When we first hear the term “Identification and Authentication Failure”, the first thing that comes to mind is that authentication and identity management have not been implemented properly. That is essentially the definition: identification and authentication failures occur when the functions related to a user’s identity, authentication, or session management are implemented incorrectly or are not adequately protected by the application. Attackers may exploit these failures by compromising passwords, keys, session tokens, or other implementation flaws to temporarily or permanently assume other users’ identities. To avoid these issues, penetration testing must be performed frequently, which can be done with ThreatScan. With ThreatScan’s automated engine and fully managed manual penetration test, we test over 120 different checks, which include the OWASP Top 10 and additional checks designed for your web application. ThreatScan is considered to be one of the best penetration testing as a service platforms in the industry.
Examples of Identification and Authentication Failure
Credential stuffing attack
- The attacker obtains a password database from a hacker forum.
- Because the passwords were hashed with a weak algorithm, the attacker recovers the users’ credentials.
- The attacker uses credential stuffing tools to test the credential pairs on other websites.
- If a login succeeds, the attacker knows they have a set of valid credentials.
Brute force attack
- Brute forcing passwords is the process of trying every possible password combination until the one that works is discovered.
- In practice this isn’t necessary. Attackers generate a list of the most common passwords (such as ‘password’ and ‘123456789’) and use automated scripts to try each one.
- Now that users have to manage so many different passwords, they are more likely to choose simple ones and reuse them across multiple accounts. As a result, brute forcing is a simple and often effective attack.
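Both attacks above leave a recognisable shape in the authentication log, which is what a defender actually gets to work with. The following is an added example, not code from the original article or from ThreatScan; it parses a constructed log format (one line per attempt with result, account and source address, an assumed layout) and separates a brute-force burst on one account from a credential-stuffing spread across many accounts, flagging any success that follows either.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.5
2024-05-01T10:00:02Z FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03Z FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04Z FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05Z FAIL user=alice src=203.0.113.5
2024-05-01T10:00:06Z OK   user=alice src=203.0.113.5
2024-05-01T10:01:00Z FAIL user=bob   src=198.51.100.7
2024-05-01T10:01:01Z FAIL user=carol src=198.51.100.7
2024-05-01T10:01:02Z FAIL user=dave  src=198.51.100.7
2024-05-01T10:01:03Z FAIL user=erin  src=198.51.100.7
2024-05-01T10:01:04Z OK   user=frank src=198.51.100.7
2024-05-01T10:02:00Z FAIL user=grace src=192.0.2.9
2024-05-01T10:02:30Z OK   user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def analyse(log_text, fail_threshold=5, spread_threshold=4):
    """Flag two shapes of automated login abuse:
    - brute force: many failures against ONE account from one source;
    - credential stuffing / spraying: one source failing across MANY accounts.
    A success that follows either pattern is reported separately, since that
    is the event worth an immediate response."""
    failures = defaultdict(int)        # (src, user) -> failed attempts
    accounts_hit = defaultdict(set)    # src -> accounts that failed from it
    success_after_burst = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # ignore lines that do not parse
        _, result, user, src = m.groups()
        if result == "FAIL":
            failures[(src, user)] += 1
            accounts_hit[src].add(user)
        elif (failures[(src, user)] >= fail_threshold
              or len(accounts_hit[src]) >= spread_threshold):
            success_after_burst.append((src, user))
    return {
        "brute_force": [(s, u, n) for (s, u), n in failures.items()
                        if n >= fail_threshold],
        "stuffing": [(s, len(a)) for s, a in accounts_hit.items()
                     if len(a) >= spread_threshold],
        "success_after_burst": success_after_burst,
    }
```

The thresholds are starting points; a real deployment would also bucket by time window and per-account failure count independent of source, since stuffing campaigns rotate addresses.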
Session hijacking attack
- Session hijacking is the takeover of a legitimate user’s authenticated session. Once a user has logged in, the host system usually assigns them a session ID so that they don’t have to log in again for each new page they visit.
- This session ID is usually a number appended to the URL in the browser or a session cookie stored on the user’s computer. When the user logs out, the session should be invalidated.
- An attacker who obtains the session ID, for example by sniffing traffic, can hijack the legitimate user’s session. Because that user has already been authenticated, the attacker can perform any action that has been granted to that user.
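The defence against session hijacking is server-side session handling that an attacker cannot replay: random IDs, a fresh ID on login, real invalidation on logout, and bulk invalidation after a password reset (the mitigation listed later in the article). The following is an added example, not code from the original article or from ThreatScan; the in-memory store, the TTL value and the cookie name are assumptions.

```python
import secrets
import time

SESSION_TTL = 3600   # idle lifetime in seconds (constructed policy value)

class SessionStore:
    """Server-side session table (assumption: single-process demo store).
    The session ID is a random, unguessable token that carries no user data."""

    def __init__(self):
        self._sessions = {}   # sid -> {"user": name, "expires": epoch seconds}

    def login(self, user, pre_login_sid=None):
        # Never upgrade an ID that existed before authentication: drop it and
        # issue a fresh one, so an ID planted on the victim is worthless.
        if pre_login_sid is not None:
            self._sessions.pop(pre_login_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
        return sid

    def user_for(self, sid):
        s = self._sessions.get(sid)
        if s is None or s["expires"] < time.time():
            self._sessions.pop(sid, None)   # expired entries are purged, not reused
            return None
        return s["user"]

    def logout(self, sid):
        # Invalidate on the server; clearing the cookie in the browser alone
        # leaves a copied ID usable by whoever captured it.
        self._sessions.pop(sid, None)

    def invalidate_all_for(self, user):
        """After a password reset or a suspected compromise: every existing
        session of the user stops working, including a hijacked one."""
        stale = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

def session_cookie(sid):
    # Send the ID as a cookie, never in the URL; HttpOnly keeps it away from
    # script, Secure keeps it off plaintext HTTP where it could be sniffed.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```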
Password reset via host header injection
- Since “forgot password” functions are linked to authentication, user accounts can be hijacked through them. Attackers can take over not only user accounts but also administrator accounts. Using a “host header injection” attack, the attacker obtains a normal user’s password reset token.
- The attacker requests a password reset mail on behalf of the trusted user, intercepts the request and injects a Host header carrying the address of a server they control.
- Because the application trusts the Host header, the password reset link points to the attacker’s server, and when the user clicks the link, the password reset token is delivered to the attacker.
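The root cause is a single line that builds the reset link from the request’s Host header. The following is an added example, not code from the original article or from ThreatScan: the vulnerable pattern next to a hardened version that builds the link from a configured canonical origin and rejects requests whose Host is not on an allow-list. The origin, host list and URL path are assumptions.

```python
from urllib.parse import urlsplit

# Constructed deployment settings: the one origin this application is served
# from, and the Host values a legitimate request may carry.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def reset_link_vulnerable(headers, token):
    """The pattern behind the attack: the link's host is copied straight from
    the request's Host header, which the party sending the request controls.
    Kept here only as the 'before' to compare against."""
    return f"https://{headers['Host']}/reset?token={token}"

def host_is_trusted(headers):
    # Strip any port and compare case-insensitively against the allow-list.
    host = headers.get("Host", "").split(":")[0].lower()
    return host in ALLOWED_HOSTS

def reset_link_hardened(headers, token):
    """Build the link from configuration only. The Host header is still
    validated so a poisoned request is rejected instead of silently served."""
    if not host_is_trusted(headers):
        raise ValueError("request carries an unexpected Host header")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"

def link_host(link):
    # Where would the user's click actually go?
    return urlsplit(link).hostname
```

If the application sits behind a reverse proxy that forwards X-Forwarded-Host and the framework honours it, the same allow-list must be applied to that header too.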
Challenges with Identification and Authentication
Almost every application and technological solution that we use in our daily lives requires a login. Consider the Wi-Fi router you use at home, as well as the numerous devices and appliances that can now connect to that network.
Your workplace’s network is likely to be home to a wide range of devices. Most of these devices have a login system that allows their settings to be changed. Furthermore, these devices almost always come with default usernames and passwords that users use to log in for the first time.
Unfortunately, these credentials are listed in every user guide and are widely known. Vendors frequently use the same generic credentials across multiple product types, which worsens the issue. Even if the password is changed during device configuration, the username is still known, and the password can be brute-forced with a variety of testing tools.
How can we stay Safe?
- Make sure usernames and user IDs are case-insensitive
- Inputs and emails should be validated and verified properly.
- Allow all characters, including Unicode and whitespace, to be used. There should be no restrictions on the types of characters that can be used in passwords.
- When a password is leaked or when a compromise is discovered, ensure that credentials are rotated.
- Include a password strength meter to assist users in creating more complex passwords and to prevent users from using common or previously hacked passwords.
- Lock accounts after too many failed login attempts.
- After a password reset, invalidate any previously created sessions.
- When a password is changed, send an email to the users.
- Incorrectly implemented error messages in authentication functionality allow user ID and password enumeration; ensure that the application responds in a generic way.
- Protect against automated attacks such as brute force, credential stuffing and password spraying.
- Enable two-factor authentication.
- Automated login attempts against accounts can be prevented with a good CAPTCHA. It may be more user-friendly to require a CAPTCHA only after a certain number of failed login attempts, rather than from the start.
- To detect attacks early, all failures, including failed login attempts and account lockouts, must be logged and monitored in real time.
- Use industry-standard authentication protocols, such as Open Authorization (OAuth), OpenID, Security Assertion Markup Language (SAML) and the Fast Identity Online (FIDO) Alliance standards, to avoid exposing your users’ data to attackers.
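Several of the items above meet in the login handler itself: case-insensitive usernames, unrestricted Unicode passwords, a slow salted hash instead of the weak hashing seen in the credential stuffing example, lockout after too many failures, and one generic error message so the response cannot be used to enumerate accounts. The following is an added example, not code from the original article or from ThreatScan; the lockout threshold, PBKDF2 work factor and in-memory user store are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

MAX_FAILURES = 5                 # lockout threshold (constructed policy value)
ITERATIONS = 100_000             # PBKDF2 work factor (constructed; tune per host)
GENERIC_ERROR = "Invalid username or password."   # identical text for every failure
_DUMMY_SALT = b"\x00" * 16       # used to keep timing comparable for unknown accounts

def normalize_username(name):
    # Case-insensitive, trimmed identifier: "Alice " and "alice" are one account.
    return unicodedata.normalize("NFKC", name).strip().casefold()

def hash_password(password, salt, iterations=ITERATIONS):
    # Slow, salted hash; any Unicode password, including whitespace, is accepted.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

class UserStore:
    def __init__(self):
        self.users = {}   # normalized name -> record dict

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[normalize_username(name)] = {
            "salt": salt, "digest": hash_password(password, salt),
            "failures": 0, "locked": False}

    def login(self, name, password):
        """Returns (ok, message). Unknown user, wrong password and locked
        account all yield the same message, so the response cannot be used
        to enumerate valid usernames."""
        rec = self.users.get(normalize_username(name))
        if rec is None:
            hash_password(password, _DUMMY_SALT)   # same work as a real check
            return False, GENERIC_ERROR
        if rec["locked"]:
            return False, GENERIC_ERROR
        candidate = hash_password(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked"] = True   # lock after too many failed attempts
            return False, GENERIC_ERROR
        rec["failures"] = 0
        return True, "ok"
```

A lockout is itself an event to log and alert on, and the same counter should feed the CAPTCHA trigger mentioned above rather than being kept separately.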