Security: Is Your Application Secure From Identification and Authentication Failures?
Introduction
Is your application’s authentication mechanism robust enough? Do you know whether the user accessing your application is real and legitimate? It is of the utmost importance to validate that the users of the application are who they claim to be and that they hold the correct access permissions. A lack of protection in authentication and access management leads to many security issues. These application vulnerabilities give an intruder room to exploit your application and steal your sensitive information. Additionally, intruders can gain access to features of your application that you believe are protected. Attackers may steal passwords, or use session information, keys or user identity parameters, to gain access to your data or system.
What are ‘Identification and Authentication failures’?
The ‘Identification and Authentication failures’ vulnerability, also known as ‘Broken Authentication’, is listed among the OWASP Top 10 most common web application vulnerabilities [1]. Identity and authentication are frequent keywords in secure applications.
Let’s see what these keywords mean.
Identification is the capability of a software application to uniquely identify a user or another application. Authentication is the process of confirming that a user is who they claim to be. The most common pieces of information used for identification and authentication are a user ID and a password.
The ‘Identification and authentication failure’ vulnerability breaks one or both of the properties in the definitions above. Attackers use a variety of techniques to break into your application.
Some of the most common techniques are:
- Brute force and credential stuffing
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session hijacking
- Session fixation
- Execution After Redirect (EAR)
- One-click attack
What causes ‘Identification and Authentication failures’?
An application can become vulnerable to a security breach in many ways. However, the most commonly reported causes are poor credential management and faulty session management. Intruders gain access to these information assets in order to impersonate the real user.
1. Unhealthy Credential Management
Applications manage user credentials, system keys and other secrets within the application boundary. There are many ways in which credentials can be revealed to non-legitimate users; two of the main ones are:
Weak Password: Many users choose simple passwords that are easy to remember but not strong enough to resist guessing. Dictionary attacks and similar techniques break weak passwords quickly, and some applications have no password policy that requires users to choose strong ones. Modern computers have enough computational power to run a brute-force or rainbow-table attack against a weak password in a short time.
Weak Cryptography algorithms: Software applications should use modern, secure cryptographic and password-hashing algorithms for credential management. Insecure algorithms such as MD5 or SHA-1 (fast, general-purpose hashes that are not suited to password storage) pave the way for information leakage once a credential store is exposed. Using a salted, deliberately slow password-hashing algorithm makes password cracking far more expensive.
2. Bad Session Management
Session hijacking is a common security issue that results from bad session management. An intruder steals the session information that the application issued to you during login and uses it to enter the application while impersonating you. If you are a privileged user with a higher level of permission, the damage an attacker can do is considerable.
Session Fixation [2] is another attack that incompetent session management makes possible. Here the intruder already holds a valid session identifier, typically one the application issued before any login, and forces the legitimate user’s browser to use it (for example via a crafted link). Once the user logs in on that fixed session, the intruder can act on the application on the user’s behalf. The intruder may also use XSS (Cross-Site Scripting) [3] techniques to exploit the session.
Preventive actions for Identification and Authentication failures
- Use strong passwords that are hard to crack.
- Use multifactor authentication for login.
- Lock user accounts after a specified number of failed login attempts.
- Invalidate session IDs on logout and keep session token lifetimes short.
- Use unpredictable patterns for session IDs.
- Do not expose session IDs in URL parameters.
- Rotate session IDs after login and invalidate the previous session ID.
- Rotate secure credentials (keys, IDs) periodically.
- Use strong encryption and password-hashing algorithms.
- Use SSL/TLS for all web application traffic.
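The credential-management weaknesses and session-management weaknesses described above, and the preventive actions just listed, can be seen together in one small in-memory authentication service: a password policy with a deny-list, salted slow password hashing, account lockout after repeated failures, unpredictable session IDs with a short absolute lifetime, and rotation at login so that a session ID fixed before authentication never becomes an authenticated session. This is an added illustration, not code from the original article or from eBuilder Security; the class and function names, the iteration count, the lockout threshold and the constructed deny-list are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Example parameters (assumptions for this illustration; tune them for production)
PBKDF2_ITERATIONS = 200_000          # deliberately slow hash: raise as hardware allows
MAX_FAILED_ATTEMPTS = 5              # lock the account after this many failures
SESSION_LIFETIME_SECONDS = 15 * 60   # short absolute lifetime for session tokens
# Constructed deny-list of well-known passwords (a real one would be far larger)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "correcthorsebatterystaple"}


def password_is_strong(password):
    """Minimal policy: a minimum length plus a deny-list of well-known passwords."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; the salt and iteration count travel with the hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified against when the username is unknown, so the response time does not
# reveal which usernames exist (the hashed value itself is never accepted).
_DUMMY_HASH = hash_password("dummy-password-never-accepted")


@dataclass
class Account:
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    username: str
    expires_at: float


class AuthService:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.sessions = {}   # session ID -> Session

    def register(self, username, password):
        """Refuse passwords that fail the policy; store only a salted slow hash."""
        if not password_is_strong(password):
            return False
        self.accounts[username] = Account(hash_password(password))
        return True

    def login(self, username, password, presented_session_id=None, now=None):
        """Return a fresh session ID on success, None on any failure."""
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None:
            verify_password(password, _DUMMY_HASH)  # burn the same time as a real check
            return None
        if account.locked:
            return None
        if not verify_password(password, account.password_hash):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked = True
            return None
        account.failed_attempts = 0
        # Rotation: whatever session ID the client presented before login is
        # discarded, so an ID fixed by an outsider never becomes authenticated.
        if presented_session_id is not None:
            self.sessions.pop(presented_session_id, None)
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[session_id] = Session(username, now + SESSION_LIFETIME_SECONDS)
        return session_id

    def current_user(self, session_id, now=None):
        """Resolve a session ID to a username; expired or unknown IDs yield None."""
        now = time.time() if now is None else now
        session = self.sessions.get(session_id)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[session_id]  # expired tokens are dropped, not renewed
            return None
        return session.username

    def logout(self, session_id):
        """Invalidate the session ID server-side."""
        self.sessions.pop(session_id, None)
```

The session store is a plain dictionary so that the rotation and expiry logic is visible; in a real deployment the same rules apply to whatever backing store holds the sessions, the session ID is sent only in a cookie (never a URL parameter) over TLS, and multifactor authentication is checked after the password step before a session is issued.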
Identifying the vulnerabilities of an existing system is a crucial task before an attack materializes. You may be launching a new software product to a wide audience over the internet, or your application may already be live and in use by a large audience. You cannot trade your application’s security for any other factor, because it impacts your business and, most importantly, your customers.
How eBuilder Security helps you to overcome ‘Identification and Authentication failures’
The web application security scanning service of eBuilder Security can scan your application and identify potential security threats due to ‘Identification and Authentication failures’ and many more web application vulnerabilities. It also checks password strength on authentication pages. The scanning report will give you a broad understanding of your application security status and suggestions to overcome almost all the identified vulnerabilities. With our trusted expertise and proven performance over the years, we are well-placed to secure your application from unforeseen potential threats.
References
[1] – https://owasp.org/www-project-top-ten/
[2] – https://owasp.org/www-community/attacks/Session_fixation
[3] – https://owasp.org/www-community/attacks/xss/