Web Security Researchers, Learn All You Can About Broken Authentication Flaws

All-About-Broken-Authentication-Flaws

Hey guys today, I will be talking about Authentication. This blog post will cover each and every possible vulnerability which falls under broken authentication

Difference between Authentication & Authorization

Authentication

The identity of users is validated during the authentication process before they are granted access to the system. Users or individuals are validated during the authentication procedure. It is completed prior to the authorization procedure. It normally requires the user’s login credentials. Authentication decides whether or not someone is a user.

Authorization

The authority of the individual or user to access the resources is evaluated during the authorization procedure. Users or individuals are validated during this process. This procedure is carried out after the authentication procedure has been completed. It does, however, require the user’s privileges or security levels. While it makes a difference, what rights does the user have?

Broken Authentication & Session Management Flaws

Finding vulnerability the both mechanism, Involves various techniques and attack. Authentication & authorization has number of different vulnerability. In will discuss few vulnerability in this blog post

Forced Browsing technique

The authentication model could be evaded if a web application simply implements access control on the log in page. If a user requests a different page directly via forced browsing, the page may not validate the user’s credentials before allowing access. To test this strategy, try directly accessing a protected page through your browser’s address bar. For example if the site is protected via login page http://example.com/admin/login you can try to request the dashboard page via locating https://example.com/admin/dashboard. Some time it bypass the authentication mechanism

Tampering parameter

This vulnerability occurs when the application identify the authentication on the basis on fix parameter value for example yes or no. it doesn’t validate the authentication information These settings could be changed by a user to get access to the restricted regions without giving proper credentials. The “authenticated” option is updated to “yes” in the example below, allowing the user to get access. The parameter is in the URL in this case, but a proxy might also be used to modify the parameter, especially if the parameters are delivered as form elements in a POST request or are stored in a cookie. For example if the URL contain authenticated parameter. https://example.com/admin?isauthenticated=no an attacker can try to change the parameter value to yes https://example.com/admin?isauthenticated=yes . this could lead to bypass the authencation mechanism

Session Token in URL

Sometime session token may be visible in the URL, User facing which is responsible for authentication. If the session token in predictable or enumerable to numeric value only this can sometime lead to bypass the authentication to user account. If the SSL certificate is not installed an attacker in the local network can do mitm in order to retrieve the session token from GET request which would eventually lead to account takeover For example: https://example.com/user?sessionid=88477744 if such URL is visible in browser. any attacker can copy-paste the URL and can logged in

Brute forcing

Brute forcing is the one such common way to bypass the authentication. Specifically when it comes to numeric value. Brute force works like charm. If rate limit is not implemented after an invalid password attempt. It is possible to brute force the password to guess the valid one. Tools to Use for Brute force Such as Burp suite, Hydra.

JWT Mechanism

A common Understanding of JWT token is it’s used for both authentication & authorization it depends upon the application developer mindset. Here we will be discussing about the authentication flaws that exist in JWT mechanism. A well format JWT token will look like this with 3 part of token with divided by dot. Header, Payload, Signature here is the sample token.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UiLCJ1c2VyX25hbWUiOiJqb2huLmRvZSIsImlzX2FkbWluIjpmYWxzZX0.fSppjHFaqlNcpK1Q8VudRD84YIuhqFfA67XkLam0_aY

The header provides information about the token, such as the signature algorithm and the type of token (which is simply JWT). The header before encoding in this case is: { “alg”: “HS256”, “type”: “JWT” }

The payload contains information (claims) about the entity (user) that the programme will verify. The following claims are included in our sample token

{ “name”: “Arjun Singh”, “user_name”: “Arjun.singh “, “is_admin”: false }

Finally, depending on the algorithm given in the header, we must base64url encode the header, dot, and payload before signing the entire thing with a secret (for symmetric encryption) or a private key (for asymmetric encryption). Because the header contains HS256, a symmetric algorithm, the encoding and signing operation will be:

HMACSHA256( base64UrlEncode(header) + “.” + base64UrlEncode(payload), secret)

This generates the following signature, which is subsequently appended to the base64url-encoded header and payload (after a dot):

fSppjHFaqlNcpK1Q8VudRD84YIuhqFfA67XkLam0_a Failure to verify to token can lead to bypass authentication & authorization to gain the access any other user. These approaches are sometimes mixed up by developers. The signature is never validated in this situation, and the application will accept any token (in a valid format). Developers may also forget to re-enable signature verification after doing tests. Such errors may result in unauthorised account access or privilege escalation. For example: we have token that doesn’t verify. { “alg”: “HS256”, “type”: “JWT” }. { “name”: “Arjun singh”, “user_name”: “Arjun.singh”, “is_admin”: false }

To get escalated privileges, an attacker may deliver the following token with an arbitrary signature

{ “alg”: “HS256”, “typ”: “JWT” }. { “name”: “ Arjun singh “, “user_name”: “Arjun singh”, “is_admin”: true }

Takeaway

For developer: An authentication mechanism are critical function for application, the developer should make sure to tightly implement Security to avoid Broken Authentication & Session Management flaws

For Penetration tester: The pen tester or security researcher should lookout for what kind of authentication mechanism has been implemented. According the the scenario an action needs to be taken.

About Payatu

Payatu is a research-powered, CERT-In empaneled cybersecurity consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.

Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.

Subscribe to our Newsletter
Subscription Form
DOWNLOAD THE EBOOK

Fill in your details and get your copy of the ebook in few seconds

Ebook Download
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download ICS Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Cloud Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Code Review Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Red Team Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download DevSecOps Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download Product Security Assessment Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download AI/ML Sample Report
DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Download IoT Sample Report

Let’s make cyberspace secure together!

Requirements

Connect Now Form

What our clients are saying!

Trusted by