OWASP #2 – Broken Authentication
6 May 2021 | By Jason Lu
In 2011, Netease, which used to be the largest Chinese free email service provider, suffered from a broken authentication attack, and 500 million entries of their username/password-hash combinations became openly available to the public. After the leak, many users reported that even after changing their password on Netease, their accounts on other websites were still hijacked. Broken authentication remains a significant problem today and ranks as the second most prevalent category of attack on the OWASP Top Ten list.
Broken Authentication refers to the weaknesses created by the prevalence of publicly available default username/password lists or by hijacking session IDs. These are often used to break into systems through direct attacks. In addition, any leakage of username/password data on the internet puts at risk the accounts created by the same user on other sites, since passwords are commonly reused. Besides password attacks, there are many other forms of attack related to session management, which are harder to identify and can pose a higher level of threat.
You can help prevent broken authentication attacks by carefully deciding how default login credentials are issued and by making sure that, after the initial setup, the default password is not accepted for further authentication.
Example of Attack
The example below checks a password by comparing its plain MD5 digest instead of hashing it with a proper per-user salt. Because every user with the same password ends up with the same stored hash, anyone with administrative access to the stored hashes can spot which users share a password, and an unsalted MD5 digest of a common password can simply be looked up in a precomputed table, giving a high chance of recovering the user's password.
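The following Python snippet is an added illustration, not the original post's code: it places the unsalted-MD5 check described above beside a salted, slow-KDF version (PBKDF2-HMAC-SHA256 with a constant-time comparison), and shows why identical stored hashes are a problem. The lookup table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Vulnerable pattern from the text: store and compare bare MD5(password) ---
def md5_store(password: str) -> str:
    """Identical passwords always produce identical stored digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_check(password: str, stored: str) -> bool:
    return md5_store(password) == stored

# --- Hardened pattern: per-user random salt + slow KDF ---
ITERATIONS = 600_000  # work factor; raise as hardware gets faster

def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$dk_hex' with a fresh 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def pbkdf2_check(password: str, stored: str) -> bool:
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison: do not leak how many bytes matched
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- Why unsalted hashes are dangerous ---
def shared_password_visible(store_fn, password: str) -> bool:
    """True if two users with the same password get identical records, which lets
    anyone reading the database spot reused passwords without cracking anything."""
    return store_fn(password) == store_fn(password)

# Constructed stand-in for a precomputed table of common-password digests.
LOOKUP_TABLE: Dict[str, str] = {md5_store(p): p for p in ("password", "123456")}

def recover_from_table(stored: str, table: Dict[str, str]) -> Optional[str]:
    """A bare MD5 digest of a common password is a dictionary lookup away;
    a salted PBKDF2 record never matches such a table."""
    return table.get(stored)
```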
Broken authentication attacks are common and can be devastating to an organization. They are also highly preventable.
To learn more about OWASP and how Xcalscan can help you prevent them, click here.