Some session tokens do not contain any meaningful data associating them with a particular user but are nevertheless guessable because they contain sequences or patterns that allow an attacker to extrapolate from a sample of tokens to find other valid tokens recently issued by the application. Even if the extrapolation involves an amount of trial … Read more
Session management mechanisms are often vulnerable to attack because tokens are generated in an unsafe manner that enables an attacker to identify the values of tokens that have been issued to other users. Meaningful Tokens Some session tokens are created using a transformation of the user’s user-name or email address, or other information associated with … Read more
The session management mechanism is a fundamental security component in the majority of web applications. It is what enables the application to uniquely identify a given user across a number of different requests, and to handle the data that it accumulates about the state of that user’s interaction with the application. Where an application implements … Read more
Implementing a secure authentication solution involves attempting to simultaneously meet several key security objectives, and in many cases trade off against other objectives such as functionality, usability, and total cost. In some cases “more” security can actually be counterproductive — for example, forcing users to set very long passwords and change them frequently will often … Read more
Some applications use elaborate login mechanisms involving multiple stages. For example: ■ Entry of a username and password. ■ A challenge for specific digits from a PIN or a memorable word. ■ The submission of a value displayed on a changing physical token. Multistage login mechanisms are designed to provide enhanced security over the simple … Read more
Even a well-designed authentication mechanism may be highly insecure due to mistakes made in its implementation. These mistakes may lead to information leakage, complete login bypassing, or a weakening of the overall security of the mechanism as designed. Implementation flaws tend to be more subtle and harder to detect than design defects such as poor … Read more
Some applications that support self-registration allow users to specify their own username, and do not enforce a requirement that usernames be unique. Although rare, the authors have encountered more than one application with this behavior. This represents a design flaw for two reasons: ■ One user who shares a username with another user may also … Read more
Some applications implement the facility for a privileged user of the application to impersonate other users, in order to access data and carry out actions within their user context. For example, some banking applications allow helpdesk operators to verbally authenticate a telephone user and then switch their application session into that user’s context in order … Read more
Applications often implement “remember me” functions as a convenience to users, to prevent them needing to reenter their username and password each time they use the application from a specific computer. These functions are often insecure by design and leave the user exposed to attack both locally and by users on other computers: ■ Some … Read more
Like password change functionality, mechanisms for recovering from a forgotten password situation often introduce problems that may have been avoided in the main login function, such as username enumeration. In addition to this range of defects, design weaknesses in forgotten password functions frequently make this the weakest link at which to attack the application’s overall … Read more