Broken Authentication and Session Management

Let me tell you about a real-life incident that happened to me in 2014.

I was in a three-month training session, and we were given tests every four days or so on the topic we had been trained on. The passing score was 80% on 10 questions. We found out that, no matter whether we passed or failed, the exam portal allowed us to go back to the test using the back button and change the answers. I changed the answers in every test and passed without fear. On the last day, which was also a test day, I was fearless and confident that I would pass the exam easily with the trick. I failed the test on the first attempt, and when I clicked the back button... it did not work.

At the time it was just a trick, but now I know how serious a flaw this could be. What if you logged in to your bank account from a net cafe and, after you logged out and left, someone came along and gained access to your account using this trick? I believe you now get the idea, and the severity of the issue as well.

EXAMPLE 1 – Broken Authentication – Logout Management

[Screenshot 1] Screen to log out of the session
[Screenshot 2] Logout confirmation
[Screenshot 3] User is redirected to the login page
[Screenshot 4] The "magic button": pressing the browser's back button brings the authenticated page back
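The two things that make the "magic button" work are a logout that only redirects (the session id stays valid on the server) and an authenticated page that the browser is allowed to cache. The following is an added example, not code from the original post: it models both the vulnerable and the hardened logout against a small in-memory session table. SessionStore, account_page, logout_vulnerable, logout_hardened and back_button_replay are hypothetical names; no real web framework is used.

```python
"""Added example (not from the original post): a logout handler that only
redirects versus one that destroys the server-side session and stops the
browser from caching authenticated pages. SessionStore, account_page and
the logout_* functions are hypothetical names; no real framework is used."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class SessionStore:
    """Server-side session table: session id -> username."""

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        sid = secrets.token_urlsafe(32)      # unpredictable, not guessable
        self._sessions[sid] = username
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def account_page(store, cookie_sid):
    """Protected page. Authorisation comes from the server-side table only,
    and 'no-store' tells the browser not to serve this page from its cache
    (which is exactly what the back button does after a logout)."""
    user = store.lookup(cookie_sid)
    if user is None:
        return Response(302, {"Location": "/login"})
    return Response(200, {"Cache-Control": "no-store", "Pragma": "no-cache"},
                    f"Welcome {user}")


def logout_vulnerable(store, cookie_sid):
    """Clears the cookie in the browser and redirects, but the session id
    stays valid on the server: anyone who still has it is still logged in."""
    return Response(302, {"Location": "/login",
                          "Set-Cookie": "sid=; Max-Age=0; Path=/"})


def logout_hardened(store, cookie_sid):
    """Invalidates the session server-side before clearing the cookie."""
    store.destroy(cookie_sid)
    return Response(302, {"Location": "/login",
                          "Set-Cookie": "sid=; Max-Age=0; Path=/",
                          "Cache-Control": "no-store"})


def back_button_replay(store, logout):
    """Log in, log out, then re-send the old session id (what a history
    entry or an intercepting proxy can do). Returns the status the account
    page answers with: 200 means the 'magic button' still works."""
    sid = store.create("alice")
    logout(store, sid)
    return account_page(store, sid).status
```

With the vulnerable logout, replaying the old session id still returns the account page (200); with the hardened one it bounces to the login page (302). The no-store header closes the second half of the problem, the page the browser already has in its cache.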

EXAMPLE 2 – Broken Authentication – Insecure Login Forms

[Screenshot 2-1] Login form
[Screenshot 2-2] User tries to log in using SQL injection
[Screenshot 2-3] Hard luck; refer to the error message

Right click on the screen and select "View page source".

[Screenshot 2-4] Here we have the login and password, hard-coded in the page source

EXAMPLE 3 – Broken Authentication – Password Attacks

[Screenshot 3-1] Login form
[Screenshot 3-2] Intercept the request using Burp Suite
[Screenshot 3-4] Sending the request to Intruder

The Intruder tab will turn orange once the request is sent to Intruder.

The highlighted portions are the attack positions (the payload markers).

[Screenshot 3-5]

Clear the attack positions (option on the right side).

[Screenshot 3-6]

Add the positions again, but only for the username and password parameters (shown below).

[Screenshot 3-7]

Choose the attack type. Here I have chosen Cluster bomb: it tries every combination of the username payload list with the password payload list, so the number of requests is the product of the two list sizes.

There are other attack types as well (Sniper, Battering ram, Pitchfork); they differ only in how the payloads are distributed across the positions.

[Screenshot 3-8]

Choose payload set 1 (username) and add the items. A list of common usernames can be loaded from a file as well.

[Screenshot 3-9]

Below is list 1 and its entries.

[Screenshot 3-10]

Similarly, add payload set 2 for the password field.

[Screenshot 3-11] [Screenshot 3-12]

Try any combination of username and password and you will most probably see the error message for a failed login. Copy that string.

[Screenshot 3-13]

Use the Options tab (Grep - Match) to flag every response that contains this error string.

[Screenshot 3-14]

Start the attack. You will see output similar to the one shown below. One row has a different Length from all the others, and its grep column has no tick, meaning the error string is absent from that response: the brute-force login succeeded with that username and password pair.

[Screenshot 3-3]
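What Intruder is doing in the steps above is easy to write out by hand, and doing so makes the two checks (grep for the error string, compare response lengths) concrete. The following is an added example, not code from the original post or from Burp: the login endpoint, the credential table, the error text and both wordlists are constructed for the demonstration, and run_attack, cluster_bomb, pitchfork and candidate_logins are hypothetical names. It also shows the Pitchfork attack type mentioned above, which the post does not walk through.

```python
"""Added example (not from the original post): Burp Intruder's cluster bomb
attack written out against a constructed login endpoint, with the
'grep for the error string' and 'compare response length' checks from the
screenshots. Target, error text and wordlists are made up for illustration."""
import itertools

VALID_CREDENTIALS = {"admin": "password123"}        # constructed target
ERROR_MESSAGE = "Invalid username or password"       # copied from a failed attempt


def login_endpoint(username, password):
    """Stand-in for the web app: returns (status, body) like an HTTP reply."""
    if VALID_CREDENTIALS.get(username) == password:
        return 302, f"<html>Redirecting to /account ... Welcome {username}</html>"
    return 200, f"<html><div class='error'>{ERROR_MESSAGE}</div></html>"


def run_attack(pairs, send, error_string):
    """Send every (username, password) pair and build an Intruder-style
    result table: payloads, status, response length, grep-match flag."""
    results = []
    for username, password in pairs:
        status, body = send(username, password)
        results.append({
            "username": username, "password": password,
            "status": status, "length": len(body),
            "error": error_string in body,   # the Grep - Match tick box
        })
    return results


def cluster_bomb(usernames, passwords):
    """Cluster bomb: every username with every password, len(u) * len(p) requests."""
    return itertools.product(usernames, passwords)


def pitchfork(usernames, passwords):
    """Pitchfork: walks both lists in step, min(len(u), len(p)) requests;
    useful when you already hold leaked username:password pairs."""
    return zip(usernames, passwords)


def candidate_logins(results):
    """Rows where the error string is absent are the hits; their Length
    also differs from the rest, which is the column to sort on in Intruder."""
    return [(r["username"], r["password"]) for r in results if not r["error"]]


USERNAMES = ["admin", "administrator", "root", "test"]         # constructed list 1
PASSWORDS = ["123456", "password", "admin", "password123"]      # constructed list 2
```

Against these lists the cluster bomb sends 16 requests and exactly one of them comes back without the error string and with a different length; the pitchfork run sends only 4 and, because the lists are not aligned pairs, finds nothing.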

EXAMPLE 4 – Session Management – Administrative Portals

Some pages are "restricted" only by a variable that the client sends (a URL or form parameter) and that the server never validates; there is no server-side access control list (ACL) either. Changing the value of that variable unlocks the page. Below is an example of this kind.

[Screenshot 4-1] Locked admin portal
[Screenshot 4-2] URL
[Screenshot 4-3] Manipulated value
[Screenshot 4-4] Unlocked page
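The fix is to decide access from the authenticated identity and a server-side ACL, and to ignore whatever the client says about its own privileges. The following is an added example, not code from the original post: the parameter name admin, the paths, the ROLES table and the function names admin_page_vulnerable and admin_page_hardened are constructed for illustration.

```python
"""Added example (not from the original post): an admin page gated by a
client-controlled URL parameter versus one gated by a server-side role
lookup. The parameter name 'admin', the paths and the ROLES table are
constructed for illustration."""
from urllib.parse import parse_qs, urlsplit

# Constructed server-side ACL: username -> role
ROLES = {"alice": "user", "bob": "admin"}


def query_params(url):
    """Flatten ?a=1&b=2 into {'a': '1', 'b': '2'} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def admin_page_vulnerable(url, session_user):
    """The 'locked' flag lives in the URL, so the user simply edits it."""
    params = query_params(url)
    if params.get("admin") == "1":
        return 200, f"admin portal (as {session_user})"
    return 403, "locked"


def admin_page_hardened(url, session_user):
    """Ignore anything the client sent about its privileges; decide from
    the authenticated identity and the server-side ACL."""
    if session_user is None:
        return 302, "/login"
    if ROLES.get(session_user) != "admin":
        return 403, "locked"
    return 200, f"admin portal (as {session_user})"


def demo():
    """Statuses a normal user (alice) gets before and after flipping admin=0 to admin=1."""
    locked = "/admin?admin=0"
    manipulated = "/admin?admin=1"
    return {
        "vulnerable": (admin_page_vulnerable(locked, "alice")[0],
                       admin_page_vulnerable(manipulated, "alice")[0]),
        "hardened": (admin_page_hardened(locked, "alice")[0],
                     admin_page_hardened(manipulated, "alice")[0]),
    }
```

For alice the vulnerable handler goes from 403 to 200 as soon as the parameter is changed; the hardened one returns 403 both times, and only bob, whose role on the server is admin, gets the portal.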

Remediation

  • Revealing error messages – keep them as generic as possible (the same message for an unknown user, a wrong password and a locked account)
  • Never hard-code usernames/passwords (in page source, scripts or configuration)
  • Enforce a password policy
    • Minimum length
    • Maximum length
    • Use of special characters
    • Use of upper-case and lower-case letters
    • Username and password must not match (fully or partially)
  • Session ID handling – never disclose it in the URL
  • Use randomly generated session tokens
  • Expiration policy
    • Time based (e.g. force logout after 10 minutes of inactivity)
    • Limit the number of failed logon attempts
    • Implement a lockout policy
    • Combination of time based and lockout – as on the iPhone, where the wait grows after each run of failed attempts
  • Cookie security – set the Secure and HttpOnly flags
  • Force logout on browser closure (session cookies without a persistent expiry, and invalidate the session on the server)
  • Handle simultaneous session logons
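Several of these bullets meet in the login handler itself. The following is an added example, not code from the original post: it applies a generic error message, a cap on failed logon attempts, a time-based lockout that doubles after each lockout (the iPhone-style combination), hashed rather than hard-coded credentials, and a session cookie carrying the Secure and HttpOnly flags with no persistent expiry. LoginGuard, the limits (5 attempts, 60 seconds) and the user table are constructed for illustration.

```python
"""Added example (not from the original post): one login handler applying
several remediation bullets: generic error, failed-attempt cap, escalating
time-based lockout, hashed credentials, Secure/HttpOnly session cookie with
no persistent expiry. LoginGuard and its limits are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failed logons allowed before a lockout
BASE_LOCKOUT_SECONDS = 60   # first lockout; doubles with every further lockout
PBKDF2_ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password"   # identical for every failure reason


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def session_cookie(sid):
    """No Expires/Max-Age, so the browser drops it when it closes;
    Secure keeps it off plain HTTP, HttpOnly keeps it away from scripts."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


@dataclass
class AccountState:
    failures: int = 0          # failures since the last lockout or success
    lockouts: int = 0          # lockouts so far; drives the back-off
    locked_until: float = 0.0  # clock value until which logons are refused


class LoginGuard:
    def __init__(self, users, clock=time.monotonic):
        self._users = users          # username -> (salt, digest)
        self._clock = clock          # injectable so tests can move time forward
        self._state = {}
        # Hash a throw-away password once so unknown usernames cost the same
        # time as real ones (no username enumeration through response timing).
        self._dummy = hash_password(secrets.token_hex(16))

    def attempt(self, username, password):
        """Returns (True, Set-Cookie value) or (False, GENERIC_ERROR)."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if now < state.locked_until:
            return False, GENERIC_ERROR          # locked: do not even check the password
        salt, expected = self._users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        if username in self._users and hmac.compare_digest(expected, actual):
            self._state.pop(username, None)       # success resets the counters
            return True, session_cookie(secrets.token_urlsafe(32))
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + BASE_LOCKOUT_SECONDS * 2 ** state.lockouts
            state.lockouts += 1
            state.failures = 0
        return False, GENERIC_ERROR
```

Note that a locked account, a wrong password and a non-existent user all produce the same string and the same amount of hashing work, so the login form reveals nothing about which of the three happened; the brute force from Example 3 would see 5 identical responses and then a wait that doubles every time.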