Common security issues in Authentication – Part 2

Web App Security
November 21, 2017

Welcome everyone to this second and final post of authentication testing series. In the first part, we saw the 4 major testings that should be kept in mind as a tester. But there are others also, which can pose danger if not tested properly.
Let’s go through the remaining ones.

  • Weak security Question and Answer:
    This seems interesting. You must have come across certain sites which ask for your security answer while providing the chosen question. These are used to recover “Forgotten Passwords.” Now sometimes the questions are so easy that they can be easily guesses using some amount of social engineering or it may already be known among your friends and colleagues.
    Let’s say, The security question that you chose for unlocking an account was"What is your mother's maiden name?" or "Which is your favorite Cricket team?"
  • Do you see how easy can it be to guess the answers? Not only this, but they can be vulnerable to dictionary attacks also.
    So to prevent this, there is only one thing that can be done is to have some questions that can’t be easy to guess.
    It can be something like
  • "What is your favorite quote?"
  • Now, this can be a little hard to guess and it’s not that easy to ask a person his favorite quote.
    Again something like
  • "Which was the first thing you bought from your salary?"
  • Hard to guess right?
    It is not full proof. But yes, you can’t make something 100% secure, so just try to increase the security as much as you can as a tester.
    To know more about this topic, see this post.
  • Bypassing authentication:
    This one is quite cool and seems like a hacker type thing to do.
    It means that even unauthenticated user can trick the application into thinking that they are valid users of the application or even admin. It is mostly an access control flaw.
    Suppose the application has implemented the access control in the login page only, now if the attacker requests for a confidential page via forced browsing, it may happen that the page returns a 200 OK without checking the credentials of the user.
    For example, let’s say when you access your profile, the URL address is something like this,http://transactions.xyz.com/users/john400
    where john400 is your user id.
  • Now, what if the website was build as described before and the attacker being a valid user tries to insert Admin or Administrator in place of john400,
  • https://transactions.xyz.com/users/Admin
  • It will open the profile page for the Admin. This is what is called a Direct Page Request. Just think about it and it will be crystal clear. You can change the user id to anything you want and you can see different results.
  • The other important issue is the prediction of session id value. Sometimes, the algorithm which generates the session id may provide linear results, as a result of which an attacker may be able to guess the session id which will then help him/her to impersonate the previously authenticated user.
  • Check this page for other authentication bypassing methods also.
  • Testing for Remember Password:
    It’s quite common nowadays, the browser asking to remember the password as soon as you enter the credentials.
    Now, this can be quite useful to the user. But also, this can be quite helpful to the attacker. Let’s say for example that the attacker gains control of the victim’s browser through XSS, then all the saved passwords can be retrieved by the attacker. I think you can understand that a user can’t do anything in the above case to save him/herself like choosing a hard password. All that will matter is the security of the site he/she is visiting.
    To combat this issue, as a tester you need to check if
  • The credentials are stored in a cookie.
  • verify if the credentials have been stored in encrypted form rather than being in clear text.
  • Verify that the credentials are only sent during the login page and not with every request.

So keep these tests in mind.

This is all we had in mind for the authentication attacks. There are a lot more issues but we decided to stick with the most common ones. Now about the thing we wanted to share as a user and not as a tester.

Tips for users:

  1. Choose a hard password of more than 10 characters. A combination of small, capital, numbers and special characters will be the best and harder to guess.
  2. Don’t save the password in your browser. I know it’s a pain but try to remember your passwords or write it in your personal diary where only you can find them.
  3. Change your password every 3 months or less. It’s not that hard to change a password and after some time doing it, it will feel like a habit.
  4. Don’t enter your credentials on an insecure page using HTTP. Browsers like Chrome and Firefox also remind users if they are visiting a site that might steal your credentials. So stay away from sites like that.

These are some of the basics that you need to remember as a user. There are many others but that all depends on your common sense. So this is all for this authentication testing part. Hope you learned a lot of things. Also, see the below links to learn more about different testing techniques. It’s a cheat sheet from OWASP and very useful.

https://www.owasp.org/index.php/Authentication_Cheat_Sheet

In case you want to ask anything, feel free to comment below and we will get back to you as soon as possible.
Till then, Have a great time and Happy hacking.:)

Related posts :
Web App Security
Web App Security
January 16, 2023

A New Approach To Learn Cyber Security: VantagePoint

VantagePoint is designed to test participants' knowledge and skills in identifying and exploiting vulnerabilities by providing a variety of challenges & feedback...
Read More
Web App Security
October 12, 2017

How To Approach For XSS Hunting In A Web Application

Hi, every security enthusiast out there. In this blog, we are going to tell you how to approach to find Cross-Site Scripting…
Read More
Web App Security
March 14, 2018

Bypassing Access Control to see the private videos of a user

Hello security professionals. In the last post, we talked about the XSS finding in the recent penetration test conducted by…
Read More

Mobile App Security

Mobile App Security
April 17, 2022

An analysis of the modern mobile applications for data security

Mobile phones have become an imperative portion of our daily lives. People nowadays prefer to keep every bit of information regarding personal and professional life on their mobile phones.
Read More
Mobile App Security
November 26, 2019

Awesome Android Application Security

Android Application Security This is a write-up of Android Application Security resources and tools which helps in Android...
Read More
Mobile App Security
October 25, 2019

Awesome iOS Application Security

This is a repository of iOS Security resources and tools which can be used in iOS pentesting and security research. It’s a ...
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2024, All Rights Reserved