, where it leaks through browser history, proxy and server logs, and the `Referer` header.
- Failure to rotate the session ID after a successful login (session fixation).
- Improper session invalidation or timeouts: sessions or authentication tokens are not invalidated on logout or after a period of inactivity.
- Inadequate security built into the web application software itself.
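The third item above in code, as an added example that is not part of the original flashcards: an unsalted fast hash (MD5) beside a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from the standard library), with a small dictionary attack showing why the first is a problem. The wordlist, passwords and the `pbkdf2_sha256$iterations$salt$hash` record format are constructed for this example.

```python
# Added example (not from the original flashcards): an unsalted fast hash beside
# a salted, deliberately slow password hash. The wordlist, passwords and the
# stored-record format are constructed for illustration.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # current OWASP recommendation for PBKDF2-HMAC-SHA256


# WEAK: unsalted MD5. Identical passwords produce identical hashes, so one
# precomputed table cracks every user at once, and MD5 is fast enough to test
# billions of guesses per second on commodity hardware.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(target_hex, wordlist):
    """Dictionary attack against an unsalted hash: one hash per guess, no per-user work."""
    for guess in wordlist:
        if weak_hash(guess) == target_hex:
            return guess
    return None


# STRONGER: a random 16-byte salt per user plus PBKDF2 with a high iteration
# count. The stored string carries the algorithm, iteration count and salt so
# the parameters can be raised later without breaking existing records.
def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False          # malformed record: fail closed
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed wordlist and a "leaked" unsalted hash.
    wordlist = ["letmein", "password", "qwerty"]
    leaked = weak_hash("password")
    print("cracked:", crack_weak(leaked, wordlist))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

Two records for the same password differ because of the salt, so a leaked table cannot be attacked with one precomputed dictionary, and each guess costs the attacker the full iteration count. Where a dedicated library is available, Argon2id or scrypt is preferred over PBKDF2; the structure of the record and the constant-time comparison stay the same.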
What is one specific broken authentication attack?
**watering hole attack**
Attackers observe or guess which websites users at the targeted organization visit most often. They then compromise one of those sites to serve malware, infecting as many of its visitors as possible and using the resulting foothold to breach the organization's network.
What are the best strategies for preventing and mitigating broken authentication and session management flaws?(2)
- The best strategies for preventing and mitigating broken authentication and session management flaws depend on the scope and architecture of the particular application.
- Supplementary mitigation tools include credential management systems such as LastPass and OneLogin, which provide features for storing and using credentials in a secure and controllable way.
What are the 4 factors of multifactor authentication?
- Knowledge (something you know): standard login inputs such as a password, PIN or cognitive questions.
- Possession (something you have): physical keys such as a smartcard or hardware token.
- Inherence (something you are): biometrics such as an iris/retina scan or hand geometry.
- Location (somewhere you are): GPS detection, or a callback to a registered home phone number.
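The possession factor as a software token, as an added example that is not part of the original flashcards: HOTP (RFC 4226) and TOTP (RFC 6238) implemented with the standard library, plus the server-side verification step. The secret is the RFC test-vector key (`12345678901234567890`), chosen so the outputs can be checked against the published vectors; the drift window and the `used` replay set are design choices of this example.

```python
# Added example (not from the original flashcards): the possession factor as a
# software token, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the
# standard library. The secret is the RFC test-vector key so the outputs can
# be checked against the published vectors.
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 SHA-1 test key


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, used, for_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus `window` steps either
    side to absorb clock drift, compares in constant time, and refuses to
    accept the same step twice (`used` is the per-user replay record)."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // step
    for counter in range(current - window, current + window + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            used.add(counter)
            return True
    return False


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0), hotp(RFC_SECRET, 1))   # 755224 287082 per RFC 4226
    print(totp(RFC_SECRET, for_time=59))              # 287082 per RFC 6238 (6 digits)
    print(totp(RFC_SECRET))                           # the code valid right now
```

The replay record matters: a TOTP code is valid for the whole window, so an attacker who phishes or shoulder-surfs it has up to about a minute to reuse it unless the server remembers which steps it has already accepted for that user.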
__________ restricts what users can see and do based on their privileges.
**Constrained user interface**
- This can result in grayed-out or missing menu items or other interface changes. The interface restriction must be backed by a server-side check, because a hidden or disabled control can still be invoked directly by crafting the request.
- Context-dependent controls regulate access based on the circumstances of the request (time of day, location, or the sequence of prior actions), for example allowing a document to be edited only after it has been checked out.
- Content-dependent controls regulate access based on the data inside the object, for example a database view that hides certain columns from users who may see the rest of the record.
What is Polyinstantiation?
Polyinstantiation lets the same record (the same primary key) exist at more than one classification level with different contents. A subject with a low clearance sees only the low-level version and cannot tell that a higher-classified version exists, so an attacker who obtains the lower-level data cannot reconstruct the sensitive information from the pieces they are allowed to see. It is most often discussed for multilevel secure databases, where it also prevents a low-clearance insert from failing with a "duplicate key" error that would itself reveal the classified row.
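A toy multilevel table, as an added example that is not part of the original flashcards: the key `Vigilant` is polyinstantiated at two levels, and a read returns the highest version the subject's clearance dominates. Ship names, destinations and the three-level lattice are constructed for illustration.

```python
# Added example (not from the original flashcards): a toy multilevel table in
# which the same primary key is polyinstantiated at two classification levels.
# Ship names, destinations and levels are constructed for illustration.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}

# Primary key is "name". "Vigilant" exists twice with different destinations;
# "Phantom" exists only at top_secret.
SHIPS = [
    {"name": "Vigilant", "destination": "Naples",    "level": "unclassified"},
    {"name": "Vigilant", "destination": "Black Sea", "level": "top_secret"},
    {"name": "Liberty",  "destination": "Lisbon",    "level": "unclassified"},
    {"name": "Phantom",  "destination": "Murmansk",  "level": "top_secret"},
]


def select(table, name, clearance):
    """Return the most highly classified row for `name` that the subject's
    clearance dominates, or None. A low subject never learns that a higher
    row exists."""
    c = LEVELS[clearance]
    visible = [r for r in table if r["name"] == name and LEVELS[r["level"]] <= c]
    return max(visible, key=lambda r: LEVELS[r["level"]]) if visible else None


def insert(table, name, destination, clearance):
    """Insert at the subject's level. Without polyinstantiation, inserting
    "Phantom" as an unclassified user would fail with a duplicate-key error,
    telling the user a classified "Phantom" exists. With it, the key is only
    unique per level, so the low insert succeeds and both rows coexist."""
    for r in table:
        if r["name"] == name and r["level"] == clearance:
            raise ValueError("duplicate key %r at level %s" % (name, clearance))
    table.append({"name": name, "destination": destination, "level": clearance})
    return True


if __name__ == "__main__":
    print(select(SHIPS, "Vigilant", "unclassified")["destination"])   # Naples
    print(select(SHIPS, "Vigilant", "top_secret")["destination"])     # Black Sea
    print(select(SHIPS, "Phantom", "unclassified"))                   # None
```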
How should API keys and other credentials be handled?
They should always be stored in secure locations (a secrets manager or vault, never in source code, client-side files or logs) and transmitted only over encrypted communications channels such as TLS.
Additional mitigation strategies for broken authentication and session management include: (4)
- Generate session IDs with a cryptographically secure random generator, so that an attacker cannot brute-force or guess a valid session ID.
- Enforce idle and absolute session timeouts, expiring the session ID after a predetermined amount of time.
- Use robust password recovery mechanisms rather than knowledge-based questions.
- Enforce strong passwords: require adequate length and reject passwords that appear in known-breach lists, rather than relying on complexity rules alone.
Exposure of the session ID in the URL is an instance of which weakness, and how would you mitigate it?
Broken session management (part of OWASP's broken authentication category).
Keep session information out of the URL: carry the session ID in a cookie marked `HttpOnly`, `Secure` and `SameSite`, and enforce session invalidation on logout together with idle and absolute timeouts.
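The session-side mitigations from the two cards above in one place, as an added example that is not part of the original flashcards: a minimal server-side session store with CSPRNG-generated IDs, rotation at login, idle and absolute timeouts, explicit invalidation, and a cookie that keeps the ID out of the URL. The timeout values and the injectable clock are choices made for this example.

```python
# Added example (not from the original flashcards): a minimal server-side
# session store showing random IDs, rotation at login, idle and absolute
# timeouts, explicit invalidation, and a cookie that keeps the ID out of the
# URL. Timeout values and the clock injection are choices of this example.
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime regardless of activity


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, user):
        # 32 random bytes from the OS CSPRNG: 256 bits, not guessable or brute-forceable.
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def get(self, sid):
        """Look up a session, enforcing both timeouts; expired sessions are removed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(sid)
            return None
        s["last_seen"] = t
        return s

    def rotate(self, old_sid, user):
        """Issue a new ID and kill the old one. Done at login and on privilege
        change so a pre-authentication ID planted by an attacker (session
        fixation) never becomes an authenticated session."""
        self.invalidate(old_sid)
        return self.create(user)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)   # logout or server-side revocation


def session_cookie(sid):
    """The ID travels in a cookie, never in the URL: HttpOnly keeps script away
    from it, Secure keeps it off plaintext HTTP, SameSite limits cross-site sends."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid


def login(store, pre_login_sid, user):
    """Called after the password check has succeeded: never keep the
    pre-login ID, always rotate."""
    return store.rotate(pre_login_sid, user)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create(None)
    sid = login(store, anon, "alice")
    print(session_cookie(sid))
    print(store.get(anon), store.get(sid)["user"])   # None alice
```

With a URL-carried ID, every link the user follows sends the ID to the next site in the `Referer` header and leaves it in proxy logs and browser history; the cookie attributes above close those paths, and the rotation in `login()` is what defeats session fixation even if an attacker managed to plant an ID before authentication.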