Top 10 Security Risks to Web Applications: #2 Broken Authentication
By Peter Halpern,
In Part #1 of this Ten Part series discussing the OWASP Top 10, Injection was discussed. As a refresher, injection is simply the input to a web page from a source that does not follow the ‘intended’ rules of what is expected, and that entry is made for the purpose of performing a command against a system. In discussing broken authentication, you will notice how injection is a primary method for performing attacks regarding authentication.
Number Two on the OWASP Top 10 list of threats to web applications is broken authentication. Broken authentication takes on a few possibilities when discussing websites, but the essence of the issue is this: impersonation. When an attacker uses impersonation tactics, their goal is to attain someone’s credentials for the website, or the session a previous user had but did not close out properly.
So let’s break these two down and understand what they are, how hackers manipulate them, and prevention tactics.
Usernames, Passwords, and Credential Theft
The most basic credentials are the username and associated password. Unfortunately, it’s common for people to use either weak password choices and/or the same passwords across not only multiple websites both personally and professionally. This type of password re-use leads to a problem if an employee is using personal credentials that have already been stolen for work accounts, those credentials could be used to gain entry and take over that person’s professional accounts. This was documented in a Google research paper in 20191.
Source: Google / Harris Poll Oct. 2019
WEAK PASSWORDS – EXAMPLE 1:
|Online Music Account||ph2021||1mportant%|
|Social Media Account||ph2021||1mportant%|
|“Our Biggest Customer”||ph2021||1mportant%|
While this person ‘thinks’ a secure password is in use, since it uses a combination of numbers, letters, and symbols, it’s used everywhere. If it gets stolen from one site, attackers will attempt to use it on other sites.
Imagine the damage which could occur if the social media account was hacked, and then the attacker used those same credentials to gain access to “Our Biggest Customer.” This type of attack is called “credential stuffing”. In credential stuffing, pairs of breached usernames / passwords are used against other digital assets to gain access.
In the previous example, the password wasn’t simple, but it had issues. Imagine if that same user decided that ‘Passwords are too hard to remember, I’ll keep it simple.’
WEAK PASSWORDS – EXAMPLE 2:
|THE ABC Company||Username||Password|
|John D. Manager||manajod||Ectoplasm1!|
|Karen A. Consultant||counkaa||DontBeAKaren1!|
|Philip F. Urlaughs||urlaphf||IAmFunny1!|
|Felica S. Azby||azbyfes||PazzwordForTheWin1!|
In this case, all of the passwords, except one, are based on correctly spelled words. Also, notice a common theme. The users were probably required to add a number and symbol to their password, but they all chose the same number and character! And they all chose the number 1 and an exclamation point, which is just a shift-1.
Utilization of simple words or phrases in passwords are great for attackers as it makes their job of breaking into an account that much easier. For the attacker, by utilizing a single password against multiple accounts, the ‘password spray’ process is used until one of the accounts works. And like a key it can unlock the front door of the organization’s data stores.
Password Spraying is a form of brute force attack where the purpose is to use the same password on multiple accounts, or possibly all accounts. This also helps the attacker evade a password lockout, if enough time passes between the attempt and the next attempt. The attacker is not attempting five passwords on one account at a time, but rotating through as many accounts as possible. Once this is completed, the process is repeated with a new password against the list of usernames again. By taking their time in attempting the breach, with reliance on the normal user having legitimate logins in the meantime or enough time passes, multiple attempts on an account may not generate an alert. In either case, this breaks up the incorrect authentication alerts and reduces the chance of an account lockout.
The Best Defense Against Credential Theft
The number one thing to halt attackers in their tracks regarding passwords: a strong password policy. Organizations that implement a strong password policy in their security program can help prevent threats that arise from employees who use the same passwords in their personal and professional lives. A strong password policy goes beyond mandating the length and complexity of the password; it also includes requirements on the frequency of password resets and utilization of multi-factor authentication. There are various password vaults on the market to make password management easier. These mainly fall under the category of Single Sign-On (SSO). SSO allows for users to have one difficult password, which is then used for authentication, and from there the accounts can be accessed.
