Broken Authentication &
Session Management
What is it?
• Authentication and session management implemented incorrectly, so that an attacker can act as a legitimate user.
• If an attacker obtains your session ID, they can take over (hijack) your session.
• This can happen when the session ID travels over an unprotected channel, such as plain HTTP.
• It can also happen if an attacker obtains your password.
Broken Authentication and Session Management - Vulnerabilities
• Passwords stored without hashing (plaintext or reversibly encrypted).
• Weak password-recovery mechanism.
• Exposed session IDs (for example in URLs, logs or Referer headers).
• Overly long session timeouts.
• Session ID not rotated at login (session fixation) and not invalidated at logout.
• Session IDs or passwords sent over unencrypted connections.
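The first vulnerability in the list, and the matching prevention bullet about storing credentials, is easiest to see in code. The following is an added example, not code from the slides: it stores each password as a salted, slow PBKDF2 hash (a standard-library stand-in for bcrypt, scrypt or Argon2), verifies in constant time, and upgrades old records on login. The `UserStore` class, the record format and the iteration count are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the original slides. Passwords are never stored; only a
# salted PBKDF2-HMAC-SHA256 digest is, so a leaked table does not yield credentials.

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64 fields)."""
    salt = secrets.token_bytes(16)  # fresh CSPRNG salt per password: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than raise
    if algo != ALGO or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record is weaker than current policy; rehash on the next successful login."""
    try:
        algo, iterations, _salt, _digest = stored.split("$")
        return algo != ALGO or int(iterations) < DEFAULT_ITERATIONS
    except ValueError:
        return True


class UserStore:
    """Hypothetical in-memory user table that holds hash records only, never the password."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            hash_password(password)  # burn the same cost so timing does not reveal valid usernames
            return False
        if not verify_password(password, stored):
            return False
        if needs_rehash(stored):  # transparently upgrade records made under an older policy
            self._users[username] = hash_password(password)
        return True
```

The "password not hashed" failure is the opposite of `register`: a table that stores `password` itself (or an encrypted copy whose key lives on the same server) hands every account to whoever reads the table. The `iterations` parameter exists only so the cost can be raised over time; the record carries its own parameters, so `needs_rehash` can detect and replace old entries without a migration.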
Session Fixation Attack
• The attacker gets a session ID they already know onto the victim (for example through a crafted link), waits for the victim to log in with it, and then uses that same ID to act as the victim.
Broken Authentication and Session Management - Prevention
• Always use HTTPS for any authenticated URLs, and mark the session cookie Secure.
• If storing credentials in a database, store a salted, slow hash (bcrypt, scrypt, Argon2 or PBKDF2), never plaintext or reversible encryption.
• Set session timeouts as low as is practical, to limit exposure when someone forgets to log out at a public terminal.
• Carry session IDs in cookies (HttpOnly, Secure) rather than in URLs.
• Invalidate sessions properly: issue a new session ID at login and destroy the session server-side at logout.
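The session-fixation attack and the prevention bullets above come together in a small session store. The following is an added example, not code from the slides: it shows the fixation weakness (an attacker-planted ID that stays valid after login) next to the hardened behaviour of rotating the ID at login, destroying the session at logout, expiring idle sessions and emitting the cookie with protective attributes. The `SessionStore` class, the 15-minute idle timeout and the cookie name are assumptions made for this illustration.

```python
import secrets
import time

# Added example, not from the original slides. An in-memory session store with the
# vulnerable login (keeps whatever ID the client presented) beside the hardened one.

IDLE_TIMEOUT = 15 * 60  # assumption: seconds of inactivity before a session expires


class SessionStore:
    """Hypothetical server-side session table: sid -> {"user": str | None, "last_seen": float}."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: not guessable
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def get(self, sid: str):
        """Return the session if it exists and is not idle-expired; expired ones are dropped."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._clock()
        return session

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Fixation: authenticates whatever ID arrived, even one the attacker planted."""
        session = self._sessions.setdefault(sid, {"user": None, "last_seen": self._clock()})
        session["user"] = user
        session["last_seen"] = self._clock()
        return sid

    def login(self, sid: str, user: str) -> str:
        """Hardened: discard the pre-auth session and issue a fresh ID on authentication."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side; deleting the cookie in the browser alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: only over HTTPS, unreadable from script, not sent cross-site."""
    return f"SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def fixation_demo(login) -> bool:
    """Attacker plants a known ID, victim logs in with it: does the planted ID now authenticate?"""
    store = SessionStore()
    planted = "id-the-attacker-already-knows"
    login(store, planted, "alice")  # victim's login request carries the planted ID
    hijacked = store.get(planted)  # attacker now presents the same ID
    return hijacked is not None and hijacked["user"] == "alice"
```

Run `fixation_demo(lambda s, sid, u: s.login_vulnerable(sid, u))` and the planted ID comes back authenticated as alice; with `s.login` it comes back as nothing, because the only authenticated ID is one the server minted after the credentials were checked. The same `get` path enforces the short idle timeout, so a session left open on a public terminal dies on its own.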
Thank You