M5: Weak Authorization and Authentication
Learn about the severe security risks and business impacts of weak authorization and authentication in web applications. Explore preventive measures and example attack scenarios.
Overview
This article delves into the risks linked with weak authorization and authentication in web applications. It sheds light on common vulnerabilities and their repercussions on security and business. The article also offers preventive measures and example attack scenarios.
Description
Weak authorization and authentication in web applications can expose severe security risks and have significant business impacts. This vulnerability enables threat agents to exploit authentication vulnerabilities, bypass authentication, and gain unauthorized access to sensitive functionality. The technical impact includes the inability to identify the user performing an action request, leading to a failure in logging and auditing user activity. Additionally, weak authorization can result in over-privileged execution of functionality, potentially causing system destruction or access to sensitive information. The business impacts of weak authentication encompass reputational damage, fraud, and information theft. To prevent weak authorization and authentication, developers should reinforce authentication controls on the server-side and implement integrity checks within the mobile app's code. Furthermore, developers should avoid local data storage and ensure that all authentication requests are performed server-side. It is crucial to use device-specific authentication tokens and refrain from using spoofable values for authentication. Persistent authentication should be implemented as opt-in, and 4-digit PIN numbers should not be used for authentication passwords.
How to Prevent ?
To avert weak authorization and authentication, developers should strengthen authentication controls on the server-side and integrate integrity checks within the mobile app's code. Furthermore, developers should refrain from local data storage and ensure that all authentication requests are carried out server-side. It is crucