Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

OWASP Broken Authentication and Session Management Example

DZone's Guide to

OWASP Broken Authentication and Session Management Example

· Java Zone
Free Resource

Download Microservices for Java Developers: A hands-on introduction to frameworks and containers. Brought to you in partnership with Red Hat.

The article presents an example on one of the top OWASP vulnerability related with authentication and session management. This is termed as “Broken Authentication and Session Management”. To know more about this vulnerability and related details, visit OWASP page for broken authentication and session management.

I was surfing a website, http://www.99acres.com, few days back and tried to retrieve my password using “Forgot Password” page. As I entered my username, I was amazed to see my email address shown there. I, then, tried another name such as “karthik” and following was the message:“An email has been sent to karthiksundaram@gmail.com. Please click on the link provided in the email to create a new password.”Take a look at the screenshot below as an evidence of the vulnerability.

99acres.com - broken authentication and session management

99acres.com – broken authentication and session management

Possible Exploit

As 99acres.com is one of the India’s largest retail website, one could easily write an automated script and retrieve email addresses of millions of users and then, use different techniques to retrieve few passwords as well.

Solution

The solution is pretty simple. The response message could look like following:

“An email has been sent to your registered email address. Please click on the link provided in the email to create a new password.”

Download Building Reactive Microservices in Java: Asynchronous and Event-Based Application Design. Brought to you in partnership with Red Hat

Topics:

Published at DZone with permission of Ajitesh Kumar, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}