OWASP Top Ten Series: Broken Authentication & Session Management


Broken Authentication and Session Management

Securely authenticating users, managing their sessions while they are connected, and ensuring proper logout when those sessions end are essential activities when delivering web applications, as are handling account creation, password change requests, and password resets. Each of these activities can provide a target for malicious attackers trying to compromise a web application.

What is the vulnerability and what can be done to mitigate it?

Poorly configured site authentication or session management can allow attackers to compromise passwords, site keys, or session tokens, or to spoof legitimate user identities. The ways in which authentication and session management can be compromised are shown below, with advice on how to mitigate the risk:

How to protect against Broken Authentication and Session Management vulnerabilities

The points above outline how to protect against the various vulnerabilities that can compromise authentication and session ID management. It’s also good practice to carry out regular reviews to ensure that users who have left an organisation no longer have access to their accounts. Engaging external penetration testers to try to breach a web application’s security is also a good idea. In addition, make sure that out-of-the-box settings for server and network security software are reviewed: default settings and accounts often provide known targets for attack. This topic will be covered in future posts about other vulnerabilities in the OWASP Top 10.
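To make the session-management side of this concrete, here is an added example (not KEMP's code or part of the original post) of a minimal server-side session store that applies the controls discussed: unguessable session IDs, a fresh ID issued at login, idle and absolute timeouts, server-side invalidation at logout, and bulk revocation for a user who has left. The class, method names and timeout values are hypothetical.

```python
import secrets
import time

# Added example, not KEMP's code: a minimal in-memory session store that
# applies the session-management controls the post describes. The names
# and the timeout values are hypothetical choices for illustration.

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic testing
        self._sessions = {}          # session_id -> {user, created, last_seen}

    def login(self, user, old_session_id=None):
        """Issue a brand-new random session ID and drop any pre-login
        session, so a fixated or guessed ID never becomes authenticated."""
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, session_id):
        """Return the user for a live session, or None. Expired sessions
        are removed rather than silently honoured."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[session_id]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, session_id):
        """Server-side invalidation; clearing the browser cookie alone is not enough."""
        return self._sessions.pop(session_id, None) is not None

    def revoke_user(self, user):
        """Kill every session of a user, e.g. when they leave the organisation
        or change their password. Returns the number of sessions removed."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```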

As stated in other articles in this series, it’s also vital that systems are kept up to date with the latest software versions, since security vulnerabilities and bugs are constantly being discovered and fixed. General network security infrastructure should be kept up to date as well: firewalls, content checkers, anti-malware systems and load balancers should be running the latest software patches. Additional security tools should also be deployed and kept up to date. The KEMP Web Application Firewall Pack (AFP) for LoadMaster includes tools that continuously monitor traffic to application and web servers. It detects and counters known vulnerabilities, including those outlined in the OWASP Top 10. The AFP pack is updated constantly by KEMP security experts so that vulnerabilities which developers and system administrators may not yet have heard about are countered.
