Authentication vulnerabilities
Conceptually at least, authentication vulnerabilities are some of the simplest issues to understand. However, they can
be among the most critical due to the obvious relationship between authentication and security. As well as potentially
allowing attackers direct access to sensitive data and functionality, they also expose additional attack surface for further
exploits. For this reason, learning how to identify and exploit authentication vulnerabilities, including how to bypass
common protection measures, is a fundamental skill.
In this section, we'll look at some of the most common authentication mechanisms used by websites and discuss
potential vulnerabilities in them. We'll highlight both inherent vulnerabilities in different authentication mechanisms, as
well as some typical vulnerabilities that are introduced by their improper implementation. Finally, we'll provide some
basic guidance on how you can ensure that your own authentication mechanisms are as robust as possible.
What is authentication?
Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure
that they really are who they claim to be. At least in part, websites are exposed to anyone who is connected to the
internet by design. Therefore, robust authentication mechanisms are an integral aspect of effective web security.
There are three authentication factors into which different types of authentication can be categorized:
Something you know, such as a password or the answer to a security question. These are sometimes referred to
as "knowledge factors".
Something you have, that is, a physical object like a mobile phone or security token. These are sometimes
referred to as "possession factors".
Something you are or do, for example, your biometrics or patterns of behavior. These are sometimes referred to
as "inherence factors".
Authentication mechanisms rely on a range of technologies to verify one or more of these factors.
What is the difference between authentication and authorization?
Authentication is the process of verifying that a user really is who they claim to be, whereas authorization involves
verifying whether a user is allowed to do something.
In the context of a website or web application, authentication determines whether someone attempting to access the
site with the username Carlos123 really is the same person who created the account.
Once Carlos123 is authenticated, his permissions determine whether or not he is authorized, for example, to access
personal information about other users or perform actions such as deleting another user's account.
How do authentication vulnerabilities arise?
Broadly speaking, most vulnerabilities in authentication mechanisms arise in one of two ways:
The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely
by an attacker. This is sometimes referred to as "broken authentication".
In many areas of web development, logic flaws will simply cause the website to behave unexpectedly, which may or may
not be a security issue. However, as authentication is so critical to security, the likelihood that flawed authentication
logic exposes the website to security issues is clearly elevated.
What is the impact of vulnerable authentication?
The impact of authentication vulnerabilities can be very severe. Once an attacker has either bypassed authentication or
has brute-forced their way into another user's account, they have access to all the data and functionality that the
compromised account has. If they are able to compromise a high-privileged account, such as a system administrator,
they could take full control over the entire application and potentially gain access to internal infrastructure.
Even compromising a low-privileged account might still grant an attacker access to data that they otherwise shouldn't
have, such as commercially sensitive business information. Even if the account does not have access to any sensitive
data, it might still allow the attacker to access additional pages, which provide a further attack surface. Often, certain
high-severity attacks will not be possible from publicly accessible pages, but they may be possible from an internal page.
Lab: Username enumeration via different responses
1. With Burp running, investigate the login page and submit an invalid username and password.
2. In Burp, go to Proxy > HTTP history and find the POST /login request. Send this to Burp Intruder.
3. In Burp Intruder, go to the Positions tab. Make sure that the Sniper attack type is selected.
4. Click Clear § to remove any automatically assigned payload positions. Highlight the value of the username
parameter and click Add § to set it as a payload position. This position will be indicated by two § symbols, for
example:
a. username=§invalid-username§
(Leave the password as any static value for now.)
5. On the Payloads tab, make sure that the Simple list payload type is selected.
6. Under Payload settings, paste the list of candidate usernames. Finally, click Start attack. The attack will start in a
new window.
7. When the attack is finished, on the Results tab, examine the Length column. You can click on the column header
to sort the results. Notice that one of the entries is longer than the others. Compare the response to this
payload with the other responses. Notice that other responses contain the message Invalid username, but this
response says incorrect password. Make a note of the username in the Payload column.
8. Close the attack and go back to the Positions tab. Click Clear, then change the username parameter to the
username you just identified. Add a payload position to the password parameter. The result should look
something like this:
a. username=identified-user&password=§invalid-password§
9. On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Click Start
attack.
10. When the attack is finished, look at the Status column. Notice that each request received a response with a 200
status code except for one, which got a 302 response. This suggests that the login attempt was successful - make
a note of the password in the Payload column.
11. Log in using the username and password that you identified and access the user account page to solve the lab.
Note: It's also possible to brute-force the login using a single cluster bomb attack. However, it's generally much more
efficient to enumerate a valid username first if possible.
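The signal the lab relies on is that the server answers "Invalid username" and "Incorrect password" with different bodies, so response length alone reveals which usernames exist. The following added example (not code from the Web Security Academy or the lab) shows a minimal login handler in that vulnerable form beside a hardened version that returns one generic failure response and does equal work for unknown and known usernames; the user store, password and redirect target are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    status: int
    body: str

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation so a stolen store is expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store (username -> (salt, derived key)); not real credentials.
_SALT = os.urandom(16)
USERS = {"carlos123": (_SALT, _derive("example-correct-pass", _SALT))}
# Dummy record so the hardened path derives a key even for unknown usernames.
_DUMMY = (_SALT, _derive("dummy-placeholder", _SALT))

def login_vulnerable(username: str, password: str) -> Response:
    """Leaks username validity: the failure message depends on which step failed."""
    record = USERS.get(username)
    if record is None:
        return Response(200, "Invalid username")          # 16 bytes
    salt, key = record
    if _derive(password, salt) != key:                     # non-constant-time compare
        return Response(200, "Incorrect password")        # 18 bytes: length differs
    return Response(302, "Location: /my-account")

GENERIC_FAILURE = "Invalid username or password"

def login_hardened(username: str, password: str) -> Response:
    """Identical failure response whether the username or the password was wrong."""
    salt, key = USERS.get(username, _DUMMY)
    # Bitwise & (not `and`) so both checks always run: no short-circuit timing gap.
    ok = hmac.compare_digest(_derive(password, salt), key) & (username in USERS)
    if not ok:
        return Response(200, GENERIC_FAILURE)
    return Response(302, "Location: /my-account")

def failure_responses_distinguishable(login) -> bool:
    """Defender's self-check: do the two failure modes differ in body or length?"""
    unknown_user = login("no-such-user", "wrong")
    wrong_password = login("carlos123", "wrong")
    return unknown_user != wrong_password or len(unknown_user.body) != len(wrong_password.body)
```

Run `failure_responses_distinguishable` against your own login endpoint's handler as a regression test; it returns True for the vulnerable handler and False for the hardened one.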