Broken authentication and Session management

Authentication is the process of verifying who you are. It is a security procedure that ensures and verifies the identity of the user.

What is a Session?  

Session is the server-side storage of user information to maintain user interaction with the web site. Servers typically generate a unique token for each connection, which is known as session ID. The session ID should be stored on the server-side and not on the client-side. 


Broken authentication :

Authentication is “broken” when the application allows an attacker to identify or bypass the authentication mechanism. Broken Authentication is in one of the OWASP Top 10 Vulnerabilities. Broken authentication is caused by poorly implemented authentication and session management mechanisms. It allows an attacker to compromise passwords, keys, session ID's or to exploit other implementation flaws to take over a victim’s account.




Common risk factors includes: 
  1. Default account 
  2. Inadequate password policy 
  3. User Enumeration 
  4. Missing Account lock out 
  5. Misconfigured Session 
  6. Misconfigured Session Timeouts 
  7. Unencrypted communication

Default account - 

It is also called as Credentials stuffing. If the application permits publicly known default credentials, it could quickly result in compromise. An attacker can create a list of default accounts and perform brute force attack to gain access to a legitimate account.

How to test :  

1.       Identify all the components of the website that may require credentials.

2.       Search for the default password for that particular component. for example - tomcat-tomcat, admin-password, root-toor etc.

3.       Try to login using default credentials. 

Inadequate password policy  - 

Password represents an important aspect of the authentication system. A simple password can be easily guessed. Generally, if the password doesn’t adhere to a strong password policy, an attacker can use brute force and dictionary attacks to discover the passwords.

Two solutions are recommended to reduce the risk of easily guessed passwords :

User enumeration -

  • Typically, web application authentication mechanism accepts a user identifier (user ID, username, email ID) and a secret (PIN, password).
  • A badly configured system can reveal sensitive information if someone enters the wrong credential. For example, a web app could reveal info about the existing user

(1) Wrong username + wrong password. If wrong username and wrong password is given, it will show the "This user does not exist" error message.

(2) Wrong username + wrong password. If the wrong username and wrong password is given, it will show the "This user does not exist" error message.

  • It indicates that entered username is valid and an attacker/malicious user can guess/ brute-force the associated password. 
  • Note that we are looking for differences in response between the two different cases (including web page’s visible content but also the URL, cookies or web page source )
The application should return normalize messages such as “Login failed, invalid username and password”. It doesn’t inform the attacker which part of the credential is incorrect and makes the calculation more difficult.

Missing Account lock out –

Account lockout prevents anyone from guessing the username and password. When your account is locked, you must wait for a set time before you are able to log in to your account again. The absence of a detection mechanism permits brute-force or other automated attacks against legitimate accounts.

Limit failed login attempts.

Misconfigured Session -

Session ID is often used to log the user into the website. If not configured correctly, it can be used to gain potential privileges by hijacking a user's session.

It includes the following vulnerable objects:

üSession IDs that are not rotated after a successful login are vulnerable to session fixation attacks.

üAn attacker may deduce/predict another user’s session ID if it is predictable and/or weakly encrypted.

üSession IDs that are not properly invalidated during logout.

üSession IDs that are not invalidated/expired after a period of inactivity.

üSession IDs exposed on the URL can lead to session fixation attack.

üUser session isn’t properly invalidated during logout

üInsecure session handling methods.

Unencrypted communication –

If the application is not implemented with HTTPS, Passwords, session IDs, and other credentials sent over an unencrypted channel. If a server communicates sensitive information, then it should only be exchanged via a secure SSL/TLS connection.


Thanks for reading :)

Keep Learning. Keep Growing :)


Comments

  1. UdeshOctober 25, 2020 at 5:47 AM

    Awesome. This is really helpful.
    Keep doing this great job

    ReplyDelete

Post a Comment

Popular posts from this blog

SQL Injection – “Let’s dump the database”

Image
  What is SQL injection? ✔ SQL injection is a code injection technique that uses malicious SQL code to access information/data that was not intended to be displayed. It can be used to obtain unauthorized access to the underlying data, structure, and DBMS.  ✔ SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization lists injections in their OWASP Top 10 2017 document as the number 1 threat to web application security.  ✔ SQL injection vulnerability occurs when the application sends user input to the interpreter without sanitizing it and user input can be used to query database. SQL queries are used to execute commands, such as data retrieval, updates, and record removal. Types Of SQL Injection Attacks : SQL Injection can be classified into three major categories In-band SQL Injection Inferential SQL Injection Out-of-band SQL Injection 1) In-band SQL Injections When the attacker uses the same communication c
Read more

XML Injection

Image
  XML injection is an attack technique used to manipulate or compromise the logic of an XML application or service.It allows an attacker to inject malicious and/or unexpected input that can break XML logic. Depending on the functionality and XML usage of an application, a successful XML injection may cause unauthorized access to resources and sensitive data disclosure. What is XML? ✔ XML stands for eXtensible Markup Language.  ✔ It is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. It is  designed to store and transport data. XML is  extensible and hence can be tailored according to the application. ✔ XML uses a tree-like structure (XML Tree structure) of tags and data where tags can be user defined. To interpret XML data, an application needs XML parser, also known as the XML processor. Example : An XML document is always descriptive and can be referred as XML tree structure. XML Entities :  XML entiti
Read more

DirtyCred : CVE-2022-2588

Image
  A vulnerability in the Linux kernel that allows data to be overwritten in arbitrary read-only files. Since unprivileged processes can inject code into parent processes, this vulnerability can lead to privilege escalation.  DirtyCred is a kernel exploit concept that exploits the heap memory reuse mechanism to obtain high privilege. This vulnerability is similar to the DirtyPipe  vulnerability ( CVE-2022-0847 ) impacting Linux kernel versions 5.8 and later. The attack includes 3 steps: 1.  Free an in-use unprivileged credential 2. Allocate privileged credentials in the free memory slot by triggering a privileged userspace process such as su, mount, or sshd 3. Operate as a privileged user Exploit in action: 1.      Login to the vulnerable machine and check the kernel version “ uname -a ” {The exploit works on most Centos 8 kernels higher than linux-4.18.0-305.el8 and most ubuntu 20 kernels higher than 5.4.0-87.98 and 5.11.0-37.41} 2.      Check the current user id and /etc/p
Read more