Web Security Researchers, Learn All You Can About Broken Authentication Flaws

  • 10 Dec 2016
Hey guys, today I will be talking about authentication. This blog post covers the vulnerabilities that fall under broken authentication.

Difference between Authentication & Authorization


Authentication :-

Authentication validates the identity of a user before the user is granted access to the system. It is performed before the authorization step and normally requires the user's login credentials. Authentication decides whether or not someone is a valid user.

Authorization :-

Authorization evaluates whether an already authenticated user is allowed to access a given resource. It is carried out after authentication has completed and depends on the user's privileges or security level. Authorization decides what rights the user has.

Broken Authentication & Session Management Flaws :-

Finding vulnerabilities in both mechanisms involves various techniques and attacks. Authentication and authorization have a number of different vulnerability classes; I will discuss a few of them in this blog post.

Forced Browsing technique :-

The authentication model can be evaded if a web application only enforces access control on the login page. If a user requests a different page directly (forced browsing), that page may not validate the user's session before allowing access. To test for this, try accessing a protected page directly through your browser's address bar. For example, if the site is protected by a login page at http://example.com/admin/login, try requesting the dashboard page directly at https://example.com/admin/dashboard. Sometimes this bypasses the authentication mechanism.

Parameter Tampering

This vulnerability occurs when the application decides whether a user is authenticated on the basis of a fixed parameter value, for example yes or no, and does not validate the actual authentication state. A user could change these values to reach restricted areas without supplying proper credentials. In the example below, the "authenticated" parameter is changed to "yes", which lets the user in. Here the parameter is in the URL, but a proxy could equally be used to modify it, especially when parameters are sent as form fields in a POST request or stored in a cookie. For example, if the URL contains an authentication parameter such as https://example.com/admin?isauthenticated=no, an attacker can try changing the value to yes: https://example.com/admin?isauthenticated=yes. This could bypass the authentication mechanism.
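The fix for both forced browsing and parameter tampering is the same: decide access from a server-side session on every request, deny by default, and never read the authentication state from anything the client sends. The following is an added example (not code from the original post); the session store, the public-path allow-list and the role names are constructed for illustration.

```python
# Added example: deny-by-default request guard driven by a server-side session.
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side session store (session id -> session data).
# A real application keeps this in a database or cache, keyed by a random id.
SESSIONS = {
    "s1-admin-session": {"user": "alice", "role": "admin"},
    "s2-user-session": {"user": "bob", "role": "user"},
}

# Only these paths are reachable without a session. Everything else is
# protected by default, so a page the developer forgot to guard stays closed.
PUBLIC_PATHS = {"/", "/admin/login", "/static/style.css"}


def is_protected(path: str) -> bool:
    """Deny by default: a path is open only if it is explicitly allow-listed."""
    return path not in PUBLIC_PATHS


def required_role(path: str) -> Optional[str]:
    """Role needed for a protected path; /admin and everything under it needs admin."""
    if path == "/admin" or path.startswith("/admin/"):
        return "admin"
    return None  # any authenticated user may proceed


def authorize_request(url: str, session_id: Optional[str]) -> bool:
    """Return True if the request may proceed.

    The decision uses only the server-side session bound to session_id.
    The client-controlled ?isauthenticated=... value is parsed here purely to
    make the point visible: it is never consulted, so tampering has no effect.
    """
    parts = urlsplit(url)
    if not is_protected(parts.path):
        return True
    _ignored_client_claim = parse_qs(parts.query).get("isauthenticated")
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        return False  # forced browsing without a session is refused
    role = required_role(parts.path)
    return role is None or session["role"] == role


if __name__ == "__main__":
    print(authorize_request("https://example.com/admin/dashboard", None))            # False
    print(authorize_request("https://example.com/admin?isauthenticated=yes", None))  # False
    print(authorize_request("https://example.com/admin/dashboard", "s1-admin-session"))  # True
```

The guard is applied to every request, not only to the login page, which is what closes the forced-browsing hole; the `isauthenticated` parameter is discarded, which is what closes the tampering hole.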

Session Token in URL

Sometimes the session token responsible for authentication is visible in the URL. If the session token is predictable or enumerable (for example, a purely numeric value), this can lead to an authentication bypass onto another user's account. If the site is not served over SSL/TLS, an attacker on the local network can perform a man-in-the-middle attack to retrieve the session token from the GET request, which would eventually lead to account takeover. For example, if a URL such as https://example.com/user?sessionid=88477744 is visible in the browser, anyone who obtains the URL can copy and paste it and be logged in.
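The defensive counterpart is to issue a session token with enough randomness that enumeration is hopeless, carry it only in a cookie with HttpOnly, Secure and SameSite set, and refuse to read it from the query string. Below is an added example (not from the original post) using only the Python standard library; the cookie name, the 16-character threshold in the guessability check and the sample inputs are assumptions made for illustration.

```python
# Added example: unguessable session tokens, carried in a hardened cookie only.
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TOKEN_BYTES = 32  # 256 bits of randomness; far beyond anything enumeration can cover


def new_session_token() -> str:
    """Return a cryptographically random, URL-safe session token."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value for the session token.

    HttpOnly keeps script from reading it, Secure keeps it off plaintext HTTP
    (the MITM case in the text), SameSite=Strict limits cross-site use.
    """
    return f"sessionid={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def token_leaked_in_url(url: str) -> bool:
    """True if a sessionid rides in the query string; handy when reviewing access logs."""
    return "sessionid" in parse_qs(urlsplit(url).query)


def session_from_request(cookie_header: str) -> Optional[str]:
    """Read the session id from the Cookie header only.

    The request URL is intentionally not a parameter: a sessionid in the query
    string (https://example.com/user?sessionid=...) can never act as a login,
    so a pasted, logged or sniffed URL is useless on its own.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sessionid")
    return morsel.value if morsel is not None else None


def looks_guessable(token: str) -> bool:
    """Flag tokens like '88477744' (short and purely numeric) as enumerable."""
    return token.isdigit() or len(token) < 16


if __name__ == "__main__":
    tok = new_session_token()
    print(session_cookie_header(tok))
    print(token_leaked_in_url("https://example.com/user?sessionid=88477744"))  # True
    print(looks_guessable("88477744"), looks_guessable(tok))                  # True False
```

`token_leaked_in_url` is the detection side: run it over your access logs and any hit means a session id has been written to a URL that proxies, browser history and referrer headers can all retain.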

Brute forcing

Brute forcing is one of the most common ways to bypass authentication, and when the secret is a numeric value it works like a charm. If no rate limit is enforced after an invalid password attempt, it is possible to brute force the password until the valid one is guessed. Tools such as Burp Suite and Hydra can be used for brute forcing.
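The mitigation the text calls for, a rate limit on failed attempts, is shown below as an added example (not from the original post): a sliding-window throttle that stops checking passwords at all once an account has too many recent failures, replayed over constructed sample attempts. The user store, the thresholds and the attempt sequence are assumptions made for this example.

```python
# Added example: sliding-window lockout on failed logins.
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 5      # failures tolerated per account inside the window
WINDOW_SECONDS = 300  # 5-minute sliding window

# Hypothetical credential store. Plaintext only to keep the example short;
# a real store holds salted password hashes.
USERS = {"arjun": "correct-horse"}


class LoginThrottle:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, user: str, now: float) -> None:
        """Drop failures that have aged out of the window."""
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, user: str, now: float) -> bool:
        self._prune(user, now)
        return len(self.failures[user]) >= MAX_FAILURES

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'locked', 'ok' or 'bad'.

        A locked account is not checked at all, so even a correct guess gets
        the same answer until the window passes; that is what makes an
        enumeration run of numeric PINs stall instead of eventually landing.
        """
        if self.is_locked(user, now):
            return "locked"
        stored = USERS.get(user, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        return "bad"


# Constructed attempts: (seconds, username, password). Seven PIN-style guesses
# one second apart, then the right password inside the window, then again later.
SAMPLE_ATTEMPTS: List[Tuple[int, str, str]] = (
    [(t, "arjun", f"{t:04d}") for t in range(7)]
    + [(7, "arjun", "correct-horse"), (400, "arjun", "correct-horse")]
)


def replay(attempts: List[Tuple[int, str, str]]) -> List[str]:
    """Feed the attempts through a fresh throttle and return each outcome."""
    throttle = LoginThrottle()
    return [throttle.attempt(u, p, float(t)) for t, u, p in attempts]


if __name__ == "__main__":
    for (t, u, p), outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>3}s {u} {p!r:16} -> {outcome}")
```

Five failures lock the account; the correct password at t=7 is still refused, and only the attempt at t=400, after the window has slid past the failures, succeeds. Pair the per-account window with a per-source-IP one so that spraying many accounts from one host is also throttled.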

JWT Mechanism

A common understanding is that a JWT token is used for both authentication and authorization; which one applies depends on the application developer's design. Here we will discuss the authentication flaws that exist in the JWT mechanism. A well-formed JWT consists of three parts separated by dots: header, payload and signature. Here is a sample token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UiLCJ1c2VyX25hbWUiOiJqb2huLmRv
The header provides information about the token, such as the signature algorithm and the type of token (simply JWT). The header before encoding in this case is:
{ "alg": "HS256", "typ": "JWT" }
The payload contains information (claims) about the entity (the user) that the application will verify. The following claims are included in our sample token:
{ "name": "Arjun Singh", "user_name": "Arjun.singh", "is_admin": false }
Finally, depending on the algorithm given in the header, the base64url-encoded header, a dot and the base64url-encoded payload are signed with a secret (for a symmetric algorithm) or a private key (for an asymmetric algorithm). Because the header specifies HS256, a symmetric algorithm, the signing operation is:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
This produces the following signature, which is then appended to the base64url-encoded header and payload after a dot:
fSppjHFaqlNcpK1Q8VudRD84YIuhqFfA67XkLam0_a
Failing to verify the token can allow authentication and authorization to be bypassed to gain access as any other user. Developers sometimes mix up these approaches: the signature is never validated, and the application will accept any token in a valid format. Developers may also forget to re-enable signature verification after testing. Such errors may result in unauthorised account access or privilege escalation. For example, suppose we have a token whose signature is not verified:
{ "alg": "HS256", "typ": "JWT" } . { "name": "Arjun singh", "user_name": "Arjun.singh", "is_admin": false }
To gain escalated privileges, an attacker may deliver the following token with an arbitrary signature:
{ "alg": "HS256", "typ": "JWT" } . { "name": "Arjun singh", "user_name": "Arjun singh", "is_admin": true }
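To make the difference between an unverified decode and a strict verify concrete, here is an added example (not code from the original post) that implements HS256 signing and verification with the standard library, builds the tampered is_admin token described above as a test vector, and shows that only the decoder that skips signature checking accepts it. The secret, the claims and the helper names are constructed for this example; the verifier also pins the algorithm server-side so that a header claiming "none" or any other algorithm is rejected rather than honoured.

```python
# Added example: HS256 JWT sign/verify with the signature check done properly.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"example-secret-do-not-use"  # constructed for the example


def b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + '.' + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(_compact_json(header)) + "." + b64url(_compact_json(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_unverified(token: str) -> dict:
    """The flaw from the text: trusts the payload without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the signature is valid under HS256, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # algorithm is pinned, not taken from the token
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def tampered_admin_token(token: str) -> str:
    """Test vector from the text: same header, is_admin flipped, old signature kept."""
    h, _p, s = token.split(".")
    claims = decode_unverified(token)
    claims["is_admin"] = True
    return h + "." + b64url(_compact_json(claims)) + "." + s


if __name__ == "__main__":
    good = sign_hs256({"name": "Arjun Singh", "user_name": "Arjun.singh", "is_admin": False}, SECRET)
    bad = tampered_admin_token(good)
    print("unverified decode accepts forgery:", decode_unverified(bad)["is_admin"])  # True
    print("strict verify accepts forgery:    ", verify_hs256(bad, SECRET) is not None)  # False
```

The two decoders are the whole lesson: `decode_unverified` is what an application effectively runs when signature verification is left disabled after testing, and `verify_hs256` is the minimum a server must do, with `compare_digest` to avoid a timing side channel on the signature check.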

Takeaway

  1. For developers :- Authentication mechanisms are critical functions of an application, so developers should implement them tightly and securely to avoid Broken Authentication & Session Management flaws.
  2. For penetration testers :- The pen tester or security researcher should look out for what kind of authentication mechanism has been implemented and take action according to the scenario.