If you are not already familiar with the concept of Weak Authentication vulnerabilities, please see the article entitled “What Is Weak Authentication?”.
Recognizing Weak Authentication
The overall strength of an application’s authentication mechanism should be proportional to the value of the assets being protected. An application that protects highly valuable information and/or capabilities should feature a strong authentication solution like multi-factor authentication. The failure to match authentication rigor to asset value represents a Weak Authentication vulnerability.
Testing For Weak Passwords
In a white-box testing scenario (in which you are working with the application developers or owners), minimum password strength can be determined and tested quite easily by obtaining a user account and attempting to change its password to deliberately weak values. Applications that fail to enforce “reasonable” (in relation to the value of the assets at risk) minimum password strength (i.e. length and character-set requirements, and ideally a check against lists of commonly used passwords) can be said to exhibit a Weak Authentication vulnerability. [Note that what is reasonable may depend on the application's stated requirements, and that in their absence this can require debate and discussion.]
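A systematic way to carry out the white-box check above, as an added example that is not code from the original article: derive one candidate password per rule of the published policy, each breaking exactly that rule and no other, and submit each as a password change for a test account. Any candidate the application accepts names the rule it is not enforcing. The POLICY values and the weak_change_password stand-in are assumptions constructed for this example; against a real target, weak_change_password would submit the change form and report whether the change succeeded.

```python
# Added example, not code from the original article: probe a password-change
# endpoint with candidates that each break exactly one rule of the policy the
# application claims to enforce, so that every acceptance pinpoints a gap.
# POLICY and weak_change_password are assumptions constructed for this example.

POLICY = {"min_length": 12, "upper": True, "lower": True, "digit": True, "symbol": True}


def boundary_candidates(policy):
    """Return {label: candidate}. `compliant` satisfies every rule; each other
    candidate is derived from it by violating only the rule in its label."""
    n = policy["min_length"]
    compliant = ("Ab1!" * (n // 4 + 1))[:n]      # mixed case, digit and symbol
    candidates = {"too_short": compliant[:-1]}   # one character under the minimum
    if policy.get("upper"):
        candidates["no_upper"] = compliant.lower()
    if policy.get("lower"):
        candidates["no_lower"] = compliant.upper()
    if policy.get("digit"):
        candidates["no_digit"] = compliant.replace("1", "x")
    if policy.get("symbol"):
        candidates["no_symbol"] = compliant.replace("!", "x")
    return candidates


def weak_change_password(new_password):
    """Constructed stand-in for the application's password-change handler.
    It enforces only the length rule, which is the defect the probe exposes.
    Against a real target, replace this with a function that submits the
    change form for a test account and returns True if the change succeeded."""
    return len(new_password) >= POLICY["min_length"]


def probe(change_password, policy=POLICY):
    """Submit every boundary candidate; return the labels of rules not enforced."""
    return [label for label, pw in boundary_candidates(policy).items()
            if change_password(pw)]


if __name__ == "__main__":
    print("Rules not enforced:", probe(weak_change_password))
```

Because each candidate fails a single rule, the result reads directly as a list of policy rules the application does not actually enforce, which is what the finding needs to say. Reset the test account's password to a known value between candidates if the endpoint requires the current password.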
In black-box testing scenarios (in which you test in the role of an attacker, without the support of the application developers), the problem is trickier because you will be trying to guess both an account identifier and the corresponding password. In this case you will want an automated password-guessing tool that submits login attempts to the application, stepping through a list of common account names (root, guest, admin, user1, etc.) and a list of popular passwords. If a user list or employee directory is available, the scope of the attack can be broadened to those names. Keep the rate of attempts low enough that you do not lock legitimate users out of their accounts. Obviously, the ability to access the application by guessing an account identifier and password is demonstrable proof of a Weak Authentication vulnerability.
Testing For Weak Password Policy
Once again, in a white-box testing scenario it is straightforward to determine the constraints enforced on password changes (for example, whether a previously used password can be set again). In fact, the rules are often published, and it is trivial to test their enforcement. This is not a concern during black-box testing, because you need to be logged in for it to be relevant, and if you do manage to break in, that is a much more serious finding.
There are countless hacking tools and frameworks available to help an attacker guess a password through an automated sequence of attempts. This is called “brute forcing” because such tools will attempt all possible password combinations, given a set of constraints, in an attempt to authenticate. An application that does not protect itself against password guessing in some manner (for example with account lockout, rate limiting, CAPTCHA, or alerting on repeated failures) may be considered as having a Weak Authentication vulnerability, depending on the requirements and risk level. Note that you do not have to successfully access the system for this to be a “finding”: the absence of any defence against repeated attempts is itself the issue.
A dictionary attack is a type of password cracking attack in which a file of dictionary words is used as the list of candidate passwords. Attempting to crack an account with a dictionary and one or more popular-password lists is a worthwhile exercise, especially since it can run in the background while you do other things. The same tools used to test for popular passwords can be used here, although a run will take much longer depending on the size of the word list.
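The three preceding sections (guessing common account names and passwords, checking for brute-force protection, and running a dictionary) all come down to the same harness, shown here as an added example that is not code from the original article. The account names, word lists, ACCOUNTS and the FakeLoginEndpoint class are assumptions constructed for this example so that it runs offline; against a real application the login callback would submit the form (for instance with requests) and classify the response as success, failure or lockout.

```python
# Added example, not code from the original article: an online credential-guessing
# harness of the kind described above, run against a constructed stand-in for the
# login endpoint. Account names, word lists and FakeLoginEndpoint are assumptions
# made for this example.

COMMON_ACCOUNTS = ["root", "admin", "guest", "test", "user1"]
DIRECTORY_NAMES = ["alice", "bob"]            # names harvested from a public directory
COMMON_PASSWORDS = ["password", "123456", "admin", "guest", "Password1", "welcome"]


class FakeLoginEndpoint:
    """Constructed target. lockout_threshold=None models an application with no
    brute-force protection; an integer locks an account after that many failures."""

    def __init__(self, accounts, lockout_threshold=None):
        self.accounts = accounts
        self.lockout_threshold = lockout_threshold
        self.failures = {}
        self.attempts = 0

    def login(self, username, password):
        self.attempts += 1
        if (self.lockout_threshold is not None
                and self.failures.get(username, 0) >= self.lockout_threshold):
            return "locked"
        if self.accounts.get(username) == password:
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "fail"


def guess_credentials(login, usernames, passwords):
    """Try each password against every account before moving to the next
    password ("spraying" order), so no single account takes a burst of failures.
    Stop guessing an account as soon as the target reports it locked: the
    lockout is itself the evidence we want, and hammering on would only deny
    service to the real user."""
    found, locked = {}, set()
    for password in passwords:
        for username in usernames:
            if username in found or username in locked:
                continue
            outcome = login(username, password)
            if outcome == "ok":
                found[username] = password
            elif outcome == "locked":
                locked.add(username)
    return {"found": found, "locked": sorted(locked)}


def assess(target):
    """Run the guess and summarise it as findings."""
    result = guess_credentials(target.login, COMMON_ACCOUNTS + DIRECTORY_NAMES,
                               COMMON_PASSWORDS)
    result["attempts"] = target.attempts
    # A full dictionary pass against every account with no lockout is a finding
    # even when no password was guessed.
    result["lockout_observed"] = bool(result["locked"])
    return result


# Constructed account table for the stand-in target.
ACCOUNTS = {"admin": "Password1", "guest": "guest", "alice": "correct-horse-battery"}

if __name__ == "__main__":
    print("no protection  :", assess(FakeLoginEndpoint(ACCOUNTS)))
    print("lockout after 3:", assess(FakeLoginEndpoint(ACCOUNTS, lockout_threshold=3)))
```

Run against the unprotected stand-in, the harness recovers guest/guest and admin/Password1 after a full pass with no lockout ever observed, which is two findings (guessable credentials and no brute-force protection). With lockout after three failures it recovers nothing, every account is reported locked, and the tester stops; on a real engagement that is the point at which to switch to a much slower rate and to warn the client that the lockout can be abused to lock out legitimate users.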
Testing For Authentication Bypass
The ability to access any application feature or resource without having first authenticated represents a Weak Authentication vulnerability. Thus it is important to attempt to directly access application resources and capabilities without first authenticating: record the URLs and requests made during an authenticated session, then replay them with no session cookie or token at all and compare the responses. The most important application features, and those exposing the most sensitive data, should be attempted first.
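The bypass check described above, as an added example that is not code from the original article. It assumes you have already crawled the application with a valid session and collected the URLs that were reachable only after login; each is fetched once with the session and once with none, and an anonymous response identical to the authenticated one is a bypass. FakeApp, PROTECTED_URLS and SESSION are assumptions constructed for this example so that it runs offline.

```python
# Added example, not code from the original article: a forced-browsing check.
# FakeApp, the URL list and the session token are assumptions constructed for
# this example; against a real application, `get` would issue the HTTP request
# with or without the session cookie and return (status, body).

PROTECTED_URLS = ["/account/profile", "/account/export",
                  "/admin/users", "/reports/2023-q4.pdf"]
SESSION = "alice-session-token"


class FakeApp:
    """Constructed stand-in for the application under test."""

    def get(self, path, session=None):
        if path.startswith("/account/"):
            # Correct behaviour: anonymous callers get the login form. Note it
            # comes back with HTTP 200, so a status-only check would misreport
            # this page as a bypass.
            if session is None:
                return 200, "<form action='/login'>...</form>"
            return 200, "profile data for " + session
        if path == "/admin/users":
            return 200, "<table>alice, bob</table>"      # handler never checks for a session
        if path.startswith("/reports/"):
            return 200, "%PDF-1.4 quarterly figures"     # static file outside the auth filter
        return 404, ""


def unauthenticated_access(get, urls, session):
    """Return the URLs whose content is served to an anonymous client exactly
    as it is served to an authenticated one."""
    findings = []
    for url in urls:
        auth_status, auth_body = get(url, session=session)
        if auth_status != 200:
            continue                      # not a resource we could reach even when logged in
        anon_status, anon_body = get(url, session=None)
        if anon_status == 200 and anon_body == auth_body:
            findings.append(url)
    return findings


if __name__ == "__main__":
    for url in unauthenticated_access(FakeApp().get, PROTECTED_URLS, SESSION):
        print("Reachable without authentication:", url)
```

Comparing bodies rather than status codes avoids the common false positive of an application that answers anonymous requests with the login page and HTTP 200. The comparison is exact here; real pages often carry per-request values (CSRF tokens, timestamps), so in practice normalise those away or compare on a distinctive fragment of the protected content before declaring a bypass.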
For insight into how to avoid or fix Weak Authentication vulnerabilities, please see the article entitled “How To Prevent Weak Authentication“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.