1. Cause
Authentication and session management functions that are implemented improperly, including logout, password management, the timeout mechanism, "remember me" handling, password problems, and account updates.
2. Hazards
The account is taken over and the attacker gains every permission that account holds. Privileged accounts are the most frequent targets.
3. Discovery
(1) Passwords are stored with an insecure hash or encryption algorithm.
(2) Weak account management functions (account creation, password change, password recovery, weak session IDs) can be used to guess or overwrite a user's password.
(3) The session ID is exposed in the URL.
(4) The session ID is not renewed after successful authentication, leaving the application open to session fixation attacks.
(5) Session IDs never time out, or the authentication token (especially an SSO token) is not invalidated on logout.
(6) Passwords, session IDs, and other authentication fields are transmitted over an unencrypted channel.
4. Protection
(1) Use an authentication and session management control system that meets the OWASP ASVS standard (V2 Authentication, V3 Session Management) and offers developers simple interfaces (refer to the ESAPI Authenticator and User APIs).
(2) Prevent XSS vulnerabilities, since injected script can read and exfiltrate the session ID.
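Added example, not code from the original page or from ESAPI: a minimal Python sketch of the controls above. It stores passwords as salted PBKDF2-HMAC-SHA256 (Discovery item 1), issues a fresh session ID on login so a pre-authentication ID planted in the browser never becomes authenticated (item 4), and enforces an idle timeout plus server-side invalidation on logout (item 5). The iteration count and the 15-minute timeout are assumed values, and transport protection (TLS, Secure/HttpOnly cookie flags) is outside this snippet.

```python
import hashlib, hmac, os, secrets, time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows


def hash_password(password: str, salt: bytes = None) -> str:
    """Store passwords as salted PBKDF2-HMAC-SHA256, never as plain MD5/SHA-1."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time comparison


class SessionStore:
    def __init__(self, idle_timeout: int = 900):  # 15-minute idle timeout (assumed)
        self.sessions = {}  # sid -> {"user": str | None, "last_seen": float}
        self.idle_timeout = idle_timeout

    def new_session(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: unguessable
        self.sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def login(self, pre_auth_sid: str, user: str, password: str, stored_hash: str):
        if not verify_password(password, stored_hash):
            return None
        # Session fixation defence: discard the pre-authentication id and issue a new one,
        # so an id an attacker planted before login is never promoted to an authenticated session.
        self.sessions.pop(pre_auth_sid, None)
        return self.new_session(user)

    def current_user(self, sid: str, now: float = None):
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self.sessions[sid]  # expired: force re-authentication
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)  # token dies server-side, not merely cleared in the browser
```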