Gincy Mol A G
Session Security

Over the years, web application security has moved from server-side sessions alone to token-based sessions, with the aim of improving overall session security.

According to the most recent OWASP Top 10, “Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.”

These security flaws can be extremely critical for web applications and pose a high risk to businesses. Beyond exposing sensitive data, they can allow attackers to take over other people's accounts and impersonate users. Both internal and external attackers can take advantage of these vulnerabilities.

A session is started when a user authenticates to an authentication server to prove their identity using a password or another authentication protocol. Session management needs secure cryptographic network communication, i.e., secure sharing of secrets with authenticated users.

Some common attacks on sessions:

  • Manipulator in the middle attack (MITM) occurs when an attacker intercepts a request between a user and the server.

  • Cross-site scripting (XSS) is a security exploit which allows an attacker to inject malicious scripts into a website.

  • Cross-site request forgery (CSRF) is an attack that forces an authenticated end-user to execute unwanted actions on a web application.

  • Session fixation is an attack that permits an attacker to hijack a valid user session.

How to secure a session:

  • HTTPS communication
  • Validate JWT tokens
  • Do not hardcode tokens
  • Secure and HttpOnly cookies
  • Lengthy and random session ID

A more detailed version, including how to avoid these vulnerabilities, is published at: https://beaglesecurity.com/blog/article/session-security.html
