Mitigation Strategies
Explore essential mitigation strategies for securing authentication and authorization mechanisms in web applications. Understand how to implement multi-factor authentication, enforce strong password practices, limit login attempts, manage server-side sessions securely, and apply the principle of least privilege to protect against common vulnerabilities.
Overview
Mitigating vulnerabilities that stem from faults in authentication and authorization is a critical task that developers often overlook. These are among the very first weaknesses that attackers and pentesters probe once they have picked a target, so fortifying the most common attack vectors is a sensible place to start.
Multi-factor authentication (MFA)
We’ve already discussed the need for MFA earlier in this chapter. The most common form of MFA in web applications today is the one-time password (OTP) code sent to an email address or phone. For example, it’s now almost impossible to create a new Google, Facebook, or Twitter account without handing over a phone number for two-factor authentication (2FA). Note that codes delivered by SMS or email are the weakest form of MFA, since they can be phished or intercepted (for instance through SIM swapping); time-based OTPs generated by an authenticator app (TOTP, RFC 6238) are stronger, and phishing-resistant hardware keys (FIDO2/WebAuthn) are stronger still.
Beyond web applications, employees in sensitive roles at large companies are often issued long, random passwords from a corporate password manager, rotated frequently, together with a physical key card containing a chip; without that card they can neither enter company premises nor log in to their company-provided laptops. At some organizations the laptops additionally require OTP codes sent to the employees’ company-managed phones (and numbers).