Broken Authentication or Session Management

Description

Vulnerabilities in authentication or session management could manifest themselves in a number of ways. This could be a gap or bug in authentication logic, password reset flows, or SSH key validation. A vulnerability in one of these components could range in impact, from assisting in a social engineering attack to a full compromise of user accounts.

Our applications support a number of authentication methods. On GitHub.com this includes our login form, authentication to other applications with OAuth, authentication between GitHub services with signed tokens, and maintaining authentication state through session cookies. Each of these methods is a complex system and requires Serious Security Scrutiny™.

To bolster the security of authentication, our web-based and API logins support two-factor authentication to minimize the impact of compromised user credentials. Additionally, to limit the impact of a compromised session, we require re-authentication for sensitive tasks with what we call Sudo Mode.
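As an added illustration of the Sudo Mode idea described above (example code, not GitHub's own implementation): a session carries a short-lived sudo grant that only a fresh password check can renew, so a logged-in session, including a hijacked one, cannot perform a sensitive action without re-authenticating. The 5-minute window, the user-record layout and the action names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: a sudo grant lasts 5 minutes after re-authentication.
SUDO_TTL_SECONDS = 300


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a stored verifier with PBKDF2; the per-user salt is kept beside it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": hash_password(password, salt)}


def new_session(user_id: str, now: float) -> dict:
    # A fresh login is authenticated but NOT in sudo mode: sudo_until is in the past.
    return {"sid": secrets.token_urlsafe(32), "user_id": user_id,
            "issued_at": now, "sudo_until": 0.0}


def enter_sudo_mode(session: dict, user: dict, password: str, now: float) -> bool:
    """Re-authenticate the session holder; on success open a short sudo window."""
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["verifier"]):
        return False                      # wrong password: grant stays closed
    session["sudo_until"] = now + SUDO_TTL_SECONDS
    return True


def in_sudo_mode(session: dict, now: float) -> bool:
    return now < session["sudo_until"]


def perform_sensitive_action(session: dict, action: str, now: float) -> str:
    """Gate a sensitive task (e.g. adding an SSH key) behind a fresh sudo grant."""
    if not in_sudo_mode(session, now):
        return "denied: re-authentication required"
    return f"ok: {action} by {session['user_id']}"


if __name__ == "__main__":
    user = make_user("correct horse battery staple")   # constructed sample user
    s = new_session("alice", now=1_000.0)
    print(perform_sensitive_action(s, "add_ssh_key", 1_000.0))   # denied
    enter_sudo_mode(s, user, "correct horse battery staple", 1_001.0)
    print(perform_sensitive_action(s, "add_ssh_key", 1_002.0))   # ok
    print(perform_sensitive_action(s, "add_ssh_key", 1_001.0 + SUDO_TTL_SECONDS))  # denied
```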

More about authentication and session management vulnerabilities from OWASP’s Top 10:

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Recently collected Broken Authentication or Session Management bounties:

1. jkakavas (Ioannis Kakavas), 600 pts: SAML Response attribute not revoked to prevent replay attacks
2. soby (Brian Soby, Freefly Security), 5000 pts: GitHub Enterprise SAML signature bypass
3. jkakavas (Ioannis Kakavas), 5000 pts: GitHub Enterprise SAML signature bypass
4. jkakavas (Ioannis Kakavas), 10000 pts: GitHub Enterprise SAML authentication bypass
5. pouyadarabi (Pouya Darabi), 500 pts: Joining the Developer Program without a paid plan