In the rest of this chapter, we describe common attacks on your Web commerce applications that you must prepare to defend against. Each section contains a description of an attack as well as recommendations to control and counter it where applicable.
Although this class of attack is common, mounting a successful one is difficult. Flaws in authentication and session management most frequently involve a failure to protect security-sensitive credentials (passwords or other key material) and session tokens throughout their life cycle. Such flaws allow attackers to compromise credentials, or to exploit other implementation weaknesses, in order to assume other users' identities. No Web application framework is immune to authentication and session management attacks. The vulnerabilities are usually exploited in the main authentication mechanism, in password management, and in session timeout logic.
Passwords are the most common form of credential used to authenticate users on the Web, so flaws in password management are of particular importance in this attack category. One typical attack against password-protected systems is to build an automated system that guesses users' passwords by brute force. There are three types of password-guessing brute force attacks [8]:
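The following is an added illustration, not code from the book: a toy login service with salted password hashes and a per-account failed-attempt lockout, and an automated online guesser run against it once without the lockout and once with it. The usernames, passwords, the candidate wordlist and the class and function names (LoginService, guess_password, demo) are all constructed for this example.

```python
"""Added example (not from the book): automated online password guessing
against a toy login service, with and without a failed-attempt lockout.
All accounts, passwords and the wordlist below are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed candidate list, the kind of wordlist an automated guesser iterates over.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1", "admin123"]


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Minimal authenticator: salted PBKDF2 hashes plus a per-account lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900, lockout_enabled=True):
        self.accounts = {}
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.lockout_enabled = lockout_enabled

    @staticmethod
    def _hash(password, salt):
        # A slow hash limits offline guessing; the lockout below is the online control.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username, password, now=None):
        """Return 'ok', 'bad' or 'locked'. Unknown users get 'bad' so the
        response does not reveal which usernames exist."""
        now = time.monotonic() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "bad"
        # The lock is checked before the password, so a locked account rejects
        # even the correct password until the window expires.
        if self.lockout_enabled and now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.digest, self._hash(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout_enabled and acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout_seconds
        return "bad"


def guess_password(service, username, candidates, now=0.0):
    """Automated online guesser: try each candidate until success or lockout.
    Returns (password_or_None, attempts_made, outcome). A fixed 'now' models
    attempts fired faster than the lockout window can expire."""
    for attempts, candidate in enumerate(candidates, start=1):
        result = service.login(username, candidate, now=now)
        if result == "ok":
            return candidate, attempts, "cracked"
        if result == "locked":
            return None, attempts, "locked"
    return None, len(candidates), "exhausted"


def demo():
    """Same weak password, with and without the lockout control."""
    unprotected = LoginService(lockout_enabled=False)
    unprotected.register("alice", "letmein")
    protected = LoginService(max_failures=3)
    protected.register("alice", "letmein")
    return (guess_password(unprotected, "alice", WORDLIST),
            guess_password(protected, "alice", WORDLIST))


if __name__ == "__main__":
    without_lockout, with_lockout = demo()
    print("no lockout:", without_lockout)
    print("lockout:   ", with_lockout)
```

Against the unprotected service the guesser recovers "letmein" on its fourth attempt; against the protected one the third failure locks the account and the fourth attempt is refused before the password is even compared. The caveat a practitioner should weigh is that per-account lockout hands an attacker a way to lock legitimate users out on purpose, so it is normally paired with per-source throttling and a finite lockout window rather than a permanent block.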