dc.description.abstract |
The purpose of this thesis is to present a new tool for detecting common web attacks that lead to information disclosure in web applications, primarily through improper authentication and session management. It provides a flexible URL search engine that scans HTTP requests and responses during web page delivery and records the necessary data without impacting web server performance. The new tool can detect attacks carried in HTTP traffic sent with the POST and GET methods. By examining all relevant factors, we aim for satisfactory detection results. The new tool is highly extensible, leaving room for future work. Web applications are in constant use, and they face security risks and breaches every day. Security analysts, companies, and organizations are working together to stop, or at least mitigate, these attacks and dangers. The Open Web Application Security Project (OWASP) is a non-profit security association that has identified and ranked the top ten attacks against vulnerabilities affecting web applications today. Broken authentication and session management attacks rank next among the top attacks in the OWASP report. This thesis describes broken authentication and session management exploits and the process of detecting them. We also propose an automated system that detects such attacks, including brute force, missing session ID rotation after a successful login, and session ID disclosure in URLs, by examining all relevant evidence.
Keywords: Broken Authentication, Brute Force, Session ID, Rotation, Login, Exposed URL. |
en_US |