Authentication

What is Authentication?

Authentication is the process of verifying the identity of a user or client, ensuring they are who they claim to be.

Three Authentication Factors

  1. Knowledge Factors:

    • Something you know, such as:

      • A password.

      • The answer to a security question.

  2. Possession Factors:

    • Something you have, such as:

      • A mobile phone.

      • A hardware security token.

  3. Inherence Factors:

    • Something you are or do, such as:

      • Biometric data (e.g., fingerprints, facial recognition).

      • Behavioral patterns.

Authentication vs Authorization

  1. Authentication:

    • Verifies a user's identity.

    • Answers: "Who are you?"

  2. Authorization:

    • Verifies if a user has permission to perform specific actions or access certain resources.

    • Answers: "What are you allowed to do?"

How Do Authentication Vulnerabilities Arise?

  1. Weak Authentication Mechanisms:

    • Insufficient protection against brute-force attacks.

    • Inadequate validation of session tokens or credentials.

  2. Logic Flaws:

    • Poorly designed workflows allow attackers to bypass authentication or force unexpected behavior.

  3. Coding Issues:

    • Vulnerabilities such as broken authentication mechanisms arise due to improper implementation.

Impact of Vulnerable Authentication

  • Account Compromise:

    • An attacker can access all the data and functionality available to the compromised account.

  • Privilege Escalation:

    • Compromising a high-privileged account (e.g., admin) could lead to full control of the application or even access to internal infrastructure.

  • Sensitive Data Exposure:

    • Even low-privileged accounts might provide access to commercially sensitive information or additional attack surfaces.

Vulnerabilities in Password-Based Authentication

1. Brute-Force Attacks

Attackers repeatedly guess usernames and passwords to gain access.

Indicators of Vulnerability

  • Username Enumeration:

    • Different website behaviors reveal whether a username exists.

      • Status Codes: Different HTTP status codes for valid vs. invalid usernames.

      • Error Messages: Distinct error messages for incorrect username vs. incorrect password.

      • Response Times: Slight delays when verifying a valid username.

  • Flawed Brute-Force Protection:

    • Weak account lockout policies (e.g., allowing DoS attacks via lockouts).

    • Rate limiting based solely on IP addresses, which can be bypassed with headers like X-Forwarded-For.

2. Password Reset Mechanisms

  • Email-Based Password Reset:

    • If emails are not secured, attackers can intercept or manipulate reset links.

  • Resetting via URL:

    • Attackers might modify hidden fields in requests to target other users or brute-force tokens.

Vulnerabilities in Multi-Factor Authentication (MFA)

1. Bypassing Two-Factor Authentication

  • Improper Flow Handling:

    • Users might effectively be logged in after completing only the first authentication step (e.g., entering a password) without verifying the second step.

    • Test if protected pages can be accessed directly (forced browsing).

  • Flawed Two-Factor Logic:

    • Verify if the second step properly validates the same user from the first step.

      • Example: An attacker changes the account cookie in the second step to impersonate another user.

2. Brute-Forcing OTPs

  • No Rate Limiting:

    • Test if OTPs can be brute-forced without restrictions.

  • Bypassing IP Blocks:

    • Use headers like X-Forwarded-For to evade IP-based rate limits.

    • Alternate between incorrect and correct credentials to bypass timed blocks.

3. OTP Reusability

  • Check if:

    • The same OTP can be reused multiple times.

    • OTPs remain valid after their expiration time.

    • OTPs generated for one user work for another user.

4. Tokens or OTPs in Responses

  • Analyze if tokens or OTPs are exposed in API responses, allowing interception or reuse.

Broken Login Logic

Forced Browsing

  • Test if users can skip authentication steps (e.g., OTP pages) and access protected pages directly.

Response Timing

  • If the server hashes passwords after validating usernames, response times might vary with the username's validity.

Session and Token Validation

1. Session Binding

  • Check if tokens are tied to a specific session or user.

  • Test if one user's token can be used for another user's session.

2. Token Manipulation

  • Attempt to remove tokens entirely to see if authentication is bypassed.

  • Test token reusability by attempting to use the same token multiple times.

Best Practices to Mitigate Authentication Vulnerabilities

  1. Secure Password Mechanisms:

    • Enforce strong password policies and hash passwords with a secure algorithm.

  2. Rate Limiting and Lockout Policies:

    • Limit login attempts per IP and user account.

  3. Secure MFA:

    • Validate that all steps in the authentication flow are tied to the same user session.

  4. Generic Error Messages:

    • Use consistent, generic error messages to prevent enumeration.

  5. Secure Tokens:

    • Tie tokens to specific sessions and ensure they are not exposed in API responses.

  6. Implement Role-Based Access Control (RBAC):

    • Limit account access based on the principle of least privilege.

PreviousPortswigger LabsNextUsername enumeration via different responses

Last updated

Was this helpful?