This information is intended for education purposes and the author is not responsible for any misuse or damage caused if tried on a system without permission.
A friend of mine came to me with a problem which am sure you may have encoutered one time or another, his clients' email had been hacked so they were blocked out of their own accounts. This article is not about how to hack or secure emails its about the problem faced by all web application desginers -Authentication.
Before we proceed lets go over the a few applied authentication methods used currently in Web Applications.
1. Basic Authentication
This kind of authentication requires that a special file .htpasswd, containing the credentials of the individuals who are authorised to access a resource, be placed in the directory which is to be secured.
2. Digest Authentication
Digest access authentication is one of the agreed methods a web server can use to negotiate credentials with a web user (using the HTTP protocol). Digest authentication is intended to supersede unencrypted use of the Basic access authentication, allowing user identity to be established securely without having to send a password in plaintext over the network. Digest authentication is basically an application of MD5 cryptographic hashing on credentials to prevent cryptanalysis.
Digest authentication was a pretty good idea but it didnot pick up as expected.
3. Forms-Based Authentication
This is by far the most used authentication method due its dynamic ability to link with DBMS and tracking of user sessions.
4. Single Sign-On (SSO) Authentication and Shared authentication Schemes
Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems.
With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them.
Examples of SSO systems include Microsoft's .Net Passport which automatically logs a user into a resource if he/she is already logged into his account.
An example of a shared authentication scheme is the once much hyped OpenID which require additional sign-on for each web site though the same authentication works on several web sites.
Attacks on Web Application Authentication and tools used. Lets now delve into the details of the different etchniques used to defeat Web Application Authentication
1. Bruteforce/Dictionary Attacks
Mathematically virtually any password given sufficient computing power will eventually be cracked, bruteforce attacks mimic the act of a user trying to authenticate with a particular web application. These tools will systematically try out a list of passwords against a specific user account orlist of user accounts until a
match is found or until the list is exhuasted. There is a myth that Yahoo, Gmail, Live are impervious to hacks......but i beg to differ, if an attacker has several proxies at his disposal and an attack tool that randomises the authentication attempts he will go virtually unnoticed.
Anyway enough debates about which of the accounts is "unhackable" and lets proceed to the tools that can be used to initiate such attacks.
- Account lockout: this would be implemented if a maximum number of login attempts is recorded on a specificuser account. This can be a viable option when defending against bruteforce attacks but it can also be mis-used to carryout DOS against accounts.
- IP Blacklisting: This used to be a viable option but it was clear it could easily be used for a DOS for legitimate users with NAT devices, the blacklisting has been modified with an element of time in mind. Theoffending IP address is blacklisted for a given period of time, this would throw off most bruteforsing tools.
- Server side web application randomised delayed replies for authentication request can also be used because it can lead to most tools giving many false positives.
2. SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
Not only can it be used to bypass authentication but it can be used to cause server-wide or even enterprise-wide damage if conditions are right.
There is alot of information about SQL injections so i won't pretty much repeat it but here are some suggestion.
The list is small and not at all comprehensive....but they all basically revolve about filtering...period
- User input filtering
- User output filtering
- User privilege attributes (for limited access to database functionality).
- Web application firewalls.
- Parameterized SQL statements
Now all these are relative depending on your web application
This can be extremely dangerous in breaking SSO and shared authentication schemes if the attacker is knowledgeable Phishing is a very blunt form of what is known in security as a man-in-the-middle attack. The general idea is to
impersonate a website with the intent to steal important information from users. Phishing sites are distinguishable only by the hostname in the URL.
- URL scanners: Most modern anti-virus suites are bundled with URL scanners which compare URLS to known phising linksalerting a user if a malicious URL is detected.
- PhishTank: If your unsure of a particular link sent to you, you can you phishtank(www.phishtank.com) to check whetherthe link is a phishin link. The phishtank service keeps track of many phishing links on the web.
- OpenDNS: If your the lazy kind who surfs without an anti-virus or dont want to check links all the time, this is the service for you. OpenDNS is a free secure DNS service that can also help detect any malicious phishing URLs.
4. Cross-site Scripting(XSS) attacks
Cross-site scripting is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting
vulnerability can be used by attackers to bypass access controls such as the same origin policy
Again alot has been written about XSS but i will list the basic mitigation techniques but yet again the list is not exhuastive since alot of material is readily available about the topic.
- Validation, escaping, filtering.......this is the song we will sing for all web application designers...validation,validation validation...(very effective)
- Cookie security(really not viable)
- Disabling scripts(hmm.....out goes web 2.0)
- Using a web application firewall
5. Other Techniques
- Hardware Keyloggers
- Software Keyloggers
- Blended Threat Keyloggers
Now when u think you have all your bases covered some hardware of software keylogger is recording your every keystroke....i know it sucks...malware falls in many categories some steal senstive information download updated modules of themselves which information can later be used to compromise user accounts.
Some techiniques worth metioning are Social Engineering, MITM attacks.....so much as this entire article is not exhaustive, it paints the picture of various techniques used....