Broken Authentication and Session Management

Let me tell a real life incident which happened to me in 2k14.

I was in a 3-month training session and we were given tests every 4 days or so on the topic on which we were trained. The passing score was 80% and there were 10 questions. We found out that no matter whether we passed or failed, the exam portal allowed us to go back to the test using the back button and change the answers. I changed the answers in every test and passed without fear. It was the last day and a test day as well; I was fearless and confident that I would pass the exam easily with the trick. I failed the test in the first attempt, and when I clicked the back button... it did not work...

At that time it was just a trick, but now I know how serious a flaw this could be. What if you could log in to your bank account from a net cafe, and after you log out and leave, someone comes along and gains access to your account using this trick? I believe that you have got the notion and the severity of the issue as well.

EXAMPLE 1 – Broken Authentication – Logout Management

Screen 1: logging out of the session
[Screenshot: logout confirmation]
User is redirected to the login page
[Screenshot: the "magic" button]

EXAMPLE 2 – Broken Authentication – Insecure Login Forms

[Screenshot: login form]
User tries to log in using SQL injection
Hard luck; refer to the error shown


Right-click on the page and select “View page source”.

Here we have the login and password sitting in the page source, readable by anyone who views it.

EXAMPLE 3 – Broken Authentication – Password Attacks

[Screenshot: login form]
Intercept the request using Burp Suite
Send the request to Intruder

The Intruder tab turns orange once the request has been sent to it.

The highlighted portions are the attack positions.


Clear the attack positions (option on the right-hand side).


Add the positions again, but only for the username and password fields (shown below).


Choose the attack type; here I have chosen Cluster bomb – this will try all permutations and combinations of the username and password fields from the payload lists.

There are other attack types as well, but they differ only in how the payloads are combined and delivered.


Choose payload set 1 (username) and add the items. We can also upload a list of common usernames.


Below is list 1 with its entries.


Similarly, add a list for the password field.


Try any combination of username and password and you will most probably see an error message; copy that text.


Use the Options tab to flag responses that contain this error text.


Start the attack; you will see output similar to the one shown below. We can see the difference in the Length column. Moreover, there is no tick in the box that checks for the error text, so no error was returned – the brute-force login was successful.


EXAMPLE 4 – Session Management – Administrative Portals

Some pages are restricted only by variables that the user can change and that are not validated on the server side, with no ACLs either. Below is an example of this kind.

[Screenshot: locked admin portal]
[Screenshot: manipulated value]
[Screenshot: unlocked page]


  • Revealing error messages – they should be as generic as possible
  • Never hard-code usernames/passwords
  • Enforce a password policy
    • Minimum length
    • Maximum length
    • Use of special characters
    • Use of upper case and lower case
    • Username and password should not match (fully or partially)
  • Session ID handling – never disclose it in the URL
  • Use randomly generated tokens
  • Expiration policy
    • Time based (e.g. force logout after 10 minutes of inactivity)
    • Number of failed logon attempts to be limited
    • Lockout policy to be implemented
    • Combination of time based and lockout – as on the iPhone
  • Cookie security – Secure and HttpOnly flags to be set
  • Force logout on browser closure
  • Handling simultaneous session logons
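As an added example that is not part of the original post, here is a minimal server-side session handler in Python that puts several of the points above into practice: hashed rather than hard-coded passwords, a generic failure response, failed-attempt lockout, a random session token sent in a Secure/HttpOnly cookie, inactivity expiry, server-side invalidation on logout (so the back button cannot revive the session, as in Example 1), and an admin check that reads the role from the server-side session instead of a client-supplied value (Example 4). The user names, passwords, salt and timeouts are constructed for the demo.

```python
import hashlib, hmac, secrets

IDLE_TIMEOUT = 600   # seconds of inactivity before forced logout (10 minutes)
MAX_FAILED = 5       # failed logon attempts allowed before lockout
LOCKOUT = 900        # lockout duration in seconds
SALT = b"demo-salt"  # constructed; real code uses a random per-user salt

def _hash(pw):       # password hashing so no plaintext secret is stored or served
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

# Constructed user store; the role lives here, never in a client-editable value.
USERS = {"alice": {"hash": _hash("correct horse"), "role": "user"},
         "admin": {"hash": _hash("s3cret-adm1n"), "role": "admin"}}
sessions = {}   # session id -> {"user", "role", "last_seen"}
failures = {}   # username -> (failed count, locked_until timestamp)

def login(user, pw, now):
    """Return a fresh session id, or None with no hint about which field was wrong."""
    count, locked_until = failures.get(user, (0, 0))
    if now < locked_until:                       # lockout policy
        return None
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(pw)):
        count += 1
        failures[user] = (count, now + LOCKOUT if count >= MAX_FAILED else 0)
        return None
    failures.pop(user, None)
    sid = secrets.token_urlsafe(32)              # random token, not derived from user data
    sessions[sid] = {"user": user, "role": rec["role"], "last_seen": now}
    return sid

def set_cookie_header(sid):
    # Session id travels in a Secure, HttpOnly cookie, never in the URL.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"

def current_session(sid, now):  # resolve a presented id, expiring it on inactivity
    s = sessions.get(sid)
    if s is not None and now - s["last_seen"] > IDLE_TIMEOUT:
        sessions.pop(sid)                        # time-based expiry
        return None
    if s is not None:
        s["last_seen"] = now
    return s

def logout(sid):
    sessions.pop(sid, None)  # server-side invalidation: the back button cannot revive it

def admin_page(sid, now):  # authorise from the server-side role, not a request parameter
    s = current_session(sid, now)
    return 401 if s is None else (200 if s["role"] == "admin" else 403)
```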
