Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
ToC
• Definition.
• Impact.
• Environments Affected.
• BA-SM in the wild.
• Demo time.
• How to Protect Yourself.
• Wrap Up.
• Q & A.
Definition
Authentication is the process of verification that an individual or an entity is who it claims to be (by submitting a username or ID and one or more items of private information that only a given user should know).
Session Management is a process by which a server maintains the state of an entity interacting with it (by a session identifier).
How to Protect Yourself
Don't implement it yourself, OR define, document and enforce a clear site policy, THEN check these critical areas:
"It is foolish to think that you'll do better on your first try."
Prevention Cont.
• Passwords (Strength, Use, Change Controls, Recovery and Storage).
• Protecting Credentials in Transit.
• Session ID Protection.
• Account Lists.
• Browser Caching.
• Trust Relationships.
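As an added illustration of two of these areas (password storage and session ID protection), the following example, which is not part of the original slides, shows salted PBKDF2 password hashing with a constant-time check and a session store whose IDs come from the OS CSPRNG, are rotated at login and expire after an idle timeout. The iteration count and 15-minute timeout are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
# Constructed parameters for the example; tune them to your own site policy.
PBKDF2_ITERATIONS = 600_000
SESSION_TTL_SECONDS = 900  # 15-minute idle timeout


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time compare so timing does not reveal how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class SessionStore:
    """In-memory session table: random IDs, idle timeout, rotation on login."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> (user, last_seen)
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG; never derived from user data or a counter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._now())
        return sid

    def login(self, old_sid: Optional[str], user: str) -> str:
        # Rotate the ID at authentication so a pre-login (fixated) ID is useless.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > SESSION_TTL_SECONDS:
            self._sessions.pop(sid)  # idle timeout exceeded: invalidate
            return None
        self._sessions[sid] = (user, self._now())  # refresh last activity
        return user
```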
OWASP Recommended
Meet all requirements defined in OWASP's ASVS areas V2 (Authentication) and V3 (Session Management).
Have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.