OWASP Top Ten – #7 Identification and Authentication Failures


Authentication and identification failures are once again a hot topic in web application security. Known as “Broken Authentication” in the 2017 OWASP Top 10, identification and authentication failures have fallen from #2 in 2017 to #7 in the OWASP Top 10 for 2021. That said, broken authentication is still a major issue for companies and organizations, and during web application penetration tests we often come across both authentication and authorization issues. But what are authentication and authorization, and how do they differ?


Identification and Authentication vs Authorization

Identification and authentication is the process of validating that a user is who they claim to be. This validation can be performed with one or more methods, including passwords, one-time PINs (sent via SMS or email), authenticator apps, or biometrics.

Authorization is the process of validating that a user who has already been authenticated has permission to perform a particular action. That action could be viewing data or creating/updating information.

Common identification and authentication failures

There are several identification and authentication failures that can jeopardize the security of websites and applications. A few of the most common include:

Lack of anti-automation controls

A lack of anti-automation controls allows an attacker to keep guessing passwords for user accounts until they find the correct one. This can be prevented with a CAPTCHA control on the logon page. It does not need to be shown to all users; it can be shown only after a few authentication failures. Another common method is to lock the account after a certain number of failed attempts. This could be a permanent lockout that requires the user to go through a password reset process, or a temporary, timed lockout.
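The two controls described above (a CAPTCHA that appears only after a few failures, and a timed lockout after more) combined in one login throttle. This is an added example, not Foresite's code or code from any particular framework; the thresholds, the in-memory per-username state and the simulated clock (`now` passed in as seconds) are all constructed for illustration. A production version would key on client IP as well and keep the counters in a shared store.

```python
"""Anti-automation controls around a login endpoint (added example, constructed).

Failures are counted per username in memory. After CAPTCHA_AFTER consecutive
failures a CAPTCHA is required; after LOCK_AFTER the account is locked for
LOCK_SECONDS. A successful login clears the counter. Thresholds are illustrative.
"""
from dataclasses import dataclass, field

CAPTCHA_AFTER = 3      # require a CAPTCHA once this many consecutive failures are seen
LOCK_AFTER = 5         # start a timed lockout once this many consecutive failures are seen
LOCK_SECONDS = 900     # length of the timed lockout (15 minutes)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # 0 means "not locked"


@dataclass
class LoginThrottle:
    """Decides, before a password is even checked, how a login attempt must be handled."""
    accounts: dict = field(default_factory=dict)

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def check(self, username: str, now: float) -> str:
        """Return 'ok', 'captcha' (a CAPTCHA must be solved) or 'locked' (refuse)."""
        st = self._state(username)
        if st.locked_until:
            if now < st.locked_until:
                return "locked"
            # Lockout expired: allow fresh attempts but keep the CAPTCHA requirement,
            # so a single further failure does not immediately re-lock the account.
            st.locked_until = 0.0
            st.failures = CAPTCHA_AFTER
        if st.failures >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, username: str, now: float) -> str:
        st = self._state(username)
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
        return self.check(username, now)

    def record_success(self, username: str) -> None:
        """A successful login resets the counters so the legitimate user is not penalised."""
        self.accounts.pop(username, None)


def process_attempt(throttle: LoginThrottle, username: str,
                    password_correct: bool, captcha_solved: bool, now: float) -> str:
    """Wrap a (simulated) password check in the throttle.

    Returns 'locked', 'captcha_required', 'failure' or 'success'. The password is
    deliberately not evaluated while a CAPTCHA is outstanding, so an automated
    guesser learns nothing about the password from those requests.
    """
    status = throttle.check(username, now)
    if status == "locked":
        return "locked"
    if status == "captcha" and not captcha_solved:
        return "captcha_required"
    if password_correct:
        throttle.record_success(username)
        return "success"
    throttle.record_failure(username, now)
    return "failure"


if __name__ == "__main__":
    t = LoginThrottle()
    for second in range(6):
        print(second, process_attempt(t, "alice", False, True, second))
    print("after lockout expiry:", t.check("alice", 5 + LOCK_SECONDS))
```

The important design point is that `process_attempt` consults the throttle first and never evaluates the password while a CAPTCHA is outstanding or the account is locked, so the attacker's requests return the same answer regardless of whether the guess was right.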

Lack of multi-factor authentication

Should an attacker discover a user’s password, multi-factor authentication – such as a one-time code emailed to the user or generated by an authenticator app – will still deny the attacker entry to the system.

Unprotected username storage

Storing the username in a cookie that is accessible to the client, without protecting the value, can also cause issues. If the session ID is not encrypted or otherwise protected, an attacker can change the parameter to that of another user and gain access to the system as that user. It is advisable to store the user’s details only on the server and to identify the user on the client side with an opaque ID value. The client-side session cookie should be protected with the HttpOnly, Secure, and SameSite cookie attributes.

Techniques used to exploit authentication failures

Attackers use a range of techniques to exploit identification and authentication failures. These can include:

  • Brute force/credential stuffing 
  • Session hijacking
  • Session fixation
  • Cross Site Request Forgery (CSRF)
  • Execution After Redirect (EAR)

Credential stuffing

Credential stuffing uses a list of known passwords, often obtained from the dark web, to attempt to determine authentic credentials and gain access. Applications that lack automated-threat or credential-stuffing protections can be used to determine valid username/password combinations, which can then be tried across other websites and applications.
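A credential-stuffing run looks different in the logs from a single user mistyping a password: one source tries many different usernames and mostly fails. The detection below is an added example, not Foresite's code; the log format (`timestamp client_ip username ok|fail`), the sample lines, the IP addresses and the thresholds are all constructed for illustration. It flags the source and lists the accounts whose credentials were confirmed valid from that source, which are the ones that need a forced password reset.

```python
"""Spotting a credential-stuffing source in login logs (added example, constructed).

Log line format assumed here: "<timestamp> <client_ip> <username> <ok|fail>".
A source is flagged when it attempts many distinct usernames with a low success
rate. Thresholds are illustrative and would be tuned per application.
"""
import re
from collections import defaultdict

LINE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")

# Constructed sample: one source sprays six accounts; one user retries their own password.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice fail
2024-05-01T10:00:02 203.0.113.7 bob fail
2024-05-01T10:00:02 203.0.113.7 carol fail
2024-05-01T10:00:03 203.0.113.7 dave ok
2024-05-01T10:00:03 203.0.113.7 erin fail
2024-05-01T10:00:04 203.0.113.7 frank fail
2024-05-01T10:00:10 198.51.100.2 alice fail
2024-05-01T10:00:15 198.51.100.2 alice fail
2024-05-01T10:00:20 198.51.100.2 alice ok
"""


def parse(log_text: str) -> list:
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "ok"})
    return events


def stuffing_sources(events: list, min_users: int = 5, max_success_rate: float = 0.25) -> dict:
    """Return {ip: summary} for sources whose behaviour matches credential stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "attempts": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok"] += 1
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
                # Accounts whose password the attacker has confirmed: reset these first.
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

The second source (one username, eventual success) is deliberately not flagged even though it fails twice; the per-account throttle from the anti-automation section is the right control for that pattern, while this check targets the many-accounts shape.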

Session hijacking

Session hijacking attacks happen when an attacker takes over a user’s internet session, usually by targeting browser or web application sessions.

Generally, a person logs into an account – typically a bank account, online store, payment portal, etc. – and the website sets a temporary “session cookie” in the browser, which allows the user to stay logged in and complete their business. A cyber criminal can hijack this session by gaining access to the user’s valid session, often by stealing the session ID held in the session cookie. Once the true user leaves, the criminal can continue to act as that user, allowing them to make transactions, steal credentials, and more.


Session fixation

Session fixation attacks are similar to phishing attacks in that the victim often unsuspectingly clicks on a malicious link. With session fixation, the attack begins before the user even logs into a site or web application. The attacker embeds a session token of their choosing into a URL, hidden form field, or cookie, so that the victim’s browser presents that token to the legitimate site. When the victim then enters their credentials, the authenticated session becomes associated with that session ID. The attacker, knowing the session ID, can access the user’s account.
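The server-side defence against both the unprotected-session-ID problem described earlier and the fixation attack described here: the client only ever holds an unguessable random ID, the username and role stay on the server, and the ID is replaced at login so whatever token the browser presented beforehand becomes worthless. This is an added example, not Foresite's code or any framework's session implementation; the in-memory store, the `Session` fields and the cookie name `sid` are constructed for illustration. The cookie header is built with the standard library's `http.cookies`, which emits the HttpOnly, Secure and SameSite attributes the article recommends.

```python
"""Server-side sessions with an opaque ID, rotated at login (added example, constructed).

Only the random ID reaches the client; user details live in the server-side store.
login() discards the pre-login ID and issues a fresh one, which defeats session
fixation because the attacker's chosen ID never becomes an authenticated session.
"""
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None   # None = anonymous, pre-login session
    role: str = "guest"


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable or enumerable

    def create(self) -> str:
        """Start an anonymous session (e.g. for a shopping basket before login)."""
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Only IDs this server issued are honoured; any other value is simply unknown."""
        return self._sessions.get(sid)

    def login(self, presented_sid: Optional[str], user: str, role: str) -> str:
        """Called after the password (and any second factor) has been verified.

        The ID the browser presented, whether issued by us or planted by an
        attacker, is dropped; the authenticated state lives only under a new ID.
        """
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, role=role)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, name: str = "sid") -> str:
    """Build the Set-Cookie value with the protective attributes from the article."""
    c = SimpleCookie()
    c[name] = sid
    c[name]["httponly"] = True       # not readable from JavaScript
    c[name]["secure"] = True         # only sent over HTTPS
    c[name]["samesite"] = "Strict"   # not sent on cross-site requests
    c[name]["path"] = "/"
    return c[name].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    planted = "attacker-chosen-id"          # constructed: an ID fixated via a link
    sid = store.login(planted, "alice", "user")
    print("planted ID still valid?", store.resolve(planted) is not None)
    print("Set-Cookie:", session_cookie_header(sid))
```

Two checks worth keeping in a test suite: the ID returned by `login()` must differ from the one presented, and the presented ID must resolve to nothing afterwards. If either fails, the application is fixation-prone regardless of how random its IDs are.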

Cross Site Request Forgery (CSRF)

Cross site request forgery uses social engineering to trick the user into submitting an unwanted action or malicious request. The attack borrows the identity and authorization of the victim to perform actions that the website cannot distinguish from genuine ones. It can use GET, POST, or other HTTP methods to make the user unknowingly transfer funds, change their email address, or take other actions.
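The standard defence is a synchronizer token: a random per-session value embedded in the application's own forms, which a page on another site can neither read nor forge even though the victim's browser will attach the session cookie. The handler below is an added example, not Foresite's code or any framework's CSRF middleware; the `session` dict, the form field name `csrf_token`, the allowed origin `https://bank.example` and the transfer action are constructed for illustration. It also refuses to change state on GET, which is what makes the "GET-based" variant mentioned above impossible, and cross-checks the `Origin`/`Referer` header where the browser sends one.

```python
"""Synchronizer-token CSRF protection for a state-changing request (added example, constructed)."""
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint (or reuse) the per-session token; embed it in forms as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


def _origin_of(headers: dict):
    """Scheme and host of the Origin header, or of Referer as a fallback; None if absent."""
    value = headers.get("Origin") or headers.get("Referer")
    if value is None:
        return None
    parts = urlsplit(value)
    return "%s://%s" % (parts.scheme, parts.netloc)


def handle_transfer(session: dict, method: str, form: dict, headers: dict,
                    allowed_origin: str = "https://bank.example") -> tuple:
    """Constructed request handler for a funds transfer. Returns (status, message).

    A forged cross-site request arrives with the victim's session (the cookie is
    attached automatically) but without the token, so it is rejected before any
    transfer happens.
    """
    if method in SAFE_METHODS:
        return (405, "state changes must use POST")
    if session.get("user") is None:
        return (401, "not logged in")
    origin = _origin_of(headers)
    if origin is not None and origin != allowed_origin:
        return (403, "cross-origin request rejected")
    if not csrf_token_valid(session, form.get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))


if __name__ == "__main__":
    sess = {"user": "alice"}
    token = issue_csrf_token(sess)
    print(handle_transfer(sess, "POST", {"csrf_token": token, "amount": "10", "to": "bob"},
                          {"Origin": "https://bank.example"}))
    print(handle_transfer(sess, "POST", {"amount": "10", "to": "mallory"},
                          {"Origin": "https://evil.example"}))
```

Note the order of checks: the method and the session are tested before the token, so an unauthenticated or GET request never reaches the comparison at all, and the token comparison uses `hmac.compare_digest` rather than `==` so that a mismatch is not timing-dependent.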

Execution After Redirect (EAR)

Execution After Redirect (EAR) attacks allow an attacker to ignore a redirect and retrieve sensitive content intended only for authenticated users. This type of attack can lead to DoS attacks on the server and IP address spoofing attacks, and can allow the attacker to obtain administrative functionality.
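The root cause of EAR is a handler that issues a redirect but does not stop executing, so the response carries both the `Location` header and the body the redirect was meant to protect; a client that simply ignores the redirect reads the body. The vulnerable and fixed handlers below, together with a check that a test suite can run against any redirect response, are an added example and not Foresite's code; the tiny `Response` class, the `/login` path and the placeholder report text are constructed for illustration.

```python
"""Execution After Redirect: the vulnerable handler beside the fixed one (added example, constructed).

A minimal response object stands in for a web framework. The only difference
between the two handlers is a single `return` after the redirect.
"""
from dataclasses import dataclass, field

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SECRET_REPORT = "quarterly figures (authenticated users only)"   # constructed placeholder


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: list = field(default_factory=list)

    def redirect(self, location: str) -> None:
        self.status = 302
        self.headers["Location"] = location


def admin_report_vulnerable(request: dict) -> Response:
    resp = Response()
    if request.get("user") is None:
        resp.redirect("/login")
        # BUG: no return here, so execution continues and the protected body is
        # still written into the 302 response. Ignoring the redirect reveals it.
    resp.body.append(SECRET_REPORT)
    return resp


def admin_report_fixed(request: dict) -> Response:
    resp = Response()
    if request.get("user") is None:
        resp.redirect("/login")
        return resp     # stop here: the redirect response carries no protected data
    resp.body.append(SECRET_REPORT)
    return resp


def leaks_after_redirect(resp: Response) -> bool:
    """Check to run over every redirect response in tests: a redirect must have an empty body."""
    return resp.status in REDIRECT_STATUSES and bool(resp.body)


if __name__ == "__main__":
    anonymous = {}
    print("vulnerable leaks:", leaks_after_redirect(admin_report_vulnerable(anonymous)))
    print("fixed leaks:     ", leaks_after_redirect(admin_report_fixed(anonymous)))
```

The same "redirect then return" discipline applies to any framework where a redirect is just a header on the response; where the framework instead raises an exception or returns a value that terminates the request, the bug cannot occur, which is one reason to prefer that style.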

Conclusion

Identification and authentication failures can cause serious issues for web application developers and users. One of the best ways to ensure your applications and users remain secure is regular web application penetration testing. At Foresite, our team of security experts has the knowledge and expertise to uncover these potential vulnerabilities, helping you to create a safer, more secure environment.

Robert Newman
