What is Authentication

  • Authentication is the process of verifying the identity of a user or client
  • There are three main types of authentication
    • - Something you know, such as a password or the answer to a security question. These are sometimes called “knowledge factors”.
    • - Something you have, This is a physical object such as a mobile phone or security token. These are sometimes called “possession factors”.
    • - Something you are or do. For example, your biometrics or patterns of behavior. These are sometimes called “inherence factors”.
  • Authentication mechanisms rely on a range of technologies to verify one or more of these factors.

What is the difference between Authentication and Authorization

  • Authentication is the process of verifying that a user is who they claim to be while Authorization involves verifying whether a user is allowed to do something.
  • For example, authentication determines whether someone attempting to access a website with the username Carlos123 really is the same person who created the account.
  • Once Carlos123 is authenticated, their permissions determine what they are authorized to do. For example, they may be authorized to access personal information about other users, or perform actions such as deleting another user’s account.

How do Authentication Vulnerabilities arise

  • Most vulnerabilities in authentication mechanisms occur in one of two ways:
    • - The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
    • - Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes called “broken authentication”.
  • Note: In many areas of web development, logic flaws cause the website to behave unexpectedly, which may or may not be a security issue. However, as authentication is so critical to security, it’s very likely that flawed authentication logic exposes the website to security issues.

What is the impact of vulnerable authentication

  • The impact of authentication vulnerabilities can be severe. If an attacker bypasses authentication or brute-forces their way into another user’s account, they have access to all the data and functionality that the compromised account has.
  • If they are able to compromise a high-privileged account, such as a system administrator, they could take full control over the entire application and potentially gain access to internal infrastructure.
  • Even compromising a low-privileged account might still grant an attacker access to data that they otherwise shouldn’t have, such as commercially sensitive business information.
  • Even if the account does not have access to any sensitive data, it might still allow the attacker to access additional pages, which provide a further attack surface.
  • Often, high-severity attacks are not possible from publicly accessible pages, but they may be possible from an internal page.

Vulnerabilities in a password-based login

  • For websites that adopt a password-based login process, users either register for an account themselves or they are assigned an account by an administrator.
  • This account is associated with a unique username and a secret password, which the user enters in a login form to authenticate themselves.
  • In this scenario, the fact that they know the secret password is taken as sufficient proof of the user’s identity. This means that the security of the website is compromised if an attacker is able to either obtain or guess the login credentials of another user.
  • This can be achieved in a number of ways. The following sections show how an attacker can use brute-force attacks, and some of the flaws in brute-force protection. You’ll also learn about the vulnerabilities in HTTP basic authentication.

Brute Force Attacks

  • A brute-force attack is when an attacker uses a system of trial and error to guess valid user credentials.
  • These attacks are typically automated using wordlists of usernames and passwords. Automating this process, especially using dedicated tools, potentially enables an attacker to make vast numbers of login attempts at high speed.
  • Brute-forcing is not always just a case of making completely random guesses at usernames and passwords.
  • By also using basic logic or publicly available knowledge, attackers can fine-tune brute-force attacks to make much more educated guesses.
  • This considerably increases the efficiency of such attacks. Websites that rely on password-based login as their sole method of authenticating users can be highly vulnerable if they do not implement sufficient brute-force protection.

Brute-forcing Usernames

  • Usernames are especially easy to guess if they conform to a recognizable pattern, such as an email address.
  • For example, it is very common to see business logins in the format firstname.lastname@somecompany.com
  •  However, even if there is no obvious pattern, sometimes even high-privileged accounts are created using predictable usernames, such as admin or administrator.
  • During auditing, check whether the website discloses potential usernames publicly. For example, are you able to access user profiles without logging in?
  • Even if the actual content of the profiles is hidden, the name used in the profile is sometimes the same as the login username.
  •  You should also check HTTP responses to see if any email addresses are disclosed. Occasionally, responses contain email addresses of high-privileged users, such as administrators or IT support.

Brute-forcing Passwords

  • Passwords can similarly be brute-forced, with the difficulty varying based on the strength of the password.
  • Many websites adopt some form of password policy, which forces users to create high-entropy passwords that are, theoretically at least, harder to crack using brute-force alone.
  • This typically involves enforcing passwords with:
    • - A minimum number of characters
    • - A mixture of lower and uppercase letters
    • - At least one special character
  • However, while high-entropy passwords are difficult for computers alone to crack, we can use a basic knowledge of human behavior to exploit the vulnerabilities that users unwittingly introduce to this system.
  • Rather than creating a strong password with a random combination of characters, users often take a password that they can remember and try to crowbar it into fitting the password policy.
  • For example, if mypassword is not allowed, users may try something like Mypassword1! or Myp4$$w0rd instead.
  • In cases where the policy requires users to change their passwords on a regular basis, it is also common for users to just make minor, predictable changes to their preferred password.
  • For example, Mypassword1! becomes Mypassword1? or Mypassword2!.
  • This knowledge of likely credentials and predictable patterns means that brute-force attacks can often be much more sophisticated, and therefore effective, than simply iterating through every possible combination of characters.

Username Enumeration

  • Username enumeration is when an attacker is able to observe changes in the website’s behavior in order to identify whether a given username is valid.
  • Username enumeration typically occurs either on the login page, for example, when you enter a valid username but an incorrect password, or on registration forms when you enter a username that is already taken.
  • This greatly reduces the time and effort required to brute-force a login because the attacker is able to quickly generate a shortlist of valid usernames.
  • While attempting to brute-force a login page, you should pay particular attention to any differences in:
    • Status codes: During a brute-force attack, the returned HTTP status code is likely to be the same for the vast majority of guesses because most of them will be wrong. If a guess returns a different status code, this is a strong indication that the username was correct
    • Error messages: Sometimes the returned error message is different depending on whether both the username AND password are incorrect or only the password was incorrect. It is best practice for websites to use identical, generic messages in both cases, but small typing errors sometimes creep in.
    • Response times: If most of the requests were handled with a similar response time, any that deviate from this suggest that something different was happening behind the scenes. This is another indication that the guessed username might be correct. For example, a website might only check whether the password is correct if the username is valid.