Authentication is the way toward confirming the identity of a user by ensuring that they truly are who they claim to be. Generally by design, the Web applications are exposed to any individual who is associated within the internet. In this manner, powerful authentication mechanisms are an indispensable part of the effective web application security.
Any security imperfection produced as a consequence of the error in implementation of authentication mechanism and session management falls under the broken authentication. In simpler words, broken authentication attacks permit the perpetrator to either gain access or bypass the user authentication system of a web application.
Authentication vs Authorization
The process of Verifying whether a user is allowed or permitted to perform an action is the authorization, whereas the process of verifying a user who they really claim to be is the authentication.
Types of Attacks to Exploit Authentication flaws
- Man in the Middle Attacks — Permits an attacker to gain access to data in transit and pose as the solitary proprietor of the account. This attack can be executed by intercepting a dedicated network connection. To such attacks, even the encrypted data is helpless against the strategies of an attacker since the culprit can trick the victim into downloading a malicious certificate to decrypt the data.
- Credential Stuffing — Large numbers of breached credentials are automatically injected into the application with the help of bots until they are potentially matched to an existing account. As a result of that the attacker can hijack for their own purposes.
- Password Spraying — In Password Spraying attacks, the attacker goes around basic countermeasures such as account lock out by “spraying” the same password over numerous accounts prior to attempting another password.
- Broad based Phishing campaigns — Accessing a couple of main accounts, particularly admin accounts which can compromise the entire application.
The Root Causes of Broken Authentication
- The passwords might not be encrypted either in storage or transit.
- The URL might contain the session id and leak it in the referrer header to someone else.
- Timeouts not implemented right or using HTTP (no SSL security) & Session hijacking might be possible.
- The session ids might be predictable, thus gaining access is trivial.
- Session fixation might be possible.
- Unprotected APIs that are considered as internal.
7. Authentication susceptible to brute force attacks and credential stuffing.
Broken Authentication, After-effects
The main targets of Broken authentication are session tokens, user credentials, keys or any other entities dealing with the identity of the users of a system. The flaws in session management and authentication mechanism permits an attacker to target a specific account or a group of account holders which provides the full access to harm the victim in many ways.
- Data breaches
- Administrative access
- Sensitive Data exposure
- Expose numerous user accounts
- Identity theft
Also, it is possible to act as an impostor to malign the personal relationships of the victim and Selling the compromised credentials to the other parties.
Protecting against Broken Authentication
- Error Responses — When an authentication request fails, the error response should not be specific as the reason for failure (“Invalid password”). It should be more generic as “Invalid username and/or password.”
- Protection Against Brute-Force Attacks — Limit the number of invalid login attempts, which will discourage the attacker (disable the account for a specific period)
- Multifactor Authentication — It will make more difficult for an attacker to gain the access.
- Password Length — Generate a minimum of eight-character long strong password which makes the brute-force attacks harder.
- Password Complexity — Define your password alphanumeric which increases its complexity.
Conclusion
Broken Authentication Vulnerability is a critical issue in the event that it is prevailing in a Web Application since such loopholes can cause the Organization a large attack in terms of Data Breaches. Generally, it is simple for inspired attackers to sneak past on the grounds that even companies with enormous budgets for security often neglect these basic security defects. It is similar to barring every window in your home while leaving the front door fully open. The clearest approach to avoid this flaw is utilizing a framework since it may be able to implement this accurately, but the former is much easier and accurate.
If you any doubts feel free to ping me Fazal(fazalur rahman)
