Broken Authentication and Session Management Vulnerability: A Case Study of Web Application

Web applications have extensively taken over the roles of automation and enhancement of existing solutions, and they provide different services to the many users of an application. In recent times, the performance of web services is measured through two important properties: authentication and session management. User authentication becomes crucial when a valid user of the web application improperly discontinues their communication while the session remains active and an unauthorized user picks up the same session to gain access to the system. The risk of Broken Authentication and Session Management exploitation is growing enormously because of attackers' creative skills, weak system design and improper implementation of web applications. The consequence of such exploitation may be not only identity theft but also the removal or tampering of confidential information.
I. INTRODUCTION

More than three billion people around the world use the internet and web applications via a variety of devices because of their friendly usability and easy accessibility from anywhere at any time. Currently, web applications are the first step in automating the basic activities of day-to-day life by upgrading existing solutions. For this reason, most organizations and service providers, e.g. industry, banks, government, educational, medical and other sectors, like to deliver their services to their customers through web applications. On the other hand, the risk of exploitation of these web applications by cyber attackers increases every day. A survey reveals that more than 82.8% of web service providers use the PHP platform to build their web applications because of its easier coding practice.
There are some common types of vulnerability in web applications, such as Structured Query Language Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Local File Inclusion (LFI), Remote File Inclusion (RFI), Local File Disclosure (LFD), Broken Authentication, Session Management, etc. Broken Authentication and Session Management vulnerabilities are often found due to improper implementation of user authentication and management of active sessions, and they form one of the top two risks according to OWASP. Although different frameworks and functions provide proper authentication and session management, customized authentication and session management are often built by developers, which may lead to exploitable Broken Authentication and Session Management vulnerabilities. In 2015, Bangladesh faced a cyber-war against Pakistan in which Pakistani hackers defaced more than 180 web sites of Bangladesh that had Broken Authentication issues. The percentages of vulnerability exploitations by the Pakistani hackers were 63% Broken Authentication vulnerability, SQL injection in 26% of sites, and other exploitations on 11% of the web applications.

II. BROKEN AUTHENTICATION & SESSION MANAGEMENT

Broken Authentication is a kind of web vulnerability which occurs due to the misconfiguration of session management. After an authentication process is completed, a session is created and activated for data communication between the server and a particular user. Fig. 1 represents the problem of Broken Authentication by exploiting the session mismanagement problem. If any intruder can get access to the active session of a specific user, bypassing the authentication process, the scenario is treated as a Broken Authentication problem of the given application. Fig. 1 represents the overall process of user authentication and session management.
Figure 1. Authentication and Session Management Process

A session request is raised by a user of a web application through the login page, where the user's credentials are provided. Once the request has been sent from the client side to the server side, the server initiates a query to the database to check whether the user-provided credentials match the record in the database or not. As soon as the validation process is successful, a session with a specific ID is allocated for the user to communicate with the application. The user can then access the system with the privileges granted by the administrator of the system in order to obtain different services. A valid session works for a certain duration which is predefined by the system designer. The browser stores the user credential in the authentication cookie so that the session continues after its period has expired, by sending the authentication information to the server side. This process is performed automatically behind the user interface, which reduces the effort of the user to authenticate repeatedly. However, an intruder can catch and get access into another user's active session by using different applications like cookie manager, eat my cookie, advanced cookie manager, etc., in case the user missed closing the session as directed by the application designer.
There are some exploitation techniques used to exploit Broken Authentication & Session Management. The types are given below:

A. General Broken Authentication & Session Management Exploitation

Broken Authentication and Session Management have different types of exploitation techniques, which are discussed in this paper. A manual penetration testing method has been used to check the above vulnerability in web applications in the public and private sector of Bangladesh. Fig. 2 represents the general Broken Authentication & Session Management exploitation technique. It continuously sends requests with generated user credentials until the system finds them correct. As soon as the guessable credentials match the database, the system sends a response to the attacker with access to the account or admin panel. It is worth mentioning here that many systems are easily exploitable due to the use of weak passwords like admin admin, admin123, etc.

Figure 2. General Broken Authentication & Session Management Exploitation.

B. Exploitation Techniques

The five types of Broken Authentication & Session Management exploitation techniques are discussed below.

i) Session Misconfiguration Attack: Session duration is one of the major factors in maintaining a secure authentication process for web applications. As soon as the user credential is validated by the system, it assigns a session for the particular user with a session ID for a limited period of time. In case the developer of the web application sets the session duration parameter to a large value, the session will remain active for that period if the user does not log off their account as directed by the designer of the application. Therefore, that session can be re-established and re-used by an intruder, which leads to Broken Authentication. Session misconfiguration is one of the most critical areas for Broken Authentication and Session Management vulnerability. The attacker uses the browser, Google dorks, and no-redirection add-ons for bypassing the admin panel in the session misconfiguration exploitation process. The session misconfiguration exploitation process is described in four steps.

Step 01: Attacker uses a Google dork to search for vulnerable web sites, e.g. inurl:apanel/admin/;
Step 02: Google returns the list of possibly vulnerable web sites (in Fig. 3);

Figure 3. Search vulnerable web site using Google dork.

Step 03: The list of possibly vulnerable web sites is observed (in Fig. 4) and the attacker selects specific URLs with an index file like inurl:apanel/admin/index.php. The browser sends a request to the server to get access to the admin panel directly without using a username and password. JavaScript redirects the request and sends the attacker to the login page.

Figure 4. Session Misconfiguration Attack Exploitation process.

Step 04: Fig. 5 shows the installation process of the no-redirect add-on in the Firefox browser, where the target website URL is added to the add-on to gain access to the admin panel by preventing redirection of the request. The no-redirect add-on helps the attacker bypass the admin panel, and the intruder gains privileged access to the system.

Figure 5. Bypassing admin panel using no-redirect add-ons in Firefox browser.

ii) Using Cracking/Guessing Weak Password Exploitation

Due to lack of awareness about password management, some non-technical users keep their password in a generic form like admin, password, mypassword, password123, admin1997 etc., and in some cases the user keeps the default password for access to the system, which is easy for an attacker to guess in order to get access to the system. It is an automated process of cracking/guessing users' weak passwords. The attacker gives the user login link to Hydra, which checks a predefined dataset to try to find the username and password. Fig. 6 represents Cracking/Guessing Weak Password exploitation using the multiprotocol brute force tool Hydra. Finally, Hydra shows whether the username and password are found or not.

Figure 6. Cracking/Guessing Weak Password exploitation using multiprotocol brute force tool Hydra.

iii) Exploiting Authentication problem

Web application authentication systems are handled by using conditional queries to check the username and password against one user for authentication. If these conditional queries get infected or are not properly handled, the system could easily be compromised by an intruder to gain access without proper authentication.

iv) Decoding Inadequate Encryption

In some web applications, privacy measures are not properly handled by the developers. Therefore, an attacker can steal the session ID of a user by exploiting the security flaw of disclosing the session ID in the URL of the system, e.g.

http://www.demosite.com/transactions/saleitems?sessionid=7892384838&dest=demouser

The example shows that the session ID of demouser's transaction has been disclosed publicly in the URL. As such, it is not very difficult for an attacker to steal another user's session ID just by changing the session ID value in the URL. The attack is feasible because of the inadequate encryption of the session ID value. After changing the value of the session ID, it will look like the below:

http://www.demosite.com/transactions/saleitems?sessionid=7892384839&dest=attackername

v) Other Vulnerabilities

Web application vulnerabilities allow users to disclose sensitive information of users or systems. They also cause major harm in other circumstances, e.g. they allow users to execute malicious queries in the system if the system is vulnerable to XSS, and they allow attackers to post malicious links for phishing to steal the session of the victim, etc. Forgotten password functionality, relying on the IP address for the session, emailing user credentials, not authenticating a user before changing the password, and not having adequate timeouts for inactive sessions are also reasons for Broken Authentication.
Among the sample, 56% of websites were found with Broken Authentication and Session Management vulnerability. All five exploitation types of the Broken Authentication and Session Management vulnerability were present in those websites.

III. PREVENTION TECHNIQUES FROM BROKEN AUTHENTICATION AND SESSION MANAGEMENT VULNERABILITY

Basic guidelines for managing sessions are provided below for preventing the given types of exploitation. It is to be noted that all the solution examples are given in PHP code.
A. Session ID Life Cycle

Session IDs can be handled in two modes, i.e. permissive and strict. The permissive mechanism initially accepts any session ID value set by a user to create a new session. On the contrary, the strict mechanism forces the web application to accept only session ID values generated by the system. If web applications do not validate and filter out invalid session ID values before processing, they can potentially be used by an attacker to exploit other web vulnerabilities as well. The session ID must be renewed or regenerated whenever the same user upgrades/decreases their user privilege level.

B. Session Reset

A session is built up when an authenticated user logs in. The system preserves authentication cookies for validating the user during their active session. These session cookies should be reset after the user logs out of the system to ensure confidentiality. After a user logs out, the module should end with the following type of code:

if (isset($_REQUEST['LOGOUT'])) {
    $_SESSION = array();                                // drop all session data
    setcookie(session_name(), '', time() - 3600, '/');  // expire the session cookie in the browser
    session_destroy();                                  // destroy the server-side session
}

C. Session Expiration

Session hijacking is a type of attack by which an attacker exploits an active session. Therefore, it is necessary for the developer of the web application to set expiration timeouts for every session to prevent session hijacking attacks. The developer should also ensure a mechanism to keep the session active as long as the valid user remains at work. Irregular session expiration increases different types of session-based attacks, as the attacker could reuse valid session IDs and also hijack the associated active sessions. An example of cookie expiration is shown below:
Set-Cookie: id=; Expires=Fri, 15-Jul-17 18:45:00 GMT

D. Cookies

The cookie-based session ID exchange mechanism provides numerous security properties in the form of cookie attributes, which can be used to safeguard the exchange of the session ID.

E. Session Attacks Detection

When an attacker tries to guess or brute force a valid session ID, or to analyze the predictability of the session ID using statistical analysis, multiple sequential requests against the target web application have to be launched using different session IDs from a single or multiple IP addresses. The web application's firewall has to have the capability to detect the above scenario based on the number of attempts that the system observes from different session IDs. An alert to the administrator has to be ensured, and the offending IP addresses blocked, by analyzing the payload.
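The detection logic described above, as an added example written for this page (not the paper's own code), run over a few constructed access-log lines; the log format, the session-ID field and the threshold of five distinct IDs per client IP within 60 seconds are assumptions:

```php
<?php
// Added example (not from the paper): flag clients that cycle through many
// session IDs in a short window, the Sec. E brute-force / predictability scenario.

const MAX_DISTINCT_IDS = 5;   // distinct session IDs one client may present per window (assumed)
const WINDOW_SECONDS   = 60;  // sliding window length (assumed)

// Constructed log lines: "<epoch> <client-ip> <status> <session id from the Cookie header>"
$logLines = [
    '1700000000 203.0.113.9 403 a1b2c3d4',
    '1700000001 203.0.113.9 403 a1b2c3d5',
    '1700000002 203.0.113.9 403 a1b2c3d6',
    '1700000003 203.0.113.9 403 a1b2c3d7',
    '1700000004 203.0.113.9 403 a1b2c3d8',
    '1700000005 203.0.113.9 403 a1b2c3d9',
    '1700000010 198.51.100.4 200 9f8e7d6c',   // normal user: one ID, reused
    '1700000020 198.51.100.4 200 9f8e7d6c',
];

/** Returns [ip => peak distinct-ID count] for every client exceeding MAX_DISTINCT_IDS. */
function detect_session_guessing(array $lines): array
{
    $perIp = [];                                        // ip => list of [timestamp, session id]
    foreach ($lines as $line) {
        if (!preg_match('/^(\d+) (\S+) (\d{3}) (\S+)$/', $line, $m)) {
            continue;                                   // skip malformed lines
        }
        [, $ts, $ip, , $sid] = $m;
        $perIp[$ip][] = [(int) $ts, $sid];
    }

    $offenders = [];
    foreach ($perIp as $ip => $events) {
        usort($events, fn($a, $b) => $a[0] <=> $b[0]);  // chronological order
        $window = [];                                   // events inside the last WINDOW_SECONDS
        foreach ($events as $event) {
            $window[] = $event;
            while ($event[0] - $window[0][0] > WINDOW_SECONDS) {
                array_shift($window);                   // drop events that fell out of the window
            }
            $distinct = count(array_unique(array_column($window, 1)));
            if ($distinct > MAX_DISTINCT_IDS) {
                $offenders[$ip] = $distinct;            // record the count that tripped the rule
                break;
            }
        }
    }
    return $offenders;
}

foreach (detect_session_guessing($logLines) as $ip => $n) {
    // In a WAF this is the point where the administrator is alerted and the address blocked.
    echo "ALERT: $ip presented $n distinct session IDs within " . WINDOW_SECONDS . "s\n";
}
```

With the constructed lines only 203.0.113.9 is reported; 198.51.100.4 reuses a single ID and stays below the threshold.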

F. Client-Side Defenses for Session Management

Maintaining a web application's session using JavaScript validation for client-side protection is a common way to make it safe from general users. Although it is not enough to defend against a skilled intruder, it may provide another layer of security. An attacker can bypass this client-side protection using advanced tools (e.g. Burp Suite) and techniques. Therefore, server-side security needs to be addressed properly.
Confidential pages must strictly use the defined system session to be secure from unauthorized access. Proper session maintenance is the main key to reducing the Broken Authentication vulnerability. Insecure sessions are generally compromised by attackers to interrupt the general session mechanism. In this case, developers need to take some initiatives, described below, for proper management of sessions.

i) Predefined Session Period:

A session should be started only after proper validation of the user's credentials, i.e. username and password. The session cookie will be used to authenticate the user continually as long as the user stays active in the system. If the user is found without any activity for a certain period, the session will be destroyed automatically by the system. A sample of the automatic session destroy code is given below:

if (isset($_SESSION['ACTIVITY']) && (time() - $_SESSION['ACTIVITY'] > 1200)) {
    // the previous request was more than 20 minutes ago
    session_unset();     // clear all session variables
    session_destroy();   // destroy the active session
}
$_SESSION['ACTIVITY'] = time(); // update the last activity time
From the above code, it is observed that the system will destroy the active session once it finds the user inactive for 1200 seconds.

ii) Destroy Old Sessions:

The system should not allow long-duration sessions without proper authentication, in order to ensure the user's validity. The following type of code may help the developer prevent session-based attacks.

if (!empty($_SESSION['deleted_time']) && $_SESSION['deleted_time'] < time() - 180) {
    session_destroy(); // delete the old session
}
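The guidelines of Sections A (strict IDs, regeneration on privilege change), B, C, D and F(i)-(iii) combined into one session bootstrap, as an added example written for this page and not the paper's own code; the 20-minute idle limit, the 8-hour absolute limit, the helper names and the PHP 7.3+ array form of session_set_cookie_params() are assumptions:

```php
<?php
// Added example (not the paper's code): one session bootstrap applying the
// paper's guidelines A, B, C, D and F(i)-(iii). The limits below are assumed values.

const IDLE_LIMIT     = 1200;   // seconds without a request before the session dies (Sec. F-i)
const ABSOLUTE_LIMIT = 28800;  // hard lifetime, even for an active user (Sec. F-ii)

function secure_session_start(): void
{
    // Strict mode: refuse any session ID the server did not generate (Sec. A).
    ini_set('session.use_strict_mode', '1');
    // Take the ID only from the cookie, never from the URL (closes the ?sessionid= leak of Sec. iv).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Cookie attributes that protect the ID in transit and from scripts (Sec. D). PHP 7.3+ array form.
    session_set_cookie_params([
        'lifetime' => 0,           // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,        // sent over HTTPS only
        'httponly' => true,        // invisible to JavaScript and cookie-manager style tooling
        'samesite' => 'Strict',    // not attached to cross-site requests (CSRF)
    ]);
    session_cache_limiter('private');   // Sec. F-iii: must be called before session_start()
    session_start();

    $now = time();
    // Idle timeout (Sec. F-i) and absolute timeout (Sec. F-ii): destroy and start afresh.
    $idle   = isset($_SESSION['ACTIVITY']) && $now - $_SESSION['ACTIVITY'] > IDLE_LIMIT;
    $tooOld = isset($_SESSION['CREATED'])  && $now - $_SESSION['CREATED']  > ABSOLUTE_LIMIT;
    if ($idle || $tooOld) {
        destroy_session();
        session_start();                 // strict mode ignores the destroyed ID and issues a new one
    }
    $_SESSION['CREATED']  = $_SESSION['CREATED'] ?? $now;
    $_SESSION['ACTIVITY'] = $now;
}

// Call right after the credential check succeeds or the privilege level changes (Sec. A):
// a fresh ID makes any ID an attacker observed before login worthless.
function on_login(int $userId, string $role): void
{
    session_regenerate_id(true);         // true = delete the old session data as well
    $_SESSION['uid']     = $userId;
    $_SESSION['role']    = $role;
    $_SESSION['CREATED'] = time();
}

// Logout (Sec. B): clear server-side state and expire the cookie in the browser.
function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Every page that requires a login calls secure_session_start() first and then checks $_SESSION['uid']; the login handler calls on_login() only after the password check succeeds.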

iii) Set Cache Limitation as Private:

The cache expiration is reset to the default value of 180 (minutes) stored in session.cache_expire at request startup time. Thus, the developer should ensure that session_cache_limiter() is called for every request, before session_start(), to define the cache limiter as private. An example of a sample solution is given below:

/* set the cache limiter to 'private' */
session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

G. Generating an Access Token:

The use of an access token for entering an active session is now very popular in web applications. When a user requests a new session after completing the authentication process, the system generates a random access token to validate the user. Users have to enter the given token code along with their credentials to get access to their session. Since the token codes are generated randomly for a limited time period, an attacker cannot hijack the user's session using brute-force techniques even if the attacker discovers the correct user credentials.

IV. CONCLUSION

Almost all web applications maintain users' profiles separately to ensure quality services and communications for their users. The Broken Authentication and Session Management problem is one of the major impediments to ensuring the confidentiality of a web application. Therefore, the above two weaknesses have been listed as the most critical web application vulnerabilities since 2007 and are now ranked 2nd by the Open Web Application Security Project (OWASP). It is also revealed from this study that the Session Misconfiguration attack and Cracking/Guessing Weak Passwords are the most effective ways to exploit the Broken Authentication and Session Management vulnerabilities of web applications in those domains.
