Modern web applications frequently have some form of authentication to services accessible internally. This authentication is meant to keep malicious actors from reaching data they should not be able to find and ensure that users can access their data safely. With many different accounts, there is the bonus of separating user data and ensuring that each person is only accessing what they should be able to access. Due to the heavy lifting that authentication mechanisms do, they are often a prime target for attackers looking for easy access to a sensitive application.
Credential Attacks
Credential attacks are prevalent and very easy for attackers to perform. At the highest level, this simply involves attempting to log in to the application and compromise an account. In practice, this is much more complex, and there are typically several different strategies employed by hackers to find greater success. Each application is different, and as a result, each application has a unique attack surface to be analyzed.
A very common attack is credential stuffing, where known valid credentials for a certain user or service are used to target an application. This can range from default passwords for an appliance to user credentials identified in a previous data breach. Credential stuffing can be extremely successful due to the human tendency to reuse passwords and aim for easy-to-remember passwords. It is pretty easy to remember what the password for the printer is when all you have to do is Google it, but unfortunately, hackers will do the same.
Another common approach is brute forcing. This can either be done by attacking a single account with many passwords, or by attacking many accounts with a single password. The latter, often called password spraying, is typically more successful, as it stays under per-account lockouts (if any) and sets off fewer alarms than a single user attempting to authenticate thousands of times. This is not to say that pure brute forcing can’t lead to good results, as it often will be fruitful for attackers if a weak password is set.
The main way to defeat credential attacks is multi-factor authentication, or MFA. Users should have a second factor in place any time they are authenticating to a sensitive service or anywhere that critical data is processed. Even just seeing an out-of-place MFA prompt should be enough to alert users that something is wrong and that they should seek assistance. It is also important to ensure that application logins are properly configured to disallow brute force attacks.
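The two attack shapes above look different in authentication logs: one source failing repeatedly against one account, versus one source touching many accounts once or twice each, which a per-account lockout never sees. The detector below is an added example, not code from the original post or from Blue Goat Cyber; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original post): "<source-ip> <account> <FAIL|OK>".
# 10.0.0.5 hammers one account; 10.0.0.9 tries one guess per account; 10.0.0.7 mistypes once.
SAMPLE_LOG = """\
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.9 bob FAIL
10.0.0.9 carol FAIL
10.0.0.9 dave FAIL
10.0.0.9 erin FAIL
10.0.0.9 grace OK
10.0.0.7 heidi FAIL
10.0.0.7 heidi OK
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<user>\S+) (?P<result>FAIL|OK)$")

def parse(log_text):
    """Parse the constructed format above; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(log_text, brute_threshold=5, spray_accounts=4, spray_max_per_account=2):
    """Return (kind, source_ip, account, count) alerts. brute_force: one source fails
    >= brute_threshold times on one account. password_spray: one source touches
    >= spray_accounts accounts with at most spray_max_per_account failures on any."""
    fails = defaultdict(int)      # (ip, account) -> failed attempts
    accounts = defaultdict(set)   # ip -> accounts attempted, successful or not
    for e in parse(log_text):
        accounts[e["ip"]].add(e["user"])
        if e["result"] == "FAIL":
            fails[(e["ip"], e["user"])] += 1
    alerts = []
    for (ip, user), n in fails.items():
        if n >= brute_threshold:
            alerts.append(("brute_force", ip, user, n))
    for ip, users in accounts.items():
        worst = max(fails.get((ip, u), 0) for u in users)
        if len(users) >= spray_accounts and worst <= spray_max_per_account:
            alerts.append(("password_spray", ip, "", len(users)))
    return sorted(alerts)
```

Keying the spray rule on the source rather than the account is what makes it fire even when no single account ever reaches its lockout limit.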
Injection Attacks
Injection attacks occur when the mechanism that validates logins against known credentials can be manipulated into returning a value of the attacker’s choosing. This is typically done by supplying input that is pasted into a pre-built query to a database service, redirecting the logic so that the query returns a positive response no matter what. There are many different tools and protocols in place for validating logins, so each attack must be tailored to the unique environment under test.
The most well-known of these is SQL injection, where SQL statements are manipulated to achieve a desired result. A basic login query checks whether the users table contains a row where both the supplied username and password match. Attacker input can redirect this to instead check for something that is always true, such as whether there is a matching username and password combination, OR whether 1 + 2 = 3, which always holds.
Injection attacks, in general, can be defeated by sanitizing any data that a user passes into the application. Characters that are common for various types of injection should be escaped, and known bad strings should be blocked completely from the application. With how many different types of injection attacks there are, it is important to understand what data needs to be checked based on the individual environment.
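The query shape described above, shown as an added example (not code from the original post or from Blue Goat Cyber) against a constructed in-memory SQLite table: the string-built version lets the username field rewrite the WHERE clause, while the same check with bound parameters does not, which is why parameterized queries are the standard fix alongside input validation. SHA-256 is a stand-in for whatever password hash a real application stores.

```python
import hashlib
import sqlite3

def make_db():
    """Constructed in-memory users table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    return conn

def login_vulnerable(conn, username, password):
    """The pre-built query from the text: user input is pasted straight into the SQL.
    The password is hashed before it reaches the query, so the username field is the
    part of the statement an attacker can reshape."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately from
    the statement text, so input is only ever compared, never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row[0] > 0

# The always-true condition the text describes, placed in the username field.
TAUTOLOGY_USER = "alice' OR 1+2=3 --"

def demo():
    """Outcomes for a correct login, a wrong password, and the tautology, per version."""
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, TAUTOLOGY_USER, "anything"),
        "parameterized_correct": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_wrong": login_parameterized(conn, "alice", "wrong"),
        "parameterized_tautology": login_parameterized(conn, TAUTOLOGY_USER, "anything"),
    }
```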
Broken Access Control
While not technically an attack against authentication, broken access control is still relevant and dangerous. Currently, this vulnerability is number 1 on the OWASP Top 10 list. Broken access control is when access to resources is not properly restricted to the users who should have it. This can be from an authenticated perspective, such as one user reading another user’s data, or an unauthenticated perspective, such as an unauthenticated malicious actor being able to read a restricted dashboard.
Each case of broken access control is unique and needs to be remediated in its own way. Developers should fix each affected function so that it enforces the access restrictions that were originally intended. These vulnerabilities can be difficult to identify, so having clear procedures in place to find and fix them is a good idea. Reaching out for the assistance of a security professional can help ease this process.
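Both perspectives from the section above, as an added example (not code from the original post or from Blue Goat Cyber): a record handler that looks up by id without comparing the caller to the owner, and a dashboard route that never checks a session, each beside a version that enforces the intended restriction. The records, users and admin set are constructed; handlers return (status, body) pairs the way a small web framework would.

```python
# Constructed data (not from the original post): records owned by individual users and an
# admin-only dashboard.
RECORDS = {1: {"owner": "alice", "body": "alice's invoice"},
           2: {"owner": "bob", "body": "bob's invoice"}}
ADMINS = {"carol"}

def get_record_broken(session_user, record_id):
    """Authenticated case from the text: the id is looked up but the caller is never
    compared to the owner, so alice can read bob's record just by changing the id."""
    rec = RECORDS.get(record_id)
    return (200, rec["body"]) if rec else (404, None)

def get_record(session_user, record_id):
    """Fixed: deny unauthenticated callers, then require ownership. A record that exists
    but is not yours gets the same 404 as one that does not exist, so ids cannot be
    enumerated by comparing responses."""
    if session_user is None:
        return (401, None)
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return (404, None)
    return (200, rec["body"])

def get_dashboard_broken(session_user):
    """Unauthenticated case from the text: the dashboard route never checks a session."""
    return (200, "admin dashboard")

def get_dashboard(session_user):
    """Fixed: authentication first, then an explicit role check; anything else is denied."""
    if session_user is None:
        return (401, None)
    if session_user not in ADMINS:
        return (403, None)
    return (200, "admin dashboard")
```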
The team of penetration testers at Blue Goat Cyber is prepared to help secure all parts of your application. We are highly experienced in identifying vulnerabilities and working with your team to get them fixed as quickly as possible. Reach out to us to begin the process of making your application secure.