OWASP’s #2 Web Application Risk – the Threat of and Solution to Broken AuthenticationThursday, June 21, 2018
User authentication – the process of ensuring only authorized users have access to controlled data and functionality – is the fundamental cornerstone of web and application security.
Keeping usernames and passwords secure and making sure malicious users can’t hijack a legitimate user’s session should be top of mind when designing security features; but poor implementation and user error often results in broken authentication [CWE-287] measures. Authentication attacks can be so far-reaching and severe that OWASP’s 2017 list of top 10 application security threats places broken authentication at A2; the biggest threat after injection attacks.
The risk of broken authentication is not restricted to a set attack pattern or specific application vulnerability. An application becomes vulnerable when adequate user authentication controls are improperly implemented or overlooked altogether, increasing the risk of user accounts being breached. OWASP outlines the three primary attack patterns that exploit weak authentication:
- credential stuffing
- brute force access
- session hijacking
Credential stuffing is the use of automated tools to test a list of valid usernames and passwords, stolen from one company, against the website of another company. Since users frequently use the same password on multiple accounts, attackers using this method will inevitably achieve a degree of success.
Obtaining valid passwords from the dark web is no problem. Sometimes breaches obtain user credentials stored in plain text. When Sony was breached by LulzSec in 2011, over 1 million user passwords were stolen in plaintext format.
But even if a company stores its passwords hashed, all but the strongest passwords will rapidly be cracked by the hackers using rainbow tables.
In 2017, researchers discovered a file on the dark web containing 1.4 billion compromised username and password combinations, in plain text format. These were compiled from numerous earlier breaches and made available for anyone to use.
Brute forcing passwords is technically the process of trying every different password possibility until the correct one is found. In practice, this isn’t necessary. Attackers will use a list of the most common passwords (such as ‘password’ and ‘123456789’), and try each one in turn – again using automated scripts.
With users now having to manage so many different passwords, the tendency is for people to choose simple ones; and to reuse the same password across multiple accounts. Brute forcing is consequently a simple and often effective attack.
Session hijacking is the exploitation of a legitimate user’s authenticated session. Once login is achieved, the host system will typically assign a session ID to the user so that it isn’t necessary to re-login for each new page visited. This session ID is usually a number appended to the URL in the browser, or a session cookie placed on the user’s computer. In theory it is removed when the user logs out (from the session).
If an attacker can obtain the session ID, perhaps by sniffing traffic, he or she is able to hijack the legitimate user’s session. Since that user is already authenticated, the attacker is able to perform any action allowed to that user.
The scope of the problem
The potential harm caused by broken authentication extends as far as the functionality of the compromised application. It only takes a single account with full administrative access to be compromised and the attackers have access to the entire account – or system, or network. Depending on the nature of the compromised account, attackers could gain access to highly sensitive data or open avenues for identity theft, fraud or money laundering.
Credential stuffing and brute forcing passwords are the most commonly seen attacks of this type. Verizon’s 2017 Data Breach Investigations Report estimated that 81% of hacking-related breaches made use of stolen or weak passwords. As well as giving attackers access to users’ personal data, in most cases a breach will also expose more passwords, especially if stored without hashing or other security.
Data breaches are growing year by year in severity and scope. A Gemalto study into data breaches estimated that over 2.6 billion data records were breached in 2017, across 1,765 separate incidents. In addition to exposing a user’s sensitive information, these breaches carry a heavy financial risk to businesses. A Gartner blog estimated that, even in 2011, Sony would end up paying out more than $300 Million after its users’ data was breached. John Pescatore wrote: “Almost inevitably, the costs of avoiding a security incident are less than the costs of dealing with the impact of an incident”.
Today the cost could be even higher. Losing the personal data of European citizens could invoke GDPR fines of up to 4% of a company’s annual global revenue. For large companies this could run to billions of dollars.
Users should be encouraged – sometimes forced by the application – to adopt good password policy.
Compliance with up-to-date, password guidelines is important, with NIST in particular named by OWASP. NIST’s latest proposals suggest forbidding passwords containing certain non-secure qualities, such as:
- passwords obtained from previous breach corpuses
- dictionary words
- repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- context-specific words, such as the name of the service, the username, and derivatives thereof.
“Complicated passwords frequently aggravate the password problem,” explains High-Tech Bridge CEO Ilia Kolochenko. “Users start writing them down and leaving them on their desks, use very similar passwords after every password update, or even invent one complicated global password for all their accounts.”
Both GCHQ and NIST recommend that a passphrase of three memorable words should be constructed rather than adopting a single memorable word.
Perhaps the single most important action, however, is the implementation of multi-factor authentication. Symantec estimates that as many as 80% of data breaches could be prevented by implementing 2FA.
OWASP also recommends limiting the number of failed login attempts for each user, and introducing an increasing delay between each permitted attempt, to foil brute force attacks.
Proper session management is equally vital. Any application should automatically invalidate a session token after a period of user inactivity, or if the application’s window or tab is closed. OWASP provides a detailed cheat sheet for good session management.
And finally, a note for the future: machine learning and behavioral biometrics may start to play a bigger part in application security as the technology develops. By building a profile of legitimate or expected user behavior, AI is becoming more able to identify a potential attacker based on anomalous behavior and behavioral biometrics. Gartner predicts that behavioral biometrics could eventually replace passwords altogether, saying “For example, smartphones can capture and learn a user's behavior…without the need for passwords or active authentications”. The phone effectively authenticates the user, and the application opens a session with or through the phone.