Tuesday, November 12, 2013

OWASP Top 10 For the Average Internet User: Broken Authentication/Session Management

Where can it happen?

This can happen anywhere you need a username and password to log in, or anywhere a site has to tell you apart from every other internet user (anything that keeps you "logged in" from one page to the next).

What is it?

When you log on to a website, that website needs a way to identify your internet traffic and keep you straight from all of the other people out there. It does this by handing you a session identifier (usually stored in a cookie) that your browser sends back with every request. Let's say when you log on to Facebook, Facebook tells you to identify yourself as user 150 every time you go to a new page. As long as you send that number, Facebook knows to show you your friends, allow you to post new status updates, comment on pictures as yourself, etc.

But what if I (as an evil internet hacker) decided to browse Facebook and send them 150 as my identifier? If the identifier is that easy to guess, or if I can grab it as it crosses the network unencrypted, suddenly I become you! I can ask for my (your) chat history and see what girls you've talked to, I can post witty comments on your mother's pictures, I can unfriend your girlfriend! Mwwahaha!
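
To make the "user 150" problem concrete, here is a small added example (my own illustration, not code from the original post or from any real site). It builds a toy in-memory session store that can hand out either predictable counter-style identifiers, like the 150 above, or long random ones, and then plays the attacker: with no password at all, it simply tries identifiers 0 through 999 and asks the server who it is. The `SessionStore`, `guess_sessions` and `set_cookie_header` names are invented for this example.

```python
"""Added example: predictable vs. random session identifiers.

Names (SessionStore, guess_sessions, set_cookie_header) are constructed
for this illustration and are not any framework's real API.
"""
import secrets
from typing import Dict, List, Optional


class SessionStore:
    """In-memory map of session identifier -> logged-in username."""

    def __init__(self, predictable: bool) -> None:
        # predictable=True mimics the "you are user 150" scheme from the post:
        # the identifier is just a counter, so anyone can guess it.
        self.predictable = predictable
        self._next = 150
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        """Create a session and return the identifier the browser must
        present on every later request."""
        if self.predictable:
            sid = str(self._next)
            self._next += 1
        else:
            # 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded.
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """What the server believes about a request carrying this identifier."""
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        # Dropping the server-side entry is what makes "log out" actually
        # end the session, even if the cookie lingers in a browser.
        self._sessions.pop(sid, None)


def guess_sessions(store: SessionStore, attempts: int = 1000) -> List[str]:
    """Attacker with no credentials: try identifiers 0..attempts-1 and
    collect every user the server happily treats us as."""
    found = []
    for n in range(attempts):
        user = store.whoami(str(n))
        if user is not None:
            found.append(user)
    return found


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that stop the identifier from being sent over plain
    HTTP (Secure), read by page scripts (HttpOnly), or attached to
    cross-site requests (SameSite)."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    weak = SessionStore(predictable=True)
    weak.login("alice")
    weak.login("bob")
    print("predictable ids, users hijacked by guessing:", guess_sessions(weak))

    strong = SessionStore(predictable=False)
    strong.login("alice")
    print("random ids, users hijacked by guessing:", guess_sessions(strong))
    print(set_cookie_header(strong.login("bob")))
```

With predictable identifiers the guessing loop walks straight into both accounts; with 256-bit random identifiers the same loop finds nothing, and the cookie attributes keep the token from leaking over an unencrypted connection, which is the other way an attacker gets hold of it.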

Why should I care?

We really just covered this, but in case you don't care that I can unfriend your girlfriend on Facebook, what if I get your session token for your bank? Or your Fandango or PayPal account? Now your finances as well as your social life are at my mercy, which is very bad.

How can I protect myself?

Make sure that your websites log you in over a secure connection, and keep you on one. This means that you should log in over SSL/TLS (you should see HTTPS at the beginning of the URL), and the HTTPS should stay there for the whole time you are logged in, not just on the login page: if the site drops back to plain HTTP afterwards, your session token is sent in the clear on every page and anyone on the same network can grab it. Log out when you are done, especially on a shared or public computer, so the token stops working. Most banks and large sites do this properly now, but it doesn't hurt to ask your bank or credit union how they handle your internet security before agreeing to do business with them online. That being said, the larger the company the more likely they are to put time and resources into ensuring your online security.