Let me tell you about a real-life incident which happened to me in 2k14.
I was in a 3-month training session, and we were given tests every 4 days or so on the topic we were being trained in. The passing score was 80% on 10 questions. We found out that no matter whether we passed or failed, the exam portal allowed us to go back to the test using the back button and change the answers. I changed the answers in every test and passed without fear. On the last day, which was also a test day, I was fearless and confident that I would pass the exam easily with the trick. I failed the test in the first attempt, and when I clicked the back button… it did not work…
At the time it was just a trick, but now I know how serious a flaw this could be. What if you could log in to your bank account from an internet cafe and, after you log out and leave, someone comes along and gains access to your account using this trick? I believe you get the idea, and the severity of the issue as well.
EXAMPLE 1 – Broken Authentication – Logout Management
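The original post illustrates this example with screenshots. As an added illustration that is not part of the original post, the following Python model shows the two server-side controls that make the back-button trick fail: the session is destroyed on the server at logout (so a replayed session cookie is rejected, not merely hidden), and authenticated pages are sent with Cache-Control: no-store (so the browser has no cached copy to re-display). The names SessionStore and handle_request, the sample user list and the inactivity timeout are assumptions of this example.

```python
import secrets
import time

# Added example (not from the original post): a minimal server-side session
# store showing why the "back button" trick must fail after logout.
# SessionStore, handle_request and USERS are assumptions for this illustration.

SESSION_TTL = 10 * 60  # seconds of inactivity before a session expires

# Constructed sample user database (plaintext here only to keep the example short)
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def create(self, username, now=None):
        # 256 bits of randomness; never derived from the username or the time
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": now or time.time()}
        return token

    def lookup(self, token, now=None):
        """Return the username for a live session, or None if unknown or expired."""
        now = now or time.time()
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_TTL:
            del self._sessions[token]  # expire a stale session on the server side
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, token):
        """Logout must delete the session on the server, not just clear the cookie."""
        self._sessions.pop(token, None)


def login(store, username, password, now=None):
    """Return a new session token on success, None otherwise."""
    if USERS.get(username) == password:
        return store.create(username, now)
    return None


# Headers that stop the browser (and intermediate caches) from keeping a copy
# of authenticated pages, so the back button cannot re-display them.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


def handle_request(store, path, session_token=None, now=None):
    """Tiny request router returning (status, headers, body)."""
    user = store.lookup(session_token, now) if session_token else None
    if path == "/logout":
        if session_token:
            store.destroy(session_token)
        # Also instruct the browser to drop the cookie
        headers = dict(NO_CACHE_HEADERS, **{"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure"})
        return 302, headers, "redirect to /login"
    if path == "/account":
        if user is None:
            return 302, NO_CACHE_HEADERS, "redirect to /login"
        return 200, NO_CACHE_HEADERS, f"account page for {user}"
    return 404, {}, "not found"


def demo():
    """Log in, view the account page, log out, then replay the old cookie."""
    store = SessionStore()
    token = login(store, "alice", "correct horse battery staple", now=1000.0)
    before = handle_request(store, "/account", token, now=1001.0)
    handle_request(store, "/logout", token, now=1002.0)
    after = handle_request(store, "/account", token, now=1003.0)  # replayed old cookie
    return before[0], after[0]


if __name__ == "__main__":
    print(demo())  # (200, 302)
```

The exam portal in the story got the second half wrong: whatever it did on the server, the browser still held a cached copy of the test page, and a cached page plus a still-valid session is exactly what lets the next person at the internet cafe pick up where you left off.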
EXAMPLE 2 – Broken Authentication – Insecure Login Forms
Right-click on the page and select “View page source”.
EXAMPLE 3 – Broken Authentication – Password Attacks
The Intruder tab will turn orange once the request is sent to Intruder.
The highlighted portions are the payload positions (the attack points).
Clear the payload positions (the Clear button on the right).
Add the positions again, but only for the username and password fields (shown below).
Choose the attack type. Here I have chosen Cluster bomb, which tries every combination of an entry from the username payload list with an entry from the password payload list.
There are other attack types as well; they differ in how the payloads are combined across the positions.
Choose payload set 1 (username) and add the items. A list of common usernames can be loaded from a file as well.
Below is payload list 1 with its entries.
Similarly, add the entries for the password field.
Try any incorrect combination of username and password and you will most probably see an error message; copy that text.
Use the Options tab (Grep – Match) to flag responses containing this error message.
Start the attack and you will see output similar to the one shown below. Note the difference in the Length column for one request. Moreover, the grep-match box for that row is not ticked, so the response did not contain the error message: the brute-force login succeeded.
EXAMPLE 4 – Session Management – Administrative Portals
Some pages are restricted only by variables that the user can change and that are not validated on the server side, with no ACLs either. Below is an example of this kind.
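As an added example that is not part of the original post, the following Python snippet puts the flawed check beside the correct one. The vulnerable version decides whether to show the administrative page from an admin flag carried in the URL, which the client can set to anything; the hardened version takes the identity from the server-side session record and the privilege from a server-side role table, so nothing the user sends can change the decision. The session ids, user names, roles and the ADMIN_PAGES set are constructed for this illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Added example (not from the original post): the same "admin portal" check
# done the wrong way (trusting a user-controlled variable) and the right way
# (server-side ACL). SESSIONS, ROLES and ADMIN_PAGES are constructed values.

# Constructed server-side records: session id -> username, username -> role
SESSIONS = {"s3ssion-of-bob": "bob", "s3ssion-of-root": "root"}
ROLES = {"bob": "user", "root": "admin"}

# Pages that only an administrator may open
ADMIN_PAGES = {"/admin", "/admin/users"}


def vulnerable_is_authorized(url, session_id):
    """Flawed: the user is identified server-side, but the privilege level is
    read from an 'admin' query parameter that the client chooses."""
    parts = urlsplit(url)
    if parts.path not in ADMIN_PAGES:
        return True
    if session_id not in SESSIONS:
        return False
    params = parse_qs(parts.query)
    return params.get("admin", ["0"])[0] == "1"  # anyone can append ?admin=1


def secure_is_authorized(url, session_id):
    """Correct: identity comes from the server-side session, privilege from the
    server-side role table; the query string plays no part in the decision."""
    path = urlsplit(url).path
    if path not in ADMIN_PAGES:
        return True
    user = SESSIONS.get(session_id)
    if user is None:
        return False
    return ROLES.get(user) == "admin"


def compare(url, session_id):
    """Return (vulnerable_decision, secure_decision) for the same request."""
    return vulnerable_is_authorized(url, session_id), secure_is_authorized(url, session_id)


if __name__ == "__main__":
    # Ordinary user bob simply edits the URL; only the flawed check lets him in
    print(compare("/admin?admin=1", "s3ssion-of-bob"))  # (True, False)
```

The fix is not to validate the admin parameter better; it is to stop consulting it at all. Any authorization input that originates in the request (query string, hidden form field, cookie value the server does not sign) is under the user's control and must be replaced by a lookup the server owns.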
- Revealing error messages – they should be as generic as possible
- Never hard-code usernames/passwords
- Enforce a password policy
  - Minimum number of characters
  - Maximum number of characters
  - Use of special characters
  - Use of upper-case and lower-case letters
  - Username and password should not match (fully or partially)
- Session ID handling – never disclose it in the URL
  - Use randomly generated tokens
  - Expiration policy
  - Time-based (e.g. force logout after 10 minutes of inactivity)
- Limit the number of failed logon attempts
  - Lockout policy to be implemented
  - Combination of time-based and lockout (as on the iPhone)
- Cookie security – Secure and HttpOnly flags to be set
- Force logout on browser closure
- Handling of simultaneous session logons
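As an added example that is not part of the original post, the following Python login service implements several of the controls listed above together, and at the same time shows what defeats the Intruder run in Example 3: it enforces the password policy (length, character classes, and the rule that no part of the username appears in the password), counts failed attempts and applies a time-based lockout, and returns one identical message for a wrong password, an unknown user or a locked account, so the response-length and error-string differences that the brute-force attack keyed on no longer exist. It also hashes a dummy credential for unknown users so that the time taken does not reveal whether the account exists. The class and function names, the thresholds and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the original post): a login service that enforces
# a password policy, limits failed attempts with a time-based lockout and
# answers every failure with the same generic message. All names and
# thresholds below are illustrative assumptions.

MIN_LEN, MAX_LEN = 12, 128
MAX_FAILED = 5              # consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60   # lockout duration
GENERIC_ERROR = "Invalid username or password."  # identical for every failure cause


def check_password_policy(username, password):
    """Return the list of unmet requirements (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"at least {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"at most {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("an upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("a lower-case letter")
    if not any(not c.isalnum() for c in password):
        problems.append("a special character")
    # Username must not appear in the password, fully or partially
    # (any 3-character run of the username counts as a partial match)
    u, p = username.lower(), password.lower()
    if len(u) >= 3 and any(u[i:i + 3] in p for i in range(len(u) - 2)):
        problems.append("no part of the username")
    return problems


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class LoginService:
    def __init__(self):
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> (failed_count, locked_until)
        # Dummy credential so an unknown user costs the same time as a known one
        self._dummy = hash_password(secrets.token_hex(16))

    def register(self, username, password):
        problems = check_password_policy(username, password)
        if problems:
            raise ValueError("password needs: " + ", ".join(problems))
        self._users[username] = hash_password(password)

    def login(self, username, password, now=None):
        """Return (success, message); the message never reveals why a login failed."""
        now = now if now is not None else time.time()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR  # locked out: same message, no hint
        salt, stored = self._users.get(username, self._dummy)
        candidate = hash_password(password, salt)[1]
        # Constant-time compare, and always compute it even for unknown users
        ok = hmac.compare_digest(candidate, stored) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        count += 1
        if count >= MAX_FAILED:
            # Time-based lockout; the counter restarts once it expires
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


def demo():
    """Every failure, whatever its cause, yields exactly the same response text."""
    svc = LoginService()
    svc.register("alice", "Tr0ub4dor&3-correct")
    replies = {svc.login("alice", "Password1!", now=0.0)[1],   # wrong password
               svc.login("ghost", "Password1!", now=0.0)[1]}   # unknown user
    return replies


if __name__ == "__main__":
    print(demo())  # {'Invalid username or password.'}
```

With responses that are byte-for-byte identical for every kind of failure, the Length column and the grep-match tick from Example 3 carry no signal, and the lockout means a Cluster bomb run against one account stops producing useful responses after a handful of requests.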