Secure Software Development - Authentication

Authentication


First, we will go through various Authentication vulnerabilities, their causes, their prevention, and some of the potential hazards.

What are Authentication vulnerabilities?

The “Authentication” vulnerability groups weaknesses that have to do with keeping the overall user authentication process secure. Failure to do so can result in the takeover of user accounts.

What causes Authentication vulnerabilities?

Let’s look at some examples. First, let’s go through an “Information Leakage” scenario.

In this scenario, an attacker tries to guess existing account names by submitting common login names on the login page. When the user name doesn’t exist, the web server displays the message: “Account does not exist”. But when the user does exist, the web server returns a different message: “Wrong password”. Because of the different responses, the attacker is able to determine that the ‘admin’ account exists. He can now start to attack that user’s password.

The second example explains a security breach that results from a weak password policy and no lockout mechanism. In this scenario, an administrator of a site has set an easy-to-guess password. This was possible because a lax password policy allowed it. An attacker tries to guess the password of the administrator account using a password list. Because no lockout mechanism exists, the attacker can try every password from the list. After a few guesses, he finds a matching administrator password. He can now control the web application. Not a good scenario! 😟

Weakly implemented controls allow attackers to guess user account names and allow for the guessing or cracking of passwords. User and administrative accounts could be taken over, including privileged accounts. With a stolen account, the attacker could do anything the victim could do. Due to account theft, sensitive end-user or customer data could be stolen, leading to reputational damage and revenue loss. And a stolen administrator account could lead to disruption of the website, causing loss of customers and revenue.

Implementing strong authentication controls is required to protect against authentication vulnerabilities: a single generic failure message for both an unknown user and a wrong password, a password policy that rejects easily guessed passwords, and a lockout or rate limit on repeated failed attempts.
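As an added example (not code from the original article), here is a minimal Python login check that shows the leaky message pair from the first scenario beside a hardened version that returns one generic message, always performs the password hash so timing does not reveal whether the account exists, and locks the account after repeated failures, addressing the second scenario. The user store, the password, the PBKDF2 parameters and the attempt threshold are constructed for illustration only.

```python
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed example: PBKDF2-SHA256 keeps this dependency-free; a real
    # system would use a dedicated password hash such as argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash)
_SALT = secrets.token_bytes(16)
USERS = {"admin": (_SALT, _hash("S3cure!passphrase", _SALT))}


def login_leaky(username: str, password: str) -> tuple:
    # Leaky variant: two distinct messages reveal whether the username exists.
    if username not in USERS:
        return False, "Account does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password"
    return True, "OK"


MAX_ATTEMPTS = 5                      # constructed lockout threshold
_failures: dict = {}                  # username -> consecutive failed attempts
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)
GENERIC_MESSAGE = "Invalid username or password"


def login_hardened(username: str, password: str) -> tuple:
    # Hardened variant: one generic message, a hash computed on every call
    # (dummy salt/hash for unknown users), and a lockout after MAX_ATTEMPTS.
    if _failures.get(username, 0) >= MAX_ATTEMPTS:
        return False, GENERIC_MESSAGE   # locked: same message, no hint
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)
    ok = username in USERS and hmac.compare_digest(computed, stored)
    if not ok:
        _failures[username] = _failures.get(username, 0) + 1
        return False, GENERIC_MESSAGE
    _failures.pop(username, None)       # success clears the failure counter
    return True, "OK"
```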

I hope you found this article useful. You can contact me here for your suggestions and thoughts about the series.