OWASP Broken Authentication and Session Management

September 10th, 2022


  • Session hijacking

    • Anti-pattern: session ID sent in plain text

    • ref: cross-site scripting (XSS)

  • Session fixation (the attacker creates a valid session and tries to get the target to use it)

    • Anti-pattern: authenticating an existing session

    • Pattern: generate a new session ID when (re)authenticating

  • Session prediction

    • Anti-pattern: session IDs based on the user's own data

    • Anti-pattern: sequential session IDs

Just because a session ID looks random does not mean it is random.

guidelines for handling session IDs


Pattern: long session ID with lots of entropy

Pattern: session ID from a cryptographically secure random source

Anti-pattern: session ID from the language's built-in random function

Pattern: protect against XSS

Pattern: generate a new session ID when (re)authenticating

Pattern: use up-to-date platform session management

Pattern: use ONLY cookies to exchange session IDs (disable all other ways)

Anti-pattern: accept session IDs via query parameters
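The following is an added example, not part of the original notes, showing the session-ID patterns above in one small Python session store: IDs drawn from `secrets` (the OS CSPRNG) rather than `random`, a fresh ID issued at authentication so a planted ID cannot be fixated, the ID read only from the `Cookie` header and never from the query string, and an `HttpOnly; Secure; SameSite` cookie. The cookie name `sid`, the class `SessionStore` and all function names are this example's own choices; the user-data-derived ID is shown only as the anti-pattern for contrast.

```python
# Added example (not from the original notes). Cookie name, class and
# function names are assumptions made for illustration.
import hashlib
import secrets
from typing import Dict, Optional

SESSION_COOKIE = "sid"      # assumed cookie name
SESSION_ID_BYTES = 32       # 256 bits of entropy from the OS CSPRNG


def new_session_id() -> str:
    """Pattern: long ID from a cryptographically secure source.
    secrets.token_urlsafe reads os.urandom, not random.random()."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_id_from_user_data(username: str) -> str:
    """Anti-pattern, for contrast only: hex output looks random but is
    fully determined by the username, so anyone who knows it can derive it."""
    return hashlib.sha256(username.encode()).hexdigest()


def session_id_from_request(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Pattern: accept the session ID ONLY from the Cookie header.
    The query dict is ignored on purpose even if it carries 'sid'."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


def set_cookie_header(session_id: str) -> str:
    """HttpOnly hides the cookie from script (XSS), Secure keeps it off plain
    HTTP, SameSite=Strict stops cross-site requests from sending it."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


class SessionStore:
    """In-memory store: session ID -> username (None while anonymous)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def create(self) -> str:
        sid = new_session_id()
        self._sessions[sid] = None
        return sid

    def authenticate(self, old_sid: Optional[str], username: str) -> str:
        """Pattern against fixation: never authenticate an existing ID.
        Discard whatever ID was presented and issue a fresh one."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        new_sid = new_session_id()
        self._sessions[new_sid] = username
        return new_sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        return self._sessions.get(sid) if sid is not None else None

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions


def login_flow_demo() -> dict:
    """Constructed walk-through: a pre-planted ID is presented at login and
    must not survive authentication. Returns facts a caller can check."""
    store = SessionStore()
    planted = store.create()                          # anonymous session an attacker could plant
    headers = {"Cookie": f"{SESSION_COOKIE}={planted}"}
    query = {SESSION_COOKIE: "value-in-query-string"}  # must be ignored
    presented = session_id_from_request(headers, query)
    authenticated = store.authenticate(presented, "alice")
    return {
        "presented_came_from_cookie": presented == planted,
        "planted_id_still_valid": store.is_valid(planted),
        "new_id_differs": authenticated != planted,
        "user": store.user_for(authenticated),
        "set_cookie": set_cookie_header(authenticated),
    }


if __name__ == "__main__":
    print(login_flow_demo())
```

The store is deliberately in memory; the point is the lifecycle, not persistence. Note that `authenticate()` drops the presented ID even when it was legitimately issued by `create()`, which is exactly the behaviour the fixation pattern asks for.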


exercise: write a cURL command for a TLS-secured call to a development server using a self-signed certificate


Anti-pattern metaphor: pie-crust defense

You had to authenticate to cross the outer boundary (the crust), but services inside the "pie" could call each other freely.




Authentication options:

  • first-party (build it yourself)

  • third-party (e.g. Kerberos, NTLM, OAuth)



