Authentication Vulnerabilities

HackersArsenal's video WhyYou Still Can’t Hack Anything (VERY SPECIFIC) hits many good points. As I watched Rana Khalil’s Authentication Vulnerabilities| Complete Guide, I was able to make connections between the fundamentals that I learned from Google’s Professional Cybersecurity course and studying for the CompTIA Network+ and Security+ to what Rana was teaching.

Tools are the most useful when you understand:

·        How data moves

·        How systems communicate and

·        Where assumptions fail

And knowledge gets rusty so I need to make it part of my routine to review the fundamentals and understand a little more in-depth, so NetworkChuck’s Free CCNA 200-301 Complete Course is now on my schedule.

An in case you need a really quick refresher on BurpSuite, check out Hacker Blueprint’s Burp suite Explained in 100 Seconds.

Before embarking on the next part of the BurpSuite Server-side vulnerabilities path, I thoroughly went through Rana’s Authentication Vulnerabilities | Complete Guide video. Here are my notes.

Authentication vulnerabilities arise from insecure implementation of the authentication mechanisms in an application.

This could be result of:

·        Business logic flaw

·        Design flaw or

·        Configuration flaw

Most common examples:

·        Weak password requirements

·        Improper restriction of authentication attempts (for example, OTP tries do not get restriction)

·        Verbose error message (you give the attacker information to go on, such as the error message changes depending on if you gave an incorrect username versus an incorrect password)

·        Vulnerable transmission of credentials (for example, the app uses HTTP instead of HTTPS to transmit login credentials)

·        Insecure forgot password functionality

·        Defects in multi-stage login mechanism

·        Insecure storage of credentials (for example using plaint text, encrypted, or weekly hashed password data stores)


Rana recommends being level 5 and up to be secure in today’s digital landscape:


Credit: https://danielmiessler.com/blog/casmm-consumer-authentication-security-maturity-model


Testing Weak Password Complexity Requirements

·        Review the website for any description of the password rules.

·        If self registration is possible, attempt to register several accounts with different kinds of weak passwords to discover what rules are in place.

o   Very short or blank

o   Common dictionary words or names

o   Password is the same as the username

·        If you control a single account, and password change is possible, attempt to change the password to various weak values.

Testing for Improper Restriction of Authentication Attempts

·        Manually submit several bad login attempts for an account you control. (Testing if there is brute force protection.)

·        After 10 failed login attempts, if the application does not return a message about account lockout, attempt to log in correctly. If it works, then there is no lockout mechanism.

o   Run a brute force attack to enumerate the valid password. (Tools: Hydra, Burp Intruder, etc.)

·        If the account is locked out, monitor the requests and responses to determine if the lockout mechanism is insecure. (For example, of cookies track the number of login attempts, can you change the lockout mechanism cookie?)

Important: Apply this test on all authentication pages

 

Testing the Verbose Error message

·        Submit a request with a valid username and an invalid password.

·        Submit a request with an invalid username and invalid password.

·        Review both responses for any differences in the status code, any redirects, information displayed on the screen, HTML page source, or even the time to process the request. (Tool: Burp Comparer.)

·        If there is a difference, run a brute force attack to enumerate the list of valid usernames in the application.

Important: Apply this test on all authentication pages

 

Testing Vulnerable Transmission of Credential

·        Perform a successful login while monitoring all traffic in both directions between the client and server.

·        Look for instances where credentials are submitted in a

o   URL query string or as

o   a cookie, or are

o   transmitted back from the server to the client.

·        Attempt to access the application over HTTP and if there are any redirections to HTTPS.

Testing Insecure Forgot Password Functionality

·        Identify if the application has any forgotten password functionality.

·        If it does, perform a complete walk-through of the forgot password functionality using an account you have control of while intercepting the requests / responses in a proxy.

·        Review the functionality to determine if it allows for username enumeration or brute-force attacks.

·        If the application generates an email containing a recovery URL:

o   Obtain a number of these URLS and attempt to identify any predictable patterns or sensitive information included in the URL.

o   Also check if the URL is long lived and does not expire.

 

Testing for Defects in Multistage Login Mechanism 

(Very similar to Testing Insecure Forgot Password Functionality)

·        Identify if the application uses a multistage login mechanism.

