
M5: Poor Authorization and Authentication

Learn about the risks of poor authorization and authentication in web applications. Find prevention measures and example attack scenarios to protect your systems.

Overview

This article discusses the risks associated with poor authorization and authentication in web applications. It highlights the common vulnerabilities and their impact on security and business. The article also provides prevention measures and example attack scenarios.


Description

Poor authorization and authentication in web applications can lead to severe security risks and business impacts. The weakness lets threat agents exploit authentication flaws or bypass authentication altogether, gaining unauthorized access to sensitive functionality. The technical impact includes the inability to identify the user behind an action request, so that user activity can no longer be logged or audited. Poor authorization can also result in over-privileged execution of functionality, potentially causing destruction of systems or access to sensitive information. The business impacts include reputational damage, fraud, and information theft.


How to Prevent?

To prevent poor authorization and authentication, developers should reinforce authentication controls on the server side and implement integrity checks within the mobile app's code. Developers should avoid storing data locally and ensure that all authentication requests are performed server-side. Use device-specific authentication tokens and avoid using spoofable values for authentication. Persistent authentication should be implemented as opt-in, and 4-digit PINs should not be used as authentication passwords.
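The following is an added example, written for this article and not code from Cloud Defense or from any referenced project. It contrasts a backend handler that trusts the caller's own `user_id` and `role` fields (the pattern behind the first two attack scenarios below) with one that resolves identity from a server-held session token, looks the role up server-side, and records the verified actor in an audit log. The user directory, the session store and the request shape are constructed assumptions for the demonstration.

```python
import secrets

# Constructed sample data for this example (not from the page): a server-side
# user directory (user id -> role), per-user data the action exposes, and the
# session store (opaque token -> user id) populated at login.
USERS = {"alice": "user", "bob": "admin"}
USER_DATA = {"alice": "alice's export", "bob": "bob's export"}
SESSIONS = {}
AUDIT_LOG = []


def login(user_id):
    """Issue an opaque, random session token for a user the server already knows.
    Credential checking is omitted; the point is that identity is bound to a
    server-held token, never to a value the client asserts about itself."""
    if user_id not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def export_user_data_insecure(request):
    """Vulnerable handler (the pattern in attack scenarios 1 and 2): the caller's
    own claim of who it is and which role it holds is taken at face value, so an
    anonymous request carrying role="admin" reads any user's data."""
    body = request.get("body", {})
    actor = body.get("user_id")   # unverified client assertion
    role = body.get("role")       # unverified client assertion
    target = body.get("target")
    if role != "admin" and actor != target:
        return 403, "forbidden"
    if target not in USER_DATA:
        return 404, "no such user"
    return 200, USER_DATA[target]


def authenticate(request):
    """Resolve the caller's identity from server-side state only.
    Returns the user id, or None if no valid session token was presented."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def export_user_data_secure(request):
    """Hardened handler: authenticate first, derive the role from the server-side
    directory, enforce the authorization rule, then log the verified actor."""
    actor = authenticate(request)
    if actor is None:
        return 401, "authentication required"
    role = USERS[actor]           # role is looked up, never read from the request
    target = request.get("body", {}).get("target")
    if role != "admin" and actor != target:
        AUDIT_LOG.append((actor, "export", target, "denied"))
        return 403, "forbidden"
    if target not in USER_DATA:
        return 404, "no such user"
    AUDIT_LOG.append((actor, "export", target, "ok"))
    return 200, USER_DATA[target]


if __name__ == "__main__":
    forged = {"body": {"user_id": "bob", "role": "admin", "target": "alice"}}
    print("insecure, anonymous request:", export_user_data_insecure(forged))
    print("secure, same request:", export_user_data_secure(forged))
    alice = login("alice")
    escalated = {"headers": {"Authorization": "Bearer " + alice},
                 "body": {"role": "admin", "target": "bob"}}
    print("secure, alice claiming admin:", export_user_data_secure(escalated))
    print("audit log:", AUDIT_LOG)
```

The hardened handler never reads `user_id` or `role` from the request body; both are derived from the session lookup, which is what makes the audit entries trustworthy. A real deployment would add token expiry and bind the session to the device-specific token the prevention guidance mentions, but the control flow stays the same.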


Example Attack Scenarios:

  • Unauthorized Functionality Execution: Developers assume that only authenticated users will be able to generate a service request that the mobile app submits to its backend for processing. However, the server code does not verify the incoming request's association with a known user, allowing adversaries to anonymously execute functionality that affects legitimate users of the solution.

  • Remote Administrative Functionality: Developers assume that only authorized users will be able to see certain functions on their mobile app. However, the backend code does not verify the identity associated with the request, allowing adversaries to perform remote administrative functionality using low-privilege user accounts.

  • Password Deduction: Due to usability requirements, mobile apps allow for short passwords. Adversaries can quickly deduce the original passwords using rainbow hash tables, compromising user passwords if the server's password file or data store is compromised.
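As an added example for the third scenario (not code from the page or from Cloud Defense), the block below shows why short, unsalted password hashes are recoverable and what the server-side fix looks like. A plain precomputed lookup over the 4-digit PIN space stands in for the rainbow table the scenario mentions; both techniques fail once each password gets its own random salt and a deliberately slow hash. The minimum length and the PBKDF2 iteration count are assumed example values.

```python
import hashlib
import hmac
import os

# Policy and cost parameters are assumed example values, not taken from the
# page; tune the iteration count to your own latency budget.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password):
    """The weak storage scheme in scenario 3: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def unsalted_pin_lookup(digest):
    """Why short, unsalted secrets fall to precomputation: the whole 4-digit PIN
    space is 10,000 hashes, so a table built once inverts every stolen digest.
    Returns the PIN, or None if the digest is not a 4-digit PIN hash."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if unsalted_sha256(pin) == digest:
            return pin
    return None


def password_policy_ok(password):
    """Reject 4-digit PINs and other short or all-numeric secrets before they are stored."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.isdigit():
        return False
    return True


def hash_password(password):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. The per-password random salt
    makes any precomputed table useless; the iteration count slows online guessing."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_password(password):
    """Server-side registration step: enforce the policy, then store only the salted hash."""
    if not password_policy_ok(password):
        raise ValueError("password does not meet the minimum policy")
    return hash_password(password)


if __name__ == "__main__":
    leaked = unsalted_sha256("2468")
    print("unsalted PIN digest inverted to:", unsalted_pin_lookup(leaked))
    stored = register_password("correct horse battery")
    print("stored record:", stored)
    print("verify correct:", verify_password("correct horse battery", stored))
    print("verify wrong:", verify_password("correct horse batterz", stored))
```

Two hashes of the same password differ because of the salt, so a table keyed on the digest alone cannot be reused across users; the stored record carries the salt and iteration count so the parameters can be raised later without invalidating existing accounts.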
