1. OWASP Khartoum The OWASP Foundation
6TH Meeting 4 Aug 2012 http://www.owasp.org
Top 10:A3
Broken Authentication and Session Management
Obay Osman Ahmed
OWASP Khartoum
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

2. ToC
• Definition.
• Impact.
• Environments Affected.
• BA-SM in the wiled.
• Demo time.
• How to Protect Yourself.
• Warp Up.
• Q & A.
2

3. Definition
Authentication is the process of
verification that an individual or an entity is
who it claims to be. (by submitting a user
name or ID and one or more items of private
information that only a given user should
know).
Session Management is a process by
which a server maintains the state of an
entity interacting with it. (by a session
identifier)
3

4. OWASP Risk Rating #
4

5. Impact
May allow some or even all accounts to
be attacked.
Once successful, the attacker can do
anything the victim could do.
#Privileged accounts are frequently
targeted.
5

6. Environments Affected
All known web servers, application
servers, and web application environments
are susceptible to broken authentication
and session management issues.
6

7. //BAD - DON'T USE
public boolean login(String username, String
password)
{
boolean isAuthenticated = true;
try {
//make calls to backend to actually perform login
against datastore
if (! authenticationSuccess) {
isAuthenticated = false;
}
}
catch (Exception e)
{ //handle exc }
return isAuthenticated;
}
7

8. In the wield..
- Timeouts.
- ID in URL.
- Credential Storage.
Methodologies: XSS, CSRF (Session
riding attack), SQL injection, Session
fixation….
8

9. It is Demo Time..
Let us break something…
9

10. How to Protect Yourself
Don’t implement it by your self, OR
Define , Document, Enforce clear site’s
policy, THEN
Check this critical areas:
“It is foolish to think that you’ll do better
on your first try”.
10

11. Prevention Cont.
Passwords (Strength, Use, Change
Controls, Recover and Storage).
Protecting Credentials in Transit.
Session ID Protection.
Account Lists.
Browser Caching.
Trust Relationships.
11

12. OWASP Recommended
Meet all requirements defined in
OWASP’s ASVS areas V2 (Authentication)
and V3 (Session Management).
Have a simple interface for developers.
Consider the ESAPI Authenticator and User
APIs as good examples to emulate, use, or
build upon.
12

13. Summary &
Conclusion

14. The OWASP Foundation
http://www.owasp.org
OWASP Top 10 2010:
A1 –Injection
A2 –Cross-Site Scripting (XSS)
A3 –Broken Authentication and Session Management
A4 –Insecure Direct Object Reference
A5 –Cross Site Request Forgery (CSRF)
A6 –Security Misconfiguration(NEW)
A7 –Insecure Cryptographic Storage
A8 –Failure to Restrict URL Access
A9 –Insufficient Transport Layer Protection
A10 –Unvalidated Redirects and Forwards (NEW)
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

15. Ref.
• ASVS requirements areas for Authentication (V2) and
Session Management (V3)
• OWASP Authentication Cheat Sheet
• ESAPI Authenticator API
• ESAPI User API
• OWASP Development Guide: Chapter on authentication
• OWASP Testing Guide: Chapter on Authentication

16. Q&A
17