Risk A2 in OWASP: Broken Authentication and Session Management.
In our post "What is OWASP and why every developer should know it" we gave an introduction to OWASP and explained why it matters in web application development. Within the OWASP Top Ten project we will look a little more closely at each of the ten most critical security risks in web applications. Today it is the turn of Risk A2: Broken Authentication and Session Management.
Definition
This risk covers how the web application handles authentication and session information. User accounts, passwords and session identifiers must all be properly protected.
Examples
- A login that can be brute-forced with a dictionary attack.
- A login that can be bypassed through SQL injection.
- Session identifier theft by sniffing network traffic.
Prevention
- Implement multifactor authentication, such as one-time passwords (OTP).
- Do not use default passwords in applications (e.g. admin, password, 123456, ...).
- Implement password policies that follow the NIST guidelines.
- Make sure credential management flows such as password recovery are secure.
- Slow down or limit failed authentication attempts. Record each failed attempt and alert administrators to a possible brute-force attack.
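As an added example (not code from the original post), the following Python sketch implements the last prevention items: a NIST-style password blocklist check and a per-account throttle that delays repeated failed logins, records each failure, and raises an alert once a threshold is crossed. The class, parameter names and the password denylist are assumptions made for this illustration.

```python
import logging
from collections import defaultdict

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("auth")

# Constructed denylist standing in for a real common/breached-password list.
COMMON_PASSWORDS = {"admin", "password", "123456", "qwerty", "letmein"}


def password_allowed(password: str) -> bool:
    """NIST-style check: sensible length bounds and no blocklisted values."""
    return 8 <= len(password) <= 64 and password.lower() not in COMMON_PASSWORDS


class LoginThrottle:
    """Track failed logins per account, delay further attempts, alert on a burst."""

    def __init__(self, window=600, alert_after=5, base_delay=1.0, max_delay=60.0):
        self.window, self.alert_after = window, alert_after
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(list)  # username -> timestamps of recent failures

    def _recent(self, user, now):
        # Drop failures older than the window and return the live list.
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window]
        return self.failures[user]

    def required_delay(self, user, now):
        """Seconds to wait before evaluating another attempt (0 = no delay).
        Doubles with each recent failure, capped at max_delay."""
        n = len(self._recent(user, now))
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record_failure(self, user, source_ip, now):
        """Log the failure; return True when the alert threshold is reached."""
        self._recent(user, now).append(now)
        count = len(self.failures[user])
        log.info("auth_failure user=%s ip=%s recent_failures=%d", user, source_ip, count)
        if count == self.alert_after:
            log.warning("ALERT possible brute force user=%s ip=%s", user, source_ip)
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure history for that account."""
        self.failures.pop(user, None)
```

A real deployment would persist the failure counters in shared storage and key them by source address as well as account.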