To further the difficulty level, add another form of control: MFA (multi-factor authentication). MFA is based on having 2 or more of the following questions answered by the user:
- What you know (password or PIN)
- What you have (physical token, smart card, or identification device)
- What you are (biometrics: facial, retinal or fingerprint recognition)
When logging into a website, a ‘session’ is started, where the activity is kept via a cookie. So, when a tab is closed, it closes the session, right? Not necessarily.
Later that day or even a week later, a user could return to that same page without having to authenticate again. This is where session IDs and cookies can leave valuable information vulnerable to attack, and here is where the problem lies in session management.
A person’s information, no matter how innocuous one feels it is, is a veritable treasure trove to a hacker. What if that user left their email account session ‘open’ on a publicly accessible computer? How much personal information would an attacker know? The more data an attacker attains, the greater the chance of other styles of attacks being used against that person. Once enough personal identifiable information (PII) is attained, attackers have a lot of power.
If this happened on a public computer, and the next person could go to the history of the previous user, that person could see where the previous one went, and continue on the site where the previous user left off. At that moment, impersonation took place. Also, adding to this dilemma, the common password issues described above. Based on what was read here, now you can see the problems which can easily arise. This is why session management is just as important as how an organization handles credentials.
Control Session Management (with an Unfortunate Caveat)
Yes, there is a simple way to control sessions like this: close the session once the tab or browser is closed, or a logoff occurs. And, yes, that would solve the problem, but it could make system usage a major headache for certain users. Below is a simple example:
|Internal “customers” ie. employees||External Customers ie. your clients|
|Needs longer session management||Needs shorter session management (An example: Banking phone apps)|
|Has to access multiple accts while still updating a note or record for another account from the last phone call, each account in a separate tab which required a new session.||If there is no user input for a period of time, a logout process is initiated|
|Has to open multiple accts at one time (client with personal, business and other relationships), each may need a new session depending on the web application, but still using information on the customer and logged in with the same credentials.||Once the user closes the app, tab or the browser, the session is closed|
It is not so simple as ‘just close the session’.
How to Defend Against Broken Authentication
Solving for broken authentication comes down to properly programming the website. All of the security processes in the world cannot protect users from poor coding. Thus, solving the problem happens from the programmer side, as well as the end user side.
First, from a programming perspective, session management is the major area of concern. Protection against attacks pertaining to account enumeration will take the form of the same messaging for output from registration, credential recovery, and API pathways, and it will alert administrators to credential stuffing and brute force attacks. To further enhance the security posture, limiting and delaying the ability to use more login attempts once a certain number of failed authentications occurs.
Additionally, have new, random session IDs (server-side) generated for each login. These should not be viewable from the URL, as this is akin to using a cleartext password that any attacker sniffer traffic can see. Once the session is ended by either logout, timeout, or being in an idle state, the session ID must be invalidated.
Second, from an end user perspective, there are things one can do for one’s self and their organization to increase the level of protection.
One of the best ways is to make changes to how your web browser handles security and privacy. Typically, these changes can include:
- Implementing Multi Factor Authentication (MFA)
- Using Identity and Access Management software to create a strong password and test for weak passwords
- Clearing browser data upon exiting a tab or the application. This can be used to clear: history, cookies, cache and other items.
- Blocking of cookies
- Using Site controls whereas specific aspects to what a site can and cannot do are decided by you
- Limiting the amount of time that an organization’s web server user session can be left open
On one’s personal devices, you can use a protected mode (i.e. Google’s Incognito mode), which can then automatically block cookies.
How Can Deepwatch Help Defend My Organization?
Deepwatch uses an innovative, hi-touch Squad delivery model to protect and defend customers. Each Squad is dedicated to specific customers and triage the issues mentioned above to alert your organization of possible incursion by an attacker. These alerts are quite frequent against organizations, but to define within the organization which ones are truly worth examining requires resources and hours on the clock. Routinely, issues such as brute force, password spraying, man-in-the-middle attacks are examined by Deepwatch Squads. Since Deepwatch handles these, and a multitude of other security concerns, your organization’s security team is free to handle internal items they normally work on, as well as items Deepwatch escalates. This saves countless hours of triaging by your team, which translates into a more efficient utilization of your security team and cost savings against the budget.
Interested to learn more? Read about Deepwatch Managed Detection and Response services or contact us to speak with an MDR expert.