IJSRST173382 | Received: 25 March 2017 | Accepted: 04 April 2017 | March-April 2017 [(3)2: 290-293] © 2017 IJSRST | Volume 3 | Issue 1 | Print ISSN: 2395-6011 | Online ISSN: 2395-602X | Themed Section: Science and Technology

Discover Broken Authentication and Session Management Vulnerabilities in ASP.NET Web Application

Rupal R Sharma (1), Ravi K Sheth (2)
(1) M.Tech, Cyber Security, Student, Department of Information Technology, Raksha Shakti University, Ahmedabad, Gujarat, India
(2) Assistant Prof., Department of Information Technology, Raksha Shakti University, Ahmedabad, Gujarat, India

ABSTRACT

Today, web application security is the most significant battlefield between the victim, the attacker and the resources of a web service. Websites written in ASP.NET may contain security vulnerabilities that are not visible to the owner of the website. This paper describes an algorithm that aims to detect broken authentication and session management vulnerabilities. The suggested algorithm performs a scanning process over website and web application files. Our scanner tool relies on studying the source code of the application, namely the ASP.NET files and their code-behind files (C#). A program written for this purpose generates a report that describes the most common leaks and vulnerability types, giving the file name, a description of the leak and its location. The aim of the paper is to discover broken authentication and session management vulnerabilities. The suggested algorithm will help organizations and developers fix the vulnerabilities and improve overall security.

Keywords: Web security, session management, session hijack, Broken Authentication, ASP.NET

I. INTRODUCTION

The World Wide Web has evolved from a system that delivers static pages into a platform that supports distributed applications, known as web applications, and has become one of the most prevalent technologies for information and service delivery over the Internet. The increasing popularity of web applications can be attributed to several factors, including remote accessibility, cross-platform compatibility and fast development. Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services. [1]

II. METHODS AND MATERIAL

1. OWASP Top Ten vulnerabilities

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

OWASP Top 10 Vulnerabilities [2]

OWASP defines this category as follows: application functions related to authentication and session management are not implemented correctly, which allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities. [3] The web application security statistics report also shows the average vulnerability age by risk, displayed below. [4] The following chart shows how many days are needed to fix or recover a web application affected by different attacks. From this analysis we conclude that broken authentication and session management vulnerabilities are very harmful to web applications: they take more days to recover from.

Figure 1. Average time to fix vulnerability
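The source-scanning approach outlined in the abstract (walk the ASP.NET, C# code-behind and configuration files, report file name, location and leak description), as an added example that is not the paper's own tool: the rule set, file names and sample contents below are all constructed assumptions for illustration, not rules published by the paper.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (file name, line number, leak description)

# Hypothetical rule set constructed for this example; the paper does not publish its rules.
LINE_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'\bcookieless\s*=\s*"(?:true|UseUri)"', re.I),
     "session/auth ticket carried in the URL (cookieless): leaks via logs and referers"),
    (re.compile(r'\brequireSSL\s*=\s*"false"', re.I),
     "authentication cookie not restricted to HTTPS (requireSSL=false)"),
    (re.compile(r'\bhttpOnlyCookies\s*=\s*"false"', re.I),
     "cookies readable from client-side script (httpOnlyCookies=false)"),
    (re.compile(r'FormsAuthentication\.SetAuthCookie\([^,]+,\s*true\s*\)'),
     "persistent authentication cookie issued (createPersistentCookie=true)"),
]

def scan_file(name: str, text: str) -> List[Finding]:
    """Apply the line-level rules, plus one file-level rule for C# code-behind."""
    lines = text.splitlines()
    findings = [(name, n, desc) for n, line in enumerate(lines, 1)
                for pat, desc in LINE_RULES if pat.search(line)]
    if name.endswith(".cs"):
        # Logout that drops the forms-auth cookie but leaves server-side session state alive.
        signout = next((n for n, l in enumerate(lines, 1) if "FormsAuthentication.SignOut(" in l), None)
        if signout and not any("Session.Abandon(" in l for l in lines):
            findings.append((name, signout, "SignOut() without Session.Abandon(): session state survives logout"))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan every ASP.NET page, C# code-behind file and config file in the mapping."""
    return [f for name, text in files.items()
            if name.lower().endswith((".aspx", ".cs", ".config")) for f in scan_file(name, text)]

def format_report(findings: List[Finding]) -> str:
    """One report line per finding: file name, location, leak description."""
    return "\n".join(f"{name}:{line}: {desc}" for name, line, desc in findings)

# Constructed sample application files (not from the paper).
SAMPLE_FILES: Dict[str, str] = {
    "Web.config": ('<configuration>\n  <system.web>\n'
                   '    <sessionState mode="InProc" cookieless="true" timeout="20" />\n'
                   '    <authentication mode="Forms">\n'
                   '      <forms loginUrl="Login.aspx" requireSSL="false" />\n'
                   '    </authentication>\n  </system.web>\n</configuration>\n'),
    "Logout.aspx.cs": ('protected void Page_Load(object sender, EventArgs e)\n{\n'
                       '    FormsAuthentication.SignOut();\n'
                       '    Response.Redirect("Login.aspx");\n}\n'),
    "Login.aspx.cs": 'FormsAuthentication.SetAuthCookie(txtUser.Text, true);\n',
}
```

Running `print(format_report(scan_files(SAMPLE_FILES)))` lists four findings, one per line, in the file:line: description form the paper's report uses.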