2012-10-04

Overview

Exploits Vulnerability in Authentication or Session Management
Passwords
Timeouts
Remember Me
Secret Question

According to the OWASP top 10 Web vulnerabilities, Broken Authentication and Session Management is number 3:
https://www.owasp.org/index.php/Top_10_2010-A3

Identify Vulnerabilities

Are credentials always protected when stored using hashing or encryption?
Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
Are session IDs exposed in the URL (e.g., URL rewriting)?
Are session IDs vulnerable to session fixation attacks?
Do session IDs timeout and can users log out?
Are session IDs rotated after successful login?
Are passwords, session IDs, and other credentials sent only over TLS connections?

The seven tips noted above are provided by OWASP. These are questions that should be asked of a Web server provider when assessing whether they are vulnerable to broken authentication and/or session hijacking.

Password Policies

Strength

A strong password policy is important. The longer the password, the stronger it is. Using a mix of character types and spaces dramatically increases the strength of a password.

Timeout

Incorporating a session timeout, after which the user must re-enter his password, is important for increasing network security, especially on the Web.

Changes

Users should be forced to frequently change their password. This policy should include not using personal information, like a birthday, and the password should not be a previously used password.
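The following is an added example (not from the original notes) showing how the password checklist item "credentials protected when stored using hashing" and the policy items above (minimum length, no personal information, no reuse of previous passwords) can be enforced together. The policy limits, the PBKDF2 iteration count and the history size are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Assumed policy values for this example; tune them to your own policy.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 200_000
HISTORY_SIZE = 5  # how many previous hashes are kept to block reuse


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; never store plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def check_policy(new_password: str, personal_info: List[str],
                 history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = new_password.lower()
    for item in personal_info:  # e.g. birthday, surname (constructed for the example)
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    for salt, digest in history:  # reuse check runs against stored hashes, not plaintext
        if verify_password(new_password, salt, digest):
            problems.append("matches a previously used password")
            break
    return problems


def change_password(record: Dict, new_password: str, personal_info: List[str]) -> List[str]:
    """Apply the policy; on success store the new hash and keep a bounded history."""
    problems = check_policy(new_password, personal_info, record.get("history", []))
    if problems:
        return problems
    salt, digest = hash_password(new_password)
    record["history"] = ([(salt, digest)] + record.get("history", []))[:HISTORY_SIZE]
    record["salt"], record["hash"] = salt, digest
    return []
```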

Single-Sign-On

Single-Sign-On is popular with employees but increases your security risks. Discovering a single-sign-on password can give a hacker the “keys to the kingdom”.

Application Security

Pretty Good Privacy (PGP)
Established by Phil Zimmermann in 1991, PGP is an encryption standard used primarily for e-mail. PGP utilizes public key cryptography for encrypting e-mail. Public key encryption implies that there are two keys: (a) a public key and (b) a private key. One key is used to encrypt a message to ciphertext while the other key decrypts the message to plaintext. PGP works well with a number of e-mail applications, including Microsoft Outlook.

Transport Layer Security (TLS)
TLS, and its predecessor Secure Sockets Layer (SSL), is a cryptographic protocol for secure Web server communications. This security protocol is used to prevent man-in-the-middle (MITM) attacks. A Website using TLS or SSL for client-server communications can be easily identified by its use of “https” in the URL. This extra layer of security is used by online banks and other Websites that maintain sensitive information. One might ask why everyone doesn’t use this extra layer of security. The reason is that there is a performance cost; Websites using TLS or SSL take longer to load, and some feel that this could be detrimental to their business.

Public Key Infrastructure (PKI)
As previously noted, public key encryption uses two keys for encryption and decryption. PKI uses a certificate authority. These digital certificates authenticate parties on the Internet.

Authentication:

Cookies
Many people mistakenly think that a “cookie” is malware. A cookie is nothing more than a text file. There are two types of cookies: (1) Session and (2) Persistent. A session cookie is a temporary text file that is deleted once you exit your Web browser. For example, when you visit your online banking site, you must have your “cookies enabled” so that the bank can issue you a temporary cookie once your identity has been verified. Each time you send a request (click a link or button on the Website), the bank (Web server) checks to see that you have the session cookie. The purpose of this is to prevent a man-in-the-middle attack where a hacker hijacks your session. The hacker will not have your cookie and therefore cannot impersonate you (in theory).

A persistent cookie exists after your Web browser is closed. Sometimes they are used to save your settings, which can include a saved login and password. Other persistent cookies are used to track your Web browser activity, which can then be sold to third parties for marketing purposes. These cookies will have an expiration date associated with them.
There are a number of programs, like CookieSpy, that enable you to view the contents of cookies.
Ad-Aware is an anti-spyware tool for removing persistent cookies used as spyware.

Cookie poisoning occurs when a hacker modifies the text in a cookie.

A hacker can also steal a cookie and use it for their own purposes. Cookies should therefore be sent only over connections encrypted with TLS or SSL.
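The following is an added example (not from the original notes) that turns the OWASP session checklist above (IDs rotated after login, idle timeout, logout, credentials only over TLS) and the session-cookie discussion into working code: a minimal in-memory session store plus the Set-Cookie attributes that keep the cookie off plain HTTP and away from scripts. The idle timeout value and the single-server in-memory store are assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60  # seconds; assumed policy value for this example


class SessionStore:
    """In-memory session table (assumption: one server). A clock can be injected for testing."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions: Dict[str, Dict] = {}  # session_id -> {"user": str|None, "last_seen": float}

    def new_session(self) -> str:
        # 256 bits from the OS CSPRNG: IDs cannot be guessed or enumerated.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID on successful login so an ID planted before login (fixation) is useless."""
        self.sessions.pop(old_sid, None)
        sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def current_user(self, sid: str) -> Optional[str]:
        """Return the logged-in user for a valid, non-expired session; None otherwise."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # expired: server-side state is dropped, not just the cookie
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Explicit logout invalidates the server-side record immediately."""
        self.sessions.pop(sid, None)


def set_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Secure: browser sends it only over HTTPS. HttpOnly: page scripts cannot read it."""
    return f"sessionid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
```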

Digital Certificates

A digital certificate is issued by a certificate authority (CA). It is used to identify an entity as being a trusted party. VeriSign is the largest issuer of digital certificates. An individual can actually visit a certificate authority, bring government-issued picture identification, and purchase a digital certificate. The certificate can then be used for trusted Internet communications.

A digital certificate is used as part of PKI in authenticating an individual or entity. PKI is a fast and efficient cryptographic protocol that was developed for use on the Internet. A legitimate client gains access to a Web server with a public key certificate but a hacker who does not possess a certificate will not be authenticated by a Web service.

Web browsers use digital certificates to verify that a Website being visited is legitimate.

Session Takeover

There are two types of session takeover attacks. The first is a targeted attack, where a hacker impersonates a particular individual to hijack their Web session. The second type of attack is called a generic attack; this is when a hacker attempts to impersonate any legitimate user to take over their session.

It is important to use encryption both during the authentication and session phases of client-server communications.

Additional Source: Dr. Darren Hayes
