Top 10 2013-A2-Broken Authentication and Session Management

 Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if: See the ASVS requirement areas V2 and V3 for more details.
 * 1) User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
 * 2) Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
 * 3) Session IDs are exposed in the URL (e.g., URL rewriting).
 * 4) Session IDs are vulnerable to session fixation attacks.
 * 5) Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on  (SSO) tokens, aren’t properly invalidated during logout.
 * 6) Session IDs aren’t rotated after successful login.
 * 7) Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.

Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:

http:// example.com/sale/saleitems ;jsessionid= 2P0OC2JSNDLPSKHCJUN2JV? dest=Hawaii

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.

For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3).


 * OWASP Authentication Cheat Sheet
 * OWASP Forgot Password Cheat Sheet
 * OWASP Session Management Cheat Sheet
 * OWASP Development Guide: Chapter on Authentication
 * OWASP Testing Guide: Chapter on Authentication


 * CWE Entry 77 on Command Injection
 * CWE Entry 89 on SQL Injection
 * CWE Entry 564 on Hibernate Injection