Document Type : Research Article


1 Department of Information Technology, College of Computer, Qassim University, Buraydah, Saudi Arabia.

2 Computers and Control Engineering Department, Faculty of Engineering, Tanta University, Tanta, Egypt.


Web application protection is today's most important battleground between victim, intruder, and web service resource. User authentication becomes critical when a legitimate user of the web application abruptly ends contact while the session is still active, and an unauthorized user picks up the same session to gain access to the device. For many corporations, risk detection is still a problem. In other cases, it is a routine way of operating that provides the requisite protection to keep the product free of weaknesses. Using various types of software to identify different security vulnerabilities assists both developers and organizations in securely launching applications, saving time and money.
Different combinations of tools have been seen to enhance protection in recent years, but it had not been possible to combine the types of tools available on the market until the writing of this report. The aim of this paper is to clarify vulnerabilities in broken authentication and session management. It is worth noting that if the developer practices the preventive techniques outlined in this article, the chances of the exploitation being discussed are reduced. This paper revealed that the most powerful ways to exploit the Broken Authentication and Session Management vulnerabilities of web applications in those domains are the Session Misconfiguration attack and Cracking/Guessing Weak Passwords. The paper also includes techniques for defending authentication; the most important are using a robust encryption system, setting password rules, and securing the session ID.
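As an added illustration (not code from the paper or its authors), the following Python sketch shows two of the defences the abstract names, password rules and securing the session ID, plus the idle timeout that closes the abandoned-session scenario it describes. The timeout, lifetime and password-length values are assumptions chosen for the example.

```python
import secrets
import time

# Assumed policy values for illustration; the paper states no specific numbers.
IDLE_TIMEOUT = 15 * 60        # reap a session after 15 min without activity
ABSOLUTE_LIFETIME = 8 * 3600  # and unconditionally after 8 hours
MIN_PASSWORD_LENGTH = 12

def password_meets_policy(password: str) -> bool:
    """Password rule: minimum length plus at least three character classes."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3

class SessionStore:
    """Server-side session table: unguessable IDs, rotation, idle/absolute expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def rotate(self, old_sid: str) -> str:
        # Swap the ID after login or a privilege change so a pre-set ID is useless.
        data = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid: str):
        # Return the owning user, or None if the session is unknown or expired.
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # reap it, so an abandoned ID cannot be replayed
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # invalidate server-side, not just the cookie
```

The ID itself should travel only in a cookie flagged HttpOnly, Secure and SameSite, never in a URL, so that the store's guarantees are not undone on the transport side.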

