Professional Documents
Culture Documents
INF 203
Authentication
Often sites have restricted non-public functionality. To access this resources
user must go through login functionality. First of all, he must identify himself. But if
I’m identifying myself as Bill Gates, it doesn’t mean that I’m one. As a result, I
must authenticate, i.e., determine that I’m really who I claim to be. In real world it
would be showing a passport or driver’s license.
So, authentication is an act of confirming the identity. This process ensures
that contents are accessed only if the user has the rights to do so.
For example, we often login with username and password. In such cases,
username – is an identification of user, when password is authentication factor of
that user.
Authorization
Authorization is the function that specifying what you are able to do.
Authentication and authorization both are similar words, and often
confused for each other, so keep in mind the difference.
For example, if you are a student, and you can claim that you are a teacher and read
a lecture – you broke authentication mechanism (you verified yourself as a different
person). If you able to go into teachers lounge, where all know that you are a
student, and still put marks for recent exam instead of actual professor – you broke
authorization mechanism (you performed an action, that you normally cannot do)
The ways in which someone may be
authenticated called authentication factors. They can
be based on what user knows, owns or is. There are 3
types of factors:
• Knowledge factors – something that user knows, e. g.
Authentication password, PIN, secret question.
factors • Ownership factors – something that user has, e. g.
security token, mobile phone, bank card.
• Inherence factors – something that user is or does,
e.g., fingerprint, retinal pattern, DNA sequence,
signature, face, voice, unique bio-electric signals, or
another biometric identifier.
Single-, two- and
multi-factor
authentication
The single-factor authentication requires a user to
provide just one of the factors.
CONFIDENTIAL
Credentials over unencrypted
channel
Let’s dig into common vulnerabilities for username +
password authentication.
First of all, all sensitive data, including credentials, must
be transmitted over encrypted channel.
Because of star-topology of ethernet and wi-fi based
networks, all the hosts in the local network see unencrypted
traffic from other hosts, so sniffing is an easy option. But if it
somehow not possible – attacker still may be able to
perform Man-In-The-Middle (MITM) attack and intercept the
credentials. It is crucial for web application to use HTTPS or
other protocols with encryption.
Inadequate Password Policy
A simple passwords can be easily guessed or brute-forced, so it is
an application job to ensure that users can choose only strong
passwords.
Typing credentials each time when you are visiting a web site is an
exhausting. To avoid that, applications often introduce the
remember me functionality. It allows to remember user for a
long time after one successful login. It can be implemented by using
browser cache, by saving credentials in web storage or cookie.
The password input field must not be cached, because if attacker will
access the cache – it will easily recover passwords from there.
Especially when you are using a public computer. To be protected
from such attack, applications must disable the cache by using
autocomplete=“off” attribute.
Remember me
Application may store credentials in the cookie for
remember me functionality, or give a user session id with a
long lifetime. The first variant is bad and insecure, because if
attacker would be able to steal the cookie, it receive not
limited in time access to application, but full and as a bonus
if password was stored unencrypted will try to use this
credentials on other resources that the same user uses.
Cookie can be stolen with XSS in cases when it does not
have HttpOnly flag or with MITM attacks.
With a Web Storage situation is similar to cookie, but we
don’t have a XSS protection. Best defense is not to store
passwords on client side. And at least encrypt them if do.
Password reset feature
Users who forgot their passwords must have a way to
reset it. And surely it must be safe.
Usually, it is implemented by sending email to the
user with a new password or a password reset link.
As a first step to improve this process is to ask a
secret questions before sending the email. Answers to those
questions usually added by user upon account creation. And
they must be known only by the owner of the account, so it’s
just like another password.
Applications must suggest recommendations for it, so
user won’t choose easily guessed answers.
Logout weaknesses
Another session weakness can exist in
logout. It is can occur either when session
timed out or when user voluntarily logs
out.
On the server side, a logout is freeing up
the session data that corresponds to
session id. If server does it improperly or
not does at all, an attacker can reuse this
session after gaining a session token that
was previously used even if user have been
logged out.
CAPTCHA
•Completely Automated Public Turing test to tell
Computers and Humans Apart or CAPTCHA is a test
used by many web applications to ensure that the
response is not generated by a computer.
CONFIDENTIAL
Bypassing authorization
Lets dig into another set of common vulnerabilities that bypass authorization.
Usually this kind of vulnerabilities exist because of logical errors in application code.
First is Broken Access Control. It occurs when restrictions on what authenticated users
are allowed to do not properly enforced. As an old OWASP Top 10, this vulnerability
was divided into two: Insecure Direct Object Reference (IDOR) and Missing Function
level Access Control (MFAC). First occurred when user was able to access resources
that he wasn’t allowed to access and second occurred when user was able to perform
an action (function) that he wasn’t allowed to do. But this classification confused a lots
of people, so it was decided to merge both of them into one.
Broken access control
For resource access it usually an easy exploitation: attacker can
simply change a parameter value (such as fileID) that refers to
another object. Link can look like this:
http://example.com/download?id=101. The first thing is to try
different IDs and determine a files that not ours. If you are able to
view foreign file – it is a Broken Access Control vulnerability.
The same is for the actions, if you see a word view in URL, you
probably can change it to edit or delete and see what happens. The
same with GET/POST->PUT/DELETE verbs.