·        If it does, perform a complete walk-through using an account you have control of while intercepting the requests / responses in a proxy.

·        Review the functionality to determine if it allows for username enumeration or brute-force attacks.

Testing Insecure Storage of Credentials

·        Review all the application’s authentication related functionality. If you find any instances where the user’s password is transmitted to the client (plaintext or obfuscated, this indicates the passwords are being stored insecurely.)

Internal testing without tools:

·        If you gain remote code execution (RCE) on the server, review the database to determine if the passwords are stored insecurely.

·        Conduct technical interviews with the developers to review how passwords are stores in the backend database.

Important: Apply this test on all authentication pages

 

How to Prevent Authentication Vulnerabilities

·        Whenever possible, implement multi-factor authentication.

·        Change all default credentials.

·        Always use an encrypted channel / connection (HTTPS) when sending user credentials.

·        Only POST requests should be used to transmit credentials to the server. (Never use GET requests to transmit credentials to the server because they are transmitted in the URL.)

·        Stored credentials should be hashed and salted using cryptographically secure algorithms.

·        Use identical, generic error messages on the login form when the user enters incorrect credentials.

·        Implement an effective password policy that is compliant with NIST 800-63-b’s guidelines.

o   Use a simple password checker to provide real time feedback on the strength of the password.

·        Implement robust brute force protection on all authentication pages.

·        Audit any verification or validation logic thoroughly to eliminate flaws.

Comments

Post a Comment

Popular posts from this blog

Resources, Tips, and Techniques that Helped Me Pass the CompTIA Security+ Exam

Image
After completing the Google Cybersecurity Certificate program, the next step on my to-do list was to pass the CompTIA Security+ Exam. Exam Prep Time How long does it take to study and prep for the exam? It depends on your knowledge, experience, and background. It also depends on how quickly you can study and learn. I have seen Reddit comments that give the range from 1-2 weeks to several months.  ​ My Background I am going to be upfront and say that the Google cybersecurity program was NOT enough to pass the Security+ exam. Don’t get me wrong, it was a very informative course with lots of practical knowledge. However, the CompTIA Security+ exam covers A LOT! Also, I did not do the Network+ certification nor did I have two years of network admin experience. My background in software development and IT has mainly been in technical writing, manual QA testing, and doing computer troubleshooting and fixing for myself and friends and family. I decided to set two goals:    ...
Read more

Protecting Our Elders: A Comprehensive Look at Social Engineering Threats and Proactive Steps for Families

Image
As our parents get older we will often find our roles reversed. Us (adult) kids aren’t just tech support, now it’s our responsibility to parent our parents through monitoring their online activity and protecting them from scams. Social Engineering Scams It’s not just tech. Criminals know it is easier to trick a person than to hack a computer. From the age old ‘ don’t talk to (internet) strangers ’ to ‘ don’t click suspicious ’ links, here are the seven social engineering psychology principles scammers will use (which I learned from studying for the CompTIA Security+ Exam), the possible scams they’ll try to pull, and how to thwart or prevent the scams. Psychology Principle Scam Example (Targeting Senior Citizens) How to Thwart or Prevent the Scam Authority IRS or Social Security Impersonation: Attacker calls claiming to be from the IRS or Social Security Administration (SSA).  They state the victim owes back taxes or that...
Read more

Network+ Deep Dive: Where Firewalls, Load Balancers, and APs Fit in the OSI Model

Image
OSI Model or Open Systems Interconnect model: It is important to remember that this is a theoretical framework, meaning that it is just one way of thinking about networking. What happens at each layer? The table below shows examples of what exists at each layer, mainly hardware at the physical layer and protocols on the other layers. OSI Layers Which Headers Can Be Added at this Layer What happens on these layers Application SMTP, HTTP, FTP, HTTPS, P2P, DNS, etc. Header is added to the data (whether it is an HTTP header, SMTP, etc.) Presentation   Handles data formatting, encryption, and compression to ensure data is in a usable format for the application layer. Session   Managing and controlling connections between devices, including establishing, maintaining, and terminating sessions. Transport TCP, UDP, etc. ...
Read more