Common security issues in Authentication – Part 2
Welcome everyone to this second and final post of authentication testing series. In the first part, we saw the 4 major testings that should be kept in mind as a tester. But there are others also, which can pose danger if not tested properly.
Let’s go through the remaining ones.
- Weak security Question and Answer:
This seems interesting. You must have come across certain sites which ask for your security answer while providing the chosen question. These are used to recover “Forgotten Passwords.” Now sometimes the questions are so easy that they can be easily guesses using some amount of social engineering or it may already be known among your friends and colleagues.
Let’s say, The security question that you chose for unlocking an account was
"What is your mother's maiden name?" or "Which is your favorite Cricket team?"
Do you see how easy can it be to guess the answers? Not only this, but they can be vulnerable to dictionary attacks also.
So to prevent this, there is only one thing that can be done is to have some questions that can’t be easy to guess.
It can be something like
"What is your favorite quote?"
Now, this can be a little hard to guess and it’s not that easy to ask a person his favorite quote.
Again something like
"Which was the first thing you bought from your salary?"
Hard to guess right?
It is not full proof. But yes, you can’t make something 100% secure, so just try to increase the security as much as you can as a tester.
To know more about this topic, see this post.
- Weak security Question and Answer:
- Bypassing authentication:
This one is quite cool and seems like a hacker type thing to do.
It means that even unauthenticated user can trick the application into thinking that they are valid users of the application or even admin. It is mostly an access control flaw.
Suppose the application has implemented the access control in the login page only, now if the attacker requests for a confidential page via forced browsing, it may happen that the page returns a 200 OK without checking the credentials of the user.
For example, let’s say when you access your profile, the URL address is something like this,
where john400 is your user id.
Now, what if the website was build as described before and the attacker being a valid user tries to insert Admin or Administrator in place of john400,
It will open the profile page for the Admin. This is what is called a Direct Page Request. Just think about it and it will be crystal clear. You can change the user id to anything you want and you can see different results.
The other important issue is the prediction of session id value. Sometimes, the algorithm which generates the session id may provide linear results, as a result of which an attacker may be able to guess the session id which will then help him/her to impersonate the previously authenticated user.
Check this page for other authentication bypassing methods also.
- Testing for Remember Password:
It’s quite common nowadays, the browser asking to remember the password as soon as you enter the credentials.
Now, this can be quite useful to the user. But also, this can be quite helpful to the attacker. Let’s say for example that the attacker gains control of the victim’s browser through XSS, then all the saved passwords can be retrieved by the attacker. I think you can understand that a user can’t do anything in the above case to save him/herself like choosing a hard password. All that will matter is the security of the site he/she is visiting.
To combat this issue, as a tester you need to check if
- The credentials are stored in a cookie.
- verify if the credentials have been stored in encrypted form rather than being in clear text.
- Verify that the credentials are only sent during the login page and not with every request.
So keep these tests in mind.
This is all we had in mind for the authentication attacks. There are a lot more issues but we decided to stick with the most common ones. Now about the thing we wanted to share as a user and not as a tester.
Tips for users:
- Choose a hard password of more than 10 characters. A combination of small, capital, numbers and special characters will be the best and harder to guess.
- Don’t save the password in your browser. I know it’s a pain but try to remember your passwords or write it in your personal diary where only you can find them.
- Change your password every 3 months or less. It’s not that hard to change a password and after some time doing it, it will feel like a habit.
- Don’t enter your credentials on an insecure page using HTTP. Browsers like Chrome and Firefox also remind users if they are visiting a site that might steal your credentials. So stay away from sites like that.
These are some of the basics that you need to remember as a user. There are many others but that all depends on your common sense. So this is all for this authentication testing part. Hope you learned a lot of things. Also, see the below links to learn more about different testing techniques. It’s a cheat sheet from OWASP and very useful.
In case you want to ask anything, feel free to comment below and we will get back to you as soon as possible.
Till then, Have a great time and Happy hacking.:)