Common Broken Authentication Attacks
Let’s take a look at some common styles of attack that can threaten your app, and how properly managing both authentication and authorization can limit the danger.
1: Session Hijacking/Session Fixation
Attackers use stolen session IDs to impersonate an authorized user. This can happen when…
- A user forgets to log out and leaves their device unattended.
- The session ID appears in the URL, making it easy to track and share.
- The attacker obtains extant session ID stored in application cookies and caches.
2: Credential Stuffing
Hackers use credentials (i.e. username or email address and password) leaked from other sites or programs. Since people often use the same information for multiple accounts, this technique, though time-intensive, is often effective.
3: Password Spraying
The hacker uses a brute force attack by rapidly rolling through common passwords, including names, words, and dates.
Attackers obtain user login information by impersonating you or another legitimate provider. They may create an imitation email with slight, almost imperceptible changes to your name.