Common security issues in Authentication – Part 1

November 21, 2017

Hey, everyone. This topic of authentication testing will actually be divided into two posts as it is quite a long topic and we have to share quite a things with you all. So, in this first post, we will tell you about one of the most common vulnerability that most of the web applications have. It’s the most basic type of vulnerabilities that a company should really avoid as these can be a gateway to the administrative privileges as well as a violation of user privacy.

What is Authentication actually?

Authentication basically means verifying the identity of someone or something. In security terms, you can think it of as verifying the digital identity of the person.

Why is proper authentication testing important?

Many times, what happens is that company takes fewer measures against these type of vulnerabilities and that’s why they are in the second position of the OWASP TOP 10 vulnerabilities. There is a long list of things to be done for making the web application safer against these attacks. Let’s go through them one by one.

Testing

  • Password Policy:
    You must have seen something like this thing a lot of times."Please use a small letter, capital, and a special character to make your password"
    This is what is called a password policy. Attackers have got many lists of password files. These files contain the list of the worlds’ most common passwords. If something like a password policy won’t be in place, many normal working person or students will try to choose easy passwords such as their date of birth or their name or it can be anything which they can remember easily.
    It’s actually a normal thing. Not everyone will think in sense of security. That’s why as a tester you need to make sure that the web application is using a good password policy. It enforces the user to choose a hard password so that it can’t be guessed easily through Social Engineering. Not only this, for corporate websites there should be a mandatory change of passwords every 2 or 3 months. A good password policy can be
  • "The password cannot be less than 10 characters. It must contain a small, capital, a number, and a special character".
    Now this kind of password will take a lot of time to be hacked. But yes they can also be hacked so try to keep the password as long as you can.
    Also, as a tester check if common passwords have been banned. So the first thing is to prepare a strict password policy.
    Take a look at this page for further details.
  • Test if the credentials are transported securely:
    A strict password policy won’t matter if it is not transported securely. Many websites even now are using HTTP at the login page. Now the attacker can get a chance to sniff the data being sent by the browser to the web server. All the details sent on an HTTP page is just plain text. It will mean complete privacy violation of the user. An attacker will thus get the user’s password and can do what he wants. If you can’t relate it to something major just think,"What can someone do if they have my Facebook's username and password?" .;)
    Easier to guess right? From bad to worse.
  • That’s why it becomes important that the details are sent over HTTPS(supporting TLS because SSL versions are also not secure). HTTPS encrypts the details so that even if someone gets it, it will just be garbage details. So a tester needs to check if the user details are being sent through an encrypted channel or not.
    Take a look at this link below for reading in depth about this.
  • Default credentials:Now, these can be called the dumbest mistakes. Admins having the username and password as Admin:admin, people leaving their router password to be default are just waiting for malicious people to hack into their accounts. A tester needs to check for default credentials. This is quite a common mistake with system administrators.Not only this, many times web app developers write the password in the comment section which you can find in the source code. Do you realize, how much effect will it make if you can just break into the database accounts of Microsoft’s server? Don’t worry, Microsoft has better security than this. We were just giving an example of how lethal the damage can be to a company. So as a tester better check for this because passwords like password, passwd, letmein, pass123 are quite common ones among the developers.;)
    Check out this page of OWASP to learn more about testing for Default Credentials.
  • Testing for weak lockout mechanism:This is an important part of testing. Let’s suppose a tool takes a list of passwords and keep brute-forcing the password on the login page. At some point in time, the tool will eventually break the password. Not only this, many attackers try to do it manually by inserting different passwords that are commonly used or guesswork through social engineering. Now how to stop it?The easiest solution for this is to choose a good lockout mechanism. A tester can try brute forcing on their account and if even after countless attempts the application doesn’t lock you, you need to consider it as a vulnerability. A good lockout mechanism can be that after 5 unsuccessful login attempts, you will need to wait for 30 mins or so to again try logging in. Now this will be a greater hindrance to password brute forcing.
    Also, it might happen that an attacker knows a username and tries guessing the passwords, which in turn locks the valid user from using his account. Now, this can be a major problem for a valid user. So there should be a way of telling the user, how to unlock the account on the registered email or phone number.
    Have a look at this page for further details.

Now, these 4 are the most important things to test in the authentication testing. We will be keeping it short so that you can focus on learning more about these 4 and take appropriate countermeasures.
We will discuss the other ones in the next part. Also, we will be sharing some of the things that you should most probably do not as a tester but as a normal user.

So take a look at these attacks as these are easier to test amongst other vulnerabilities.
Feel free to comment below if you didn’t understand anything or have any queries.

Till then, Keep Learning and go Start Hacking now..!!!