Day 11: OWASP Top 10 2021 – #7 Identification and Authentication Failures
When an application implements user authentication or session management incorrectly, attackers may be able to compromise passwords, keys or session tokens, or exploit other implementation flaws, and then assume the identities and permissions of other users, either for one session or permanently. Because authentication gates access to everything behind it, such a flaw jeopardizes the application itself, the data it holds and any other network-connected assets it can reach.
Identification is the ability to uniquely identify a user of a system, or an application using the system, for example by username. Authentication is the ability to verify that the person or program is who they claim to be. When either step is implemented badly, user credentials get misused and data breaches follow.
This category was called Broken Authentication in the 2017 list, where it held the second position. In 2021 it slid down to seventh and was renamed, and it now also includes CWEs related to identification failures alongside the authentication ones.
Impact of Identification and Authentication Failures
- Credential Stuffing: The attacker takes a list of username and password pairs leaked or stolen from other breaches and replays them against the login endpoint with automated tooling. Only a small fraction of the pairs will be valid, but because people reuse the same combination across many sites, a large enough list reliably yields working accounts.
- Brute Force Attacks: The attacker submits password guesses automatically, either every combination up to some length or, far more commonly, dictionary words and known-popular passwords first. Against a live login endpoint the guessing rate is bounded only by what the application tolerates, which is why missing rate limits and lockouts make these attacks practical; against stolen password hashes the same guessing runs offline at the speed of the attacker's hardware. Short passwords, dictionary words and predictable patterns fall first.
- Session Identifier Exposed in the URL: The session ID is the token by which the web server ties a sequence of requests to one authenticated user, so whoever holds it is that user. Placing it in the URL, as a query parameter or a path segment such as ;jsessionid=..., leaks it into browser history, bookmarks, proxy and server logs, and the Referer header sent to any third-party site linked from the page, letting anyone who sees it hijack the session. Eg.
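The three failure modes above can all be spotted from logs. The script below is an added example written for this post, not code from the original article or from OWASP. It runs over two constructed log fragments (an application authentication log with one line per login attempt, and a few web-server request lines), flags a single source hammering one account (brute force), a single source failing against many distinct accounts (credential stuffing), and session identifiers carried in URLs. The log formats, the list of session-parameter names and the thresholds of five are assumptions chosen for the example; tune them to your own logging.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed application auth log (not real traffic): one line per login attempt.
AUTH_LOG = """\
2023-10-11T10:00:01Z ip=192.0.2.10 user=alice result=OK
2023-10-11T10:00:05Z ip=192.0.2.11 user=carol result=FAIL
2023-10-11T10:00:09Z ip=192.0.2.11 user=carol result=OK
2023-10-11T10:01:00Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:01:01Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:01:02Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:01:03Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:01:04Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:01:05Z ip=203.0.113.7 user=bob result=FAIL
2023-10-11T10:02:00Z ip=198.51.100.23 user=alice result=FAIL
2023-10-11T10:02:00Z ip=198.51.100.23 user=carol result=FAIL
2023-10-11T10:02:01Z ip=198.51.100.23 user=dave result=FAIL
2023-10-11T10:02:01Z ip=198.51.100.23 user=erin result=FAIL
2023-10-11T10:02:02Z ip=198.51.100.23 user=frank result=FAIL
2023-10-11T10:02:02Z ip=198.51.100.23 user=gina result=FAIL
2023-10-11T10:02:03Z ip=198.51.100.23 user=hank result=OK
"""

# Constructed web-server access log fragment: request lines only.
ACCESS_LOG = """\
GET /account?sessionid=8f3a9c21d0 HTTP/1.1
GET /cart;jsessionid=7B2C9A0E HTTP/1.1
GET /search?q=shoes&page=2 HTTP/1.1
GET /help HTTP/1.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
# Assumed parameter names under which frameworks commonly carry a session identifier.
SESSION_PARAMS = {"sessionid", "jsessionid", "phpsessid", "sid", "session", "token"}


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed auth-log format into dicts with ts, ip, user, result."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def detect_brute_force(events, threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Brute force: many failures against ONE account from one source."""
    fails = Counter((e["ip"], e["user"]) for e in events if e["result"] == "FAIL")
    return {pair: n for pair, n in fails.items() if n >= threshold}


def detect_credential_stuffing(events, min_accounts: int = 5) -> Dict[str, int]:
    """Credential stuffing: one source failing against MANY distinct accounts
    (replayed leaked pairs, most of them stale or never valid here)."""
    accounts = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            accounts[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in accounts.items() if len(u) >= min_accounts}


def find_session_ids_in_url(url: str) -> List[Tuple[str, str]]:
    """Return (location, parameter name) for session identifiers carried in the URL itself."""
    parts = urlsplit(url)
    hits = [("query", name) for name in parse_qs(parts.query, keep_blank_values=True)
            if name.lower() in SESSION_PARAMS]
    for segment in parts.path.split("/"):            # Java-style path parameter: /cart;jsessionid=...
        for param in segment.split(";")[1:]:
            name = param.split("=", 1)[0]
            if name.lower() in SESSION_PARAMS:
                hits.append(("path", name))
    return hits


def scan_access_log(text: str) -> List[Tuple[str, str, str]]:
    """Apply find_session_ids_in_url to the request target of every request line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            hits.extend((fields[1], where, name) for where, name in find_session_ids_in_url(fields[1]))
    return hits


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("brute force:", detect_brute_force(events))
    print("credential stuffing:", detect_credential_stuffing(events))
    print("session IDs in URLs:", scan_access_log(ACCESS_LOG))
```

The two detectors key on different things on purpose: brute force is a (source, account) pair with many failures, while stuffing is a source touching many accounts with few attempts each, so a per-account lockout alone will never catch it. Note that the stuffing source in the sample also logs one success, which is exactly the event worth alerting on.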
Remedy to Identification and Authentication Failures
The following are the primary OWASP best-practice recommendations for lowering identification and authentication risk:
- Implement multi-factor authentication wherever possible; it defeats credential stuffing, brute force and reused-credential attacks even when the password itself is known.
- Never ship or deploy with default credentials, particularly for administrative users.
- Enforce strong passwords: check new or changed passwords against a list of known-breached passwords and apply sensible length rules, rather than complexity rules that push users toward predictable patterns.
- Watch for failed login attempts: limit or increasingly delay them, log every failure, and alert when credential stuffing, brute force or other attacks are detected. Return the same response for every outcome of login, registration and password recovery so that usernames cannot be enumerated.
- Use a secure, server-side session manager that generates a new random, high-entropy session ID after login, stores it securely and invalidates it on logout and after idle and absolute timeouts. Never include a session ID in a URL.
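To show what those five recommendations look like together in code, here is an added example written for this post; it is not code from the original article or from OWASP. It builds a small in-memory login service with salted PBKDF2 password hashing, a denylist-based password policy, a TOTP second factor, per-account lockout after repeated failures, a decoy hash so that unknown usernames cost the same as wrong passwords, and random 256-bit session IDs that live server-side and are issued only as a hardened cookie. The iteration count, lockout and timeout values and the denylist are assumptions chosen for the demo (the iteration count in particular is lowered so it runs quickly); the clock is injectable so expiry and lockout can be exercised without waiting.

```python
import hmac
import secrets
import time
from hashlib import pbkdf2_hmac
from typing import Callable, Dict, List, Optional, Tuple

# OWASP's Password Storage Cheat Sheet recommends 600,000 PBKDF2-HMAC-SHA256 iterations
# (or Argon2id/bcrypt); lowered here only so the demo runs quickly.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 8
MAX_FAILURES = 5                  # failed logins before the account is locked (assumed value)
LOCKOUT_SECONDS = 15 * 60
SESSION_TTL_SECONDS = 15 * 60     # idle timeout; a real service also needs an absolute one
TOTP_STEP = 30
# Constructed denylist: factory defaults and breached favourites the service must refuse.
DENIED_PASSWORDS = {"admin", "password", "123456", "qwerty", "changeme", "toor"}

Account = Tuple[bytes, bytes, bytes]  # (salt, password digest, TOTP secret)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the position of the first mismatch does not leak."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def password_policy_errors(username: str, password: str) -> List[str]:
    """Length and denylist checks in the NIST SP 800-63B style; no composition rules."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"is shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in DENIED_PASSWORDS or password.lower() == username.lower():
        errors.append("is a well-known default, a breached password, or the username")
    return errors

def totp(secret: bytes, timestamp: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the second factor in this demo."""
    counter = int(timestamp // TOTP_STEP).to_bytes(8, "big")
    mac = hmac.new(secret, counter, "sha1").digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class AuthService:
    """Login with lockout, MFA and server-side sessions; the clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.users: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, float]] = {}    # sid -> (username, expires)
        self.failures: Dict[str, Tuple[int, float]] = {}    # username -> (count, locked_until)
        # Verified against when the username is unknown, so that path costs the same as a
        # wrong password and response timing does not reveal which usernames exist.
        self._decoy: Account = (*hash_password(secrets.token_urlsafe(16)), secrets.token_bytes(20))

    def register(self, username: str, password: str) -> bytes:
        errors = password_policy_errors(username, password)
        if errors:
            raise ValueError("password " + "; ".join(errors))
        totp_secret = secrets.token_bytes(20)   # provisioned into the user's authenticator app
        self.users[username] = (*hash_password(password), totp_secret)
        return totp_secret

    def login(self, username: str, password: str, otp: str) -> Optional[str]:
        """Return a fresh session ID on success, None on any failure (the reason is not disclosed)."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                         # locked: credentials are not even evaluated
        salt, digest, secret = self.users.get(username, self._decoy)
        pw_ok = verify_password(password, salt, digest)
        # Accept the current code and one step either side to absorb clock skew.
        otp_ok = any(hmac.compare_digest(otp, totp(secret, now + d * TOTP_STEP)) for d in (-1, 0, 1))
        if username not in self.users or not (pw_ok and otp_ok):
            count += 1
            self.failures[username] = (count, now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0)
            return None
        self.failures.pop(username, None)
        sid = secrets.token_urlsafe(32)         # 256 random bits, kept server-side, sent only as a cookie
        self.sessions[sid] = (username, now + SESSION_TTL_SECONDS)
        return sid

    @staticmethod
    def session_cookie(sid: str) -> str:
        """Set-Cookie value: HttpOnly hides it from scripts, Secure keeps it off plain HTTP, SameSite limits CSRF."""
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}"

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session ID, dropping the server-side record once it has expired."""
        username, expires = self.sessions.get(sid, ("", 0.0))
        if not username or self.clock() >= expires:
            self.sessions.pop(sid, None)
            return None
        return username

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)            # invalidate server-side, not merely expire the cookie
```

Two details are easy to miss. The lockout check happens before any credential is evaluated, so a locked account costs the attacker nothing but also gives the service nothing to hash; and the decoy account is hashed on every unknown-username attempt for the same reason the failure response carries no reason text: both keep the login endpoint from confirming which usernames exist.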
CWEs List for Identification and Authentication Failures
References To Get More Understanding of Identification and Authentication Failures
This will be all for the Day 11 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