OWASP A02 - Broken Authentication and Session Management

Showing 14 articles

#1

Cookie Security

Cookie security issues occur when all the measures available for protecting cookies are not fully implemented. Measures that can be used to protect cookies are listed in the Countermeasures section of...

#2

Hard-coded Credentials

Applications that use authentication need a method for storing credentials. Credentials might be stored for authenticating users to the application or for the application to authenticate to external s...

#3

Insufficient Authorization

Insufficient authorization vulnerabilities occur when the application allows a user to perform an action without checking if the user has sufficient privileges to carry it out. This allows attackers t...

#4

Parameter Tampering

A parameter tampering vulnerability occurs when an attacker can modify parameters used by a web application that have security implications. For example, a vulnerable application might allow an attack...

#5

Insufficient Authentication

Insufficient authentication vulnerabilities occur when the application allows users to perform sensitive operations or access sensitive information without properly checking their authentication crede...

#6

Cookieless Authentication

Most web applications use cookies to keep track of session state. Some applications use other mechanisms to keep track of authenticated sessions. These custom authentication schemes are usually vulner...

#7

Use of Hard-coded Password

Applications that use authentication need a method for storing passwords. One of the simplest ways to store passwords is to hard-code them into the application. This approach is not secure, because an...

#8

Data Leak Between Sessions

Data leaks between sessions occur when unintentional access to one session's data is provided to another session. Data leaks between sessions usually occur when session-specific data is stored in memb...

#9

Insufficient Password Recovery

Insufficient password recovery vulnerabilities occur when the application does not have an effective process to verify user identity when handling a "forgotten password" condition, and then either giv...

#10

Brute Force

Brute forcing is a broad term that refers to repeatedly performing a very simple, automated attack, which has a small chance of being successful for each iteration. The more iterations are performed,...

#11

Session Hijacking

Session hijacking (a.k.a. credential and session prediction) vulnerabilities occur when the application uses easy-to-predict session identifiers or other easy-to-predict methods to track user sessions...

#12

Session Fixation

Session fixation vulnerabilities occur when the application doesn't sufficiently protect session identifiers. This allows an attacker to hijack active user sessions. Most web application platforms p...

#13

Insufficient Session Expiration

Insufficient session expiration vulnerabilities occur when the application keeps user sessions active for an unreasonably long period of time. The correct amount of time to keep a user session active...

#14

Sensitive Cookie in HTTPS Session without Secure Attribute

When a cookie has the Secure flag set, that cookie will not be sent over a non-encrypted connection. If the Secure attribute is not set on a sensitive cookie, the cookie will be sent in plaintext and...