2 Most Common Authentication Vulnerabilities in Web Applications
Attacks on web applications are an all too common occurrence these days. Amazingly, the threats from where the attacks are directed aren’t always external; internal threats are just as real and very dangerous in their own rights. As a result, companies spend millions shoring up the security of their web applications. Despite this, a well-targeted attack can easily break through the security barriers; just ask Sony about the attack on their PlayStation Network in April 2011. They key to deploying a fool-proof system lies in identifying the existing problems correctly. In order to fix anything, you first have to accurately know what is wrong with it. Many times, the web application’s security vulnerability lies in the authentication process. The 2 most common authentication vulnerabilities that you should keep an eye out for are broken authentication / session management and insufficient transport layer protection.
Broken Authentication and Session Management
The way a web application is able to handle the authorization process and the subsequent active session goes a long way I helping prevent “drive by” attacks from internal and external threats. When it comes to credential management, there is a number of features that can fall susceptible to attacks, including simple functions like ‘remember password’ and ‘forgot username and password’. Unless a web application is being used by mega-corporations, chances are that the application developers have decided to forgo very expensive hardware or software based authentication systems in favour of the good old username-password combination system.
Combating Broken Authentication and Session Management
A very simple way to combat this menace is to ensure that there is a re-authentication process before any account management functions can be carried out. Keeping track of the stream of requests from users is a great way to counter this problem and it is not uncommon to find web applications that establish sessions for that very purpose.
Insufficient Transport Layer Protection
Ask any security expert to name a common flaw in web applications and chances are they will talk about the manner in which web applications do not protect network traffic. All the focus on providing proper security usually seems to be directed at the authentication process, leaving unencrypted data free to be intercepted. A very common reason why this occurs is the lack of SSL encryption on the right pages. Many applications only use SSL during authentication and for other very important pages, but forgo it for every other page.
Combating Insufficient Transport Layer Protection
For other authentication errors, a thorough investigation is required to detect even the smallest of flaws. However, all you have to do in order detect a basic insufficient transport layer protection error is to monitor the network traffic. Other flaws may require more in-depth investigation, but rarely does one have to dig deep into the server or application configuration. SSL should be used on any and all pages that contain important information and non-SSL requests to these pages should be redirected to the SSL page.
The OWASP Top 10 lists both these issues as very common security flaws in web applications. Thankfully, they are not that hard to detect and fixing the problems is often more a question of common sense than, that of technical ability.