One of the OWASP Top 10 vulnerabilities is Weak Authentication and Session Management. This entry is not always clearly understood as it actually refers to two large categories of web-application vulnerabilities. In this article, we examine vulnerabilities related to Weak Authentication.
What Is Authentication?
“Authentication” refers to the process of proving an identity to an application or system. That is, the task of demonstrating that you are who you claim to be. In software systems, this usually means providing a password for a corresponding user or account identifier. While this is the most common means of proving one’s identity to a system, it is not the only one. In the interests of illuminating the larger landscape, we will introduce other means of authentication:
Knowledge-based authentication (“something you know”) relies on knowledge that only the genuine user would have. A password is the usual example. Assuming that the password is kept confidential by the user, it can serve as a means of authentication. Secret questions also fall into this category. We explore potential weaknesses in this approach below.
Possession-based authentication (“something you have”) relies on the fact that only the genuine user would be in possession of the artifact needed to authenticate. Assuming that the artifact is kept secure by the user, its possession can be used to vouch for the user. Key fobs that generate codes, and codes sent to your mobile device, are examples of possession-based authentication. Physical keys can also be used in this manner. The ability to access an email account registered with the application account is also an implementation of this technique.
Biometric authentication (“something you are”) relies on aspects of the user that are unique and cannot be counterfeited. In contemporary systems, this typically means a biometric reading of some sort, such as a fingerprint, iris scan, or voice-print, that is compared to a base reference.
Single, Two-Factor, and Multi-Factor Authentication
These terms refer to the number of pieces of evidence that must be presented to authenticate. Single-Factor Authentication requires a solitary item of evidence, most typically a password in software systems. Note that an ID badge, a driver’s license, or a passport can serve a similar purpose in daily life. Two-Factor Authentication is a combination of two “forms” of authentication, such as knowledge-based and possession-based. Multi-Factor Authentication solutions combine three or more methods.
Risk-based authentication is an adaptive approach that escalates the identity challenges presented to the user in response to:
- Their situational conformance to a “usage” profile that is developed and maintained by the application. This includes information used to identify the user, such as typical usage timeframes, common operations, IP addresses utilized, geo-location, browser fingerprint, etc.
- Attempted access to highly sensitive features or information.
The application using risk-based authentication may demand additional authentication factors in response to deviations from the usage profile and/or to protect sensitive operations.
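An added example (not code from the article or from Affinity IT Security) of how the profile-deviation and sensitive-operation signals listed above can be turned into a decision about how many factors to demand. The profile fields, weights and thresholds are hypothetical choices for illustration.

```python
from dataclasses import dataclass

# Hypothetical usage profile for one account; the fields mirror the signals listed above.
@dataclass
class UsageProfile:
    usual_networks: set        # /24 prefixes the user normally logs in from
    usual_hours: range         # local hours during which the user is normally active
    usual_fingerprints: set    # browser fingerprint hashes seen on earlier logins
    usual_countries: set       # geo-location of earlier logins

# Operations that always warrant a stronger challenge, regardless of profile conformance.
SENSITIVE_OPERATIONS = {"change_password", "add_payee", "export_data"}

def ip_prefix(ip: str) -> str:
    """Reduce an IPv4 address to its /24 prefix so small DHCP changes do not count as deviations."""
    return ".".join(ip.split(".")[:3])

def risk_score(profile: UsageProfile, ip: str, hour: int,
               fingerprint: str, country: str, operation: str) -> int:
    """Add up the deviations from the usage profile; the weights are illustrative choices."""
    score = 0
    if ip_prefix(ip) not in profile.usual_networks:
        score += 2
    if hour not in profile.usual_hours:
        score += 1
    if fingerprint not in profile.usual_fingerprints:
        score += 2
    if country not in profile.usual_countries:
        score += 3
    if operation in SENSITIVE_OPERATIONS:
        score += 3
    return score

def required_factors(score: int) -> int:
    """Map the score onto how many factors the application demands before serving the request."""
    if score >= 5:
        return 3    # e.g. password, possession-based code, and a secret question
    if score >= 2:
        return 2    # password plus a possession-based code
    return 1        # password only
```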
What Is Weak Authentication?
The more difficult an authentication mechanism is to defeat, the stronger it is. Clearly the authentication strength of a system should correlate to the value of the assets it is protecting. Two-Factor and Multi-Factor Authentication solutions are appropriate for systems that deal with highly valued assets.
Weak Authentication describes any scenario in which the strength of the authentication mechanism is relatively weak compared to the value of the assets being protected. It also describes scenarios in which the authentication mechanism is flawed or vulnerable.
The “strength” of a password is related to the size of the set of combinations that would need to be searched in order to guess it. For example, a password scheme with a length of two characters and consisting only of digits would represent a search space of 100 possible passwords (10 x 10), whereas a 12-digit password would represent 10^12 possible combinations. The larger the set of possible combinations, the harder the password is to guess and the stronger it is.
Thus, the following factors influence password strength:
- Length: The number of characters in the password. The greater the length, the greater the strength.
- Character Set: The range of possible characters that can be used in the password. The broader the range of characters, the greater the strength. It is typical for strong password schemes to require upper and lower case letters, digits, and punctuation characters.
Password Policy describes the rules that are enforced regarding password strength, changes, and re-use. An effective password policy supports strong authentication. It is generally accepted that each of the following will increase the integrity of the authentication process:
- Periodically changing the password for an account makes it less likely that a password will be compromised, or that a compromised password will be used. This is termed password expiration.
- Prohibiting the re-use of the same (or similar) password to the one being changed will prevent password expiration from being circumvented by users.
- Enforcing minimum strength rules for passwords will guarantee application compliance with Password Policy.
- Prohibiting dictionary words and/or popular passwords will make password cracking less likely.
- Requiring secret questions as a further demonstration of identity.
The more of these rules that are enforced, the stronger the authentication mechanism will be.
There are countless hacking tools and frameworks available to help an attacker guess a password through an automated sequence of attempts. This is called “brute forcing” because such tools will attempt all possible password combinations given a set of constraints in an attempt to authenticate. An application that does not protect itself against password cracking in some manner may be considered as having a Weak Authentication vulnerability, depending on the application requirements and risk level.
In addition to brute force attacks, password cracking tools also typically have the ability to test a file of candidate passwords. This is called a dictionary attack because the file used may actually be a dictionary of words. Passwords that can be found in a dictionary are considered weak because they can eventually be discovered using a dictionary attack. An application that allows dictionary words as passwords may be considered as having a Weak Authentication vulnerability, depending on the application requirements and risk level.
Since passwords are usually freely chosen and must be remembered, and given that humans are lazy, passwords that are easy to remember tend to be more popular than those that are not. In fact, some passwords become very popular and are used far more frequently than might be expected. Although the most popular entries change over time, published “top-N” lists of the most common passwords are easy to find. Clearly it is in the user’s best interest to avoid the most popular passwords.
An application that allows popular passwords may be considered as having a Weak Authentication vulnerability, depending on the application requirements and risk level.
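An added example (not from the article or from Affinity IT Security) of one common protection against automated guessing: a login throttle that counts consecutive failures per account and per source address and imposes an exponential, capped delay once a small number of free attempts is used up. The thresholds, the injectable clock and the key scheme are assumptions for illustration.

```python
import time
from collections import defaultdict

MAX_FREE_ATTEMPTS = 3      # failures tolerated before backoff starts
BASE_DELAY_SECONDS = 2     # first delay; doubles with each further failure
MAX_DELAY_SECONDS = 900    # cap, so one attacker cannot lock a legitimate user out for days

class LoginThrottle:
    """Tracks failed logins per account and per source IP and enforces exponential backoff."""

    def __init__(self, clock=time.time):
        self.clock = clock                        # injectable for testing
        self.failures = defaultdict(int)          # key -> consecutive failures
        self.locked_until = defaultdict(float)    # key -> time before which attempts are refused

    def _keys(self, username, source_ip):
        # Throttle both dimensions: one account from many IPs, and one IP against many accounts.
        return (("user", username), ("ip", source_ip))

    def is_allowed(self, username, source_ip) -> bool:
        now = self.clock()
        return all(now >= self.locked_until[k] for k in self._keys(username, source_ip))

    def record_failure(self, username, source_ip) -> float:
        """Register a failed attempt; returns the delay in seconds now imposed (0.0 if none yet)."""
        delay = 0.0
        for k in self._keys(username, source_ip):
            self.failures[k] += 1
            excess = self.failures[k] - MAX_FREE_ATTEMPTS
            if excess > 0:
                d = min(BASE_DELAY_SECONDS * 2 ** (excess - 1), MAX_DELAY_SECONDS)
                self.locked_until[k] = self.clock() + d
                delay = max(delay, d)
        return delay

    def record_success(self, username, source_ip):
        """A successful login clears the counters for both the account and the source."""
        for k in self._keys(username, source_ip):
            self.failures.pop(k, None)
            self.locked_until.pop(k, None)
```

Because an attacker can deliberately trip the per-account counter to lock a victim out, the cap and a success-based reset matter as much as the backoff itself.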
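An added example (not from the article or from Affinity IT Security) that enforces the password-strength factors and policy rules described earlier together with the dictionary-word and popular-password rules above: it computes the search space in bits for the character classes actually used, demands the four classes, checks a blocklist after undoing common substitutions, and rejects trivial edits of a previous password. The blocklist is a tiny constructed stand-in for a real dictionary or “top-N” list, and the thresholds are assumptions.

```python
import math
import string

# Constructed stand-in for a dictionary / "top-N" popular password list.
BLOCKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12
MIN_SEARCH_SPACE_BITS = 60   # log2 of the combinations an attacker would have to search

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

def search_space_bits(password: str) -> float:
    """log2(charset_size ** length); the 12-digit scheme in the text gives log2(10**12), about 39.9."""
    charset = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    return len(password) * math.log2(charset) if charset else 0.0

def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions ('P@ssw0rd1!' -> 'password')."""
    table = str.maketrans("@0143$!5", "aoiaesis")
    return password.lower().rstrip(string.digits + string.punctuation).translate(table)

def too_similar(new: str, old: str) -> bool:
    """Re-use check: the old password with a case change, appended digits, or reversal is not 'new'."""
    a, b = normalize(new), normalize(old)
    return a == b or a == b[::-1] or (len(b) >= 6 and (a in b or b in a))

def check_password(password: str, previous: list[str]) -> list[str]:
    """Return the policy violations for a proposed password; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, chars in CLASSES.items() if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if search_space_bits(password) < MIN_SEARCH_SPACE_BITS:
        problems.append("search space too small")
    if normalize(password) in BLOCKED_PASSWORDS:
        problems.append("dictionary word or popular password")
    if any(too_similar(password, old) for old in previous):
        problems.append("too similar to a previous password")
    return problems
```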
The whole purpose of authentication is to ensure that only authorized users gain access to the application capabilities and the information it contains. It is essential therefore that the system verifies the “authentication status” of the user for every user action or request before it is carried out. The ability of a user to access any application feature or resource without having first authenticated represents a Weak Authentication vulnerability.
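An added example (not from the article or from Affinity IT Security) of the deny-by-default structure that avoids the vulnerability described above: the authentication check lives in a single dispatcher that runs before every handler, and only an explicit allowlist of routes may be served without an authenticated session. The request/session objects, routes and handlers are hypothetical stand-ins for a real web framework.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)   # stand-in for the server-side session store

@dataclass
class Response:
    status: int
    body: str

# Only these routes may be served to an unauthenticated user; everything else is protected.
PUBLIC_ROUTES = {"/", "/login", "/password-reset"}

def is_authenticated(session: dict) -> bool:
    """The session must carry a user identity that the login handler established server-side."""
    return bool(session.get("user_id"))

def route_home(request):
    return Response(200, "home")

def route_login(request):
    return Response(200, "login form")

def route_dashboard(request):
    return Response(200, f"dashboard for {request.session['user_id']}")

HANDLERS = {"/": route_home, "/login": route_login, "/dashboard": route_dashboard}

def dispatch(request: Request) -> Response:
    """Authentication status is verified here, once, for every request, before any handler runs."""
    if request.path not in PUBLIC_ROUTES and not is_authenticated(request.session):
        return Response(401, "authentication required")   # deny by default
    handler = HANDLERS.get(request.path)
    if handler is None:
        return Response(404, "not found")
    return handler(request)
```

A handler that forgets its own check is therefore still protected, and a newly added route is protected until someone deliberately adds it to the allowlist.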
For insight into how to detect Weak Authentication vulnerabilities, please see the article entitled “How To Test For Weak Authentication”.
For insight into how to avoid or fix Weak Authentication vulnerabilities, please see the article entitled “How To Prevent Weak Authentication”.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.