Top Bug #2: Broken Authentication and Session Management
One of the most important things to understand when hunting for vulnerabilities is that a good deal of analysis has to happen before we even start looking for bugs. OWASP ZAP helps during that analysis by showing us the request and the response of every call.
Broken Authentication occurs in many forms and depends heavily on how the programmer implemented the authentication. We need to consider every kind of weakness that could have been introduced into the system.
There are different attack scenarios, such as:
- URL rewriting (the session ID is carried in the URL, where it leaks through logs, bookmarks and Referer headers)
- Missing or overly long session timeout
- Predictable session IDs
- Weak hashing or encryption of credentials or tokens
See OWASP Top 10 Broken Authentication and Session Management
Where is it Broken?
Our next exercise requires us to analyze these possible scenarios. Open the Security Ninja vulnerable app and go to the second exercise, A2.
The challenge consists of logging in as User2 even though we do not have that user's credentials. As mentioned above, there are different attack scenarios and we need to find out which one applies in this case.
Exercise:
- Open OWASP ZAP.
- Configure your browser to use ZAP as its proxy and start Security Ninja.
- Log in as User1 and analyse all the requests and responses for each step.
The pages involved are:
- The first page, the login form: http://192.168.59.103:8899/a2.html
- The second page, which processes the submitted credentials: http://192.168.59.103:8899/a2.php
- The last one, a hyperlink that shows the user's details: http://192.168.59.103:8899/user_details.php
Pay particular attention to the request, and especially to the response, once the user reaches the a2.php page: that is where the server answers the login and hands back whatever identifies the session from then on.
Session IDs
Improper session management is, in this case, specifically about session IDs: the way a session ID is created. There are rules developers must follow to avoid this kind of mistake, and one of the key recommendations is to generate an unpredictable session ID. The OWASP Session Management Cheat Sheet gives a clear description of the properties a session ID must have to be considered properly generated, among them at least 64 bits of entropy from a cryptographically secure random number generator and no meaning or structure an attacker could exploit.
Thinking out of the box when black boxing
We did not develop this application and we know nothing about the implemented code. If we look at the session ID we find a long number. Some of the questions a bug hunter should ask are:
- Does this number look predictable?
- Is it produced with weak encryption or hashing?
- Does the session have a proper timeout?
If we look at predictability, the ID does not seem to follow a sequence, such as incrementing integers. However, the hashing or encryption behind it could still be weak.
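The first two questions above can be answered in part mechanically. The script below is an added example, not code from this page or from Security Ninja: paste a handful of session IDs collected in ZAP's History tab (log in as User1 several times) into a list and it checks whether they form a counter, look like a clock value, reproduce as an unsalted hash of a guessable input such as the user name or numeric user ID, or simply carry too little entropy. The sample IDs, the user names User1/User2 and the numeric IDs 1 and 2 used as hash candidates are all constructed assumptions, not values captured from the application.

```python
"""Added example (not code from the Security Ninja page): offline checks on a
handful of session IDs pasted from ZAP's History tab after several logins.
All sample IDs below are constructed, not captured from the application."""
import hashlib
import math
from collections import Counter

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths

def sequence_step(ids):
    """Constant step between consecutive decimal IDs (a counter), else None."""
    if len(ids) < 2 or not all(s.isdigit() for s in ids):
        return None
    nums = [int(s) for s in ids]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return steps.pop() if len(steps) == 1 else None

def timestamp_like(sid):
    """'s', 'ms' or 'us' if a decimal ID sits in the range of a Unix time
    (clock-derived IDs can be approximated by an attacker), else None."""
    if not sid.isdigit():
        return None
    n = int(sid)
    for unit, low in (("s", 10**9), ("ms", 10**12), ("us", 10**15)):
        if low <= n < 2 * low:
            return unit
    return None

def hex_digest_type(sid):
    """Hash whose hex digest has this length and charset, else None.
    Length alone proves nothing; it only says which hash to try."""
    try:
        int(sid, 16)
    except ValueError:
        return None
    return HASH_LENGTHS.get(len(sid))

def find_weak_hash(sid, candidates):
    """(algorithm, preimage) if the ID is a plain hash of a guessable input,
    else None. A hit means a session can be forged for any known user."""
    algo = hex_digest_type(sid)
    if algo is None:
        return None
    for cand in candidates:
        if hashlib.new(algo, cand.encode()).hexdigest() == sid.lower():
            return algo, cand
    return None

def entropy_bits(sid):
    """Crude estimate: Shannon entropy per character times length. Catches
    counters and timestamps only; a hash of a user name looks random here,
    which is why find_weak_hash exists."""
    n = len(sid)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(sid).values())
    return per_char * n

def guessable_inputs(usernames, user_ids):
    """Inputs a developer might hash into a 'token': names, numeric IDs and
    the usual concatenations of the two (assumed candidate list)."""
    cands = set()
    for u in usernames:
        cands.update({u, u.lower(), u.upper()})
    for i in user_ids:
        cands.add(str(i))
        for u in usernames:
            cands.update({f"{u}{i}", f"{u}:{i}", f"{i}:{u}"})
    return sorted(cands)

def analyze(ids, candidates):
    """Run every check over a sample of IDs and return a list of findings."""
    findings = []
    step = sequence_step(ids)
    if step is not None:
        findings.append(f"sequential: each ID is the previous one + {step}")
    for sid in ids:
        unit = timestamp_like(sid)
        if unit:
            findings.append(f"{sid}: looks like a Unix timestamp in {unit}")
        hit = find_weak_hash(sid, candidates)
        if hit:
            findings.append(f"{sid}: {hit[0]}({hit[1]!r}), forgeable for any known user")
        bits = entropy_bits(sid)
        if bits < 64:
            findings.append(f"{sid}: ~{bits:.0f} bits of entropy, OWASP asks for 64")
    return findings

# Constructed samples: three logins each for a counter, a clock, a hash of the
# user name and a properly random generator.
COUNTER_IDS = ["1000001", "1000002", "1000003"]
CLOCK_IDS = ["1700000000123", "1700000004871", "1700000009002"]
HASHED_IDS = [hashlib.md5(u.encode()).hexdigest() for u in ("User1", "User2")]
RANDOM_IDS = ["3fa85f6457174562b3fc2c963f66afa6",
              "9b1deb4d3b7d4bad9bdd2b0d7b3dcb6d",
              "e1c0b9b2f5a34f0ea2b1d5f3c7a9e8d4"]
CANDIDATES = guessable_inputs(["User1", "User2"], [1, 2])

if __name__ == "__main__":
    for ids in (COUNTER_IDS, CLOCK_IDS, HASHED_IDS, RANDOM_IDS):
        print(analyze(ids, CANDIDATES) or ["nothing obvious; sample more IDs"])
```

Two caveats. The entropy figure is a property of one string, not of the generator, so a clean result there is not proof of randomness; the weak-hash check is what actually tells you whether an ID is derived from something you can guess, and it is only as good as the candidate list you feed it. The third question, the timeout, cannot be answered from the ID alone: reuse a captured ID after logging out, and again after waiting a while, and see whether user_details.php still answers with the user's data.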