Presentation is loading. Please wait.

Presentation is loading. Please wait.

Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session.

Published byBranden Craig Modified over 8 years ago

Similar presentations

Presentation on theme: "Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session."— Presentation transcript:

1 Broken Authentication & Session Management

2 What is it ? Bad implementation of authentication and session management. If an attacker can get your session ID, then they can steal your session Could happen over unsafe medium. Could happen if an attacker can get your password.

3 Broken Authentication and Session Management - Vulnerabilities Password not hashed. Weak Password recovery method. Exposed Session-Ids’. Long session timeout. Improper rotation of session-ids’ after logout. Sending session-ids’, passwords over unencrypted connections.

4 Session Fixation Attack

5 Broken Authentication and Session Management - Prevention Always use https for any authenticated URLs. If storing credentials in a database, store them encrypted or hashed. Set session timeouts to as low as possible to reduce the risk of exposure to someone who forgets to log out at a public terminal. Try to store SessionIds in cookies Invalidate session properly

6 Thank You

Download ppt "Broken Authentication & Session Management. What is it ? Bad implementation of authentication and session management. If an attacker can get your session."

Similar presentations

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.

Application Security Best Practices At Microsoft Ensuring the lowest possible exposure and vulnerability to attacks Published: January 2003.
©Copyright Justin C. Klein Keane PHP Vulnerability Potpourri File Include, Command Injection & Authentication Bypass Vulnerabilities.

©Copyright Justin C. Klein Keane PHP Vulnerability Potpourri File Include, Command Injection & Authentication Bypass Vulnerabilities.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center 2014 www.know-center.at Security.

Gefördert durch das Kompetenzzentrenprogramm DI Alfred Wertner 19. September 2014 Ubiquitous Personal Computing © Know-Center Security.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.
Strong Password Protocols

Strong Password Protocols
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Similar presentations

Ads by Google