Categories: Application Security

OWASP Broken Authentication and Session Management Example

The article presents an example on one of the top OWASP vulnerability related with authentication and session management. This is termed as “Broken Authentication and Session Management”. To know more about this vulnerability and related details, visit OWASP page for broken authentication and session management.

 

I was surfing a website, http://www.99acres.com, few days back and tried to retrieve my password using “Forgot Password” page. As I entered my username, I was amazed to see my email address shown there. I, then, tried another name such as “karthik” and following was the message:“An email has been sent to karthiksundaram@gmail.com. Please click on the link provided in the email to create a new password.”Take a look at the screenshot below as an evidence of the vulnerability.

99acres.com – broken authentication and session management

 

Possible Exploit

As 99acres.com is one of the India’s largest retail website, one could easily write an automated script and retrieve email addresses of millions of users and then, use different techniques to retrieve few passwords as well.

 

Solution

The solution is pretty simple. The response message could look like following:

“An email has been sent to your registered email address. Please click on the link provided in the email to create a new password.”

[adsenseyu1]

Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.

View Comments

  • It was still broken as on 27.6.2014:17:52 - so dropped an updated to their website. Hope they can do anything better.

  • Interesting, but not necessarily "Broken Session" which happens when your session gets exposed, not some of your personal data. Lets say, in the "Forgot password" feature, you type your email and the app creates an authenticated session in this moment trying to prevent that you will not navigate to a private page, but for some reason, this prevention fails.

Share
Published by
Ajitesh Kumar
Tags: owasp

Recent Posts

Agentic Reasoning Design Patterns in AI: Examples

In recent years, artificial intelligence (AI) has evolved to include more sophisticated and capable agents,…

2 months ago

LLMs for Adaptive Learning & Personalized Education

Adaptive learning helps in tailoring learning experiences to fit the unique needs of each student.…

3 months ago

Sparse Mixture of Experts (MoE) Models: Examples

With the increasing demand for more powerful machine learning (ML) systems that can handle diverse…

3 months ago

Anxiety Disorder Detection & Machine Learning Techniques

Anxiety is a common mental health condition that affects millions of people around the world.…

3 months ago

Confounder Features & Machine Learning Models: Examples

In machine learning, confounder features or variables can significantly affect the accuracy and validity of…

3 months ago

Credit Card Fraud Detection & Machine Learning

Last updated: 26 Sept, 2024 Credit card fraud detection is a major concern for credit…

3 months ago