According to OWASP, Broken Authentication and Session Management is when ‘Application functions related to authentication and session management are not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.’ In other words, an attacker can obtain unauthorized access as another user because of a flaw in the implementation. Before exploiting this vulnerability you need to know a few concepts:
- What is a Session and why do we need a Session
- What is a Cookie
- What is Authentication
As you know, web applications work over HTTP, which is a stateless protocol: it cannot retain user activity by itself. In other words, a server cannot retain a memory of the identity/activity of each client (user) that connects to a web site. For example, if you log in to Facebook and change your profile picture, without some extra mechanism you would need to enter your credentials with every request sent to the server, since the server would not know who you are. So the question is, how does a server track a user's activity? A user cannot enter his/her credentials for every request. Here comes the Session... dun dun duuuhhhh!
What is a Session
A session is server-side storage of user information used to persist the user's activity with the web site. Usually the server generates a session for each connection with a unique session token, known as the Session ID. Take note: session values should be stored server side and not client side. For example, whenever you log in to a website, the server stores your information in its own session store and sends only the session ID to your browser as a cookie. That cookie is what later proves authenticity. Since the server has generated a session ID for the user, the client doesn’t need to provide its credentials on every subsequent request; the client (browser) stores the session ID as a cookie and sends it with each request. When the user clicks on the Logout link, the cookie containing the session ID should be deleted and the server should terminate the user’s session.
What is a Cookie
What is Authentication
Authentication is a security process that ensures and confirms a user’s identity, typically by Username/Password verification done by the server. Typically the process of authentication is:
- The user enters his login credentials
- The server verifies the user's credentials and creates a session, which is stored server side (for example in a database)
- A cookie with the session ID is placed in the user's browser
- On every subsequent request, the session ID sent by the client is looked up in the server-side store before the request is processed. If the ID from the client does not match an ID in the database, the request is not processed
- Once a user logs out of the app, the session is destroyed on both client and server
Now let's exploit this vulnerability in practice. Just fire up your bWAPP server (test server) and select ‘Broken Auth. – Insecure Login Forms‘. This bug may look silly, but it builds awareness: one must sift through the page source to find sensitive information. So, when you view the page source (right click on the page and select View Page Source), you should see the user credentials stored in the HTML. This lets an attacker authenticate with ease. In real-world applications you will see this only rarely, but in general we still sift through the HTML comments and hidden fields, and I would say that’s a good practice.
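As an added example (not code from the original post or from bWAPP), the following Python script automates the "sift through the page source" habit from a review stance: it parses an HTML page and reports HTML comments and hidden input fields whose names or contents look credential-related, so a developer or reviewer can catch them before a page ships. The keyword pattern and the sample HTML are my own constructed assumptions, not bWAPP's actual markup.

```python
from html.parser import HTMLParser
import re

# Heuristic keyword list for credential-looking names/comments (assumption: tune per application).
# CSRF "token" fields are deliberately not matched, since hidden anti-CSRF tokens are expected.
SENSITIVE = re.compile(r"(pass(word|wd)?|pwd|secret|api[_-]?key|login|user(name)?|cred)", re.I)


class CredentialLeakScanner(HTMLParser):
    """Collects hidden <input> fields and HTML comments that look credential-related."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, field_name_or_None, value_or_comment_text)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        label = a.get("name") or a.get("id") or ""
        # Flag hidden fields whose name/id suggests a credential and that carry a value
        if SENSITIVE.search(label) and a.get("value", "") != "":
            self.findings.append(("hidden-input", label, a["value"]))

    def handle_comment(self, data):
        # Developer notes in comments are shipped to every visitor; flag credential-looking ones
        if SENSITIVE.search(data):
            self.findings.append(("comment", None, data.strip()))


def scan_html(source):
    """Return a list of (kind, name, value) findings for the given HTML source."""
    scanner = CredentialLeakScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings


# Constructed sample page (not real bWAPP output) containing the two kinds of leak discussed above.
SAMPLE_HTML = """<html><body>
<!-- dev note: default login is demo_user / demo_pass -->
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="hidden" name="password" value="demo_pass">
  <input type="hidden" name="user" value="demo_user">
  <input type="text" name="username">
  <input type="submit" value="Login">
</form>
</body></html>"""


if __name__ == "__main__":
    for kind, name, value in scan_html(SAMPLE_HTML):
        print(f"{kind:13} {name or '-':10} {value}")
```

Run it against a saved copy of any page you own (`scan_html(open("page.html").read())`); the csrf_token field is intentionally left alone, while the comment and the two hidden credential fields are reported.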
Now we will see another code-level flaw. Select ‘Session Mgmt. – Administrative Portals’ and set the security level to ‘low‘. If you look at the URL ‘/bWAPP/smgmt_admin_portal.php?admin=0’, there’s a string appended after the ‘?’ with a value ‘0’, which means the session ID was passed in the query string where anyone can see and manipulate the value. Let’s change the value from ‘0’ to ‘1’.
So one can simply brute force the URL with different IDs. Also look at the bug ‘Session Mgmt. – Session ID in URL’.
Now, set the security level to ‘medium‘ on the Administrative Portals page and refresh the page (CTRL+R). If you look at the URL, there’s no query string with ‘admin’ any more. So, was the bug fixed? No0o0o. As a security analyst you should always look for numerous ways to find the flaw; in simple words, think like a developer: how did he fix that? Why don’t you check the cookies (press F12) and try modifying them? Fire up OWASP ZAP, Burp Suite or Fiddler to capture the request and compose a new request with the ‘admin’ cookie modified. Here I am using Fiddler. Capture the request and replay it using Composer, changing the value ‘0’ to ‘1’.
The other most common vulnerability is incorrect logout management. Select the bug ‘Broken Auth. – Logout Management’ and click on the ‘here’ link displayed on the page.
Once you click on ‘Yes’ you will be redirected to the Login page. But the session is still alive: just click the browser's Back button and you will be taken back to the /bWAPP/ba_logout.php page. Hence an attacker can easily perform a session fixation attack. We will learn about Session Fixation in another post in great detail. So we’ve learnt that Broken Authentication and Session Management covers all kinds of flaws caused by errors in the implementation of authentication and/or session management.
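The three mechanisms discussed above (the login/session flow, the Administrative Portals ‘admin’ flag, and Logout Management) can be shown in one small model. The following Python is an added example written for this page, not code from the original post or from bWAPP: it keeps session data server side, contrasts an access check that trusts a client-supplied admin=1 value with one that derives the role from the server-side session, and contrasts a logout that only clears the cookie with one that also invalidates the session on the server. The user table, cookie/query dictionaries and the demo() driver are constructed assumptions standing in for a real request/response cycle.

```python
import hmac
import secrets
import time

# Constructed user table: username -> (password, is_admin).  A real app stores password hashes.
USERS = {"alice": ("alice-pw", False), "admin": ("admin-pw", True)}

# Server-side session store: session_id -> session data.  The client only ever holds the id.
SESSIONS = {}


def login(username, password):
    """Verify credentials; on success create a server-side session and return its id (the cookie value)."""
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    sid = secrets.token_urlsafe(32)  # unpredictable id, never a counter or the user id
    SESSIONS[sid] = {"user": username, "is_admin": record[1], "created": time.time()}
    return sid


def set_cookie_header(sid):
    """Cookie attributes a defender wants on the session cookie (assumed header format)."""
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_session(cookies):
    """Look the client's session id up in the server-side store (None if unknown)."""
    return SESSIONS.get(cookies.get("session", ""))


# Vulnerable pattern from the Administrative Portals exercise: trusting a client-supplied flag,
# whether it arrives as ?admin=1 (low) or as an 'admin' cookie (medium).
def admin_portal_vulnerable(query, cookies):
    flag = query.get("admin", cookies.get("admin", "0"))
    return flag == "1"


# Hardened: the role comes only from the server-side session the id maps to.
def admin_portal_hardened(cookies):
    sess = current_session(cookies)
    return bool(sess and sess["is_admin"])


# Logout Management: telling the browser to drop the cookie is not enough ...
def logout_vulnerable(cookies):
    cookies.pop("session", None)
    return "Set-Cookie: session=; Max-Age=0"  # SESSIONS still honours the old id


# ... the server must forget the session too, so a replayed id is rejected.
def logout(cookies):
    sid = cookies.pop("session", None)
    SESSIONS.pop(sid, None)
    return "Set-Cookie: session=; Max-Age=0"


def demo():
    """Walk a non-admin user through both checks and both logouts; returns the observed outcomes."""
    results = {}
    sid = login("alice", "alice-pw")
    cookies = {"session": sid}
    results["alice_logged_in"] = current_session(cookies)["user"] == "alice"
    # alice sets admin=1 herself, exactly as in the Fiddler/Composer step
    results["vuln_grants_admin"] = admin_portal_vulnerable({"admin": "1"}, cookies)
    results["hardened_denies_admin"] = admin_portal_hardened(cookies)
    # keep a copy of the cookie, as a captured request would, and replay it after each logout
    captured = dict(cookies)
    logout_vulnerable(cookies)
    results["replay_after_bad_logout"] = current_session(captured) is not None
    logout(captured)
    results["replay_after_good_logout"] = current_session(captured) is not None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:26} {outcome}")
```

The hardened check never reads an ‘admin’ value from the client at all; the only client-controlled input is an opaque session id, and everything about the user is resolved on the server. Likewise the good logout is the one whose effect you can verify by replaying the captured request: it must fail.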
How to find this vulnerability
Secure code reviews and penetration testing can be used to diagnose authentication and session management problems. We must carefully review each aspect of the authentication mechanism to ensure that users’ credentials are protected at all times, including in transit. Though we haven’t covered the Forgot/Change Password features here, one must double-check the implementation of those mechanisms as well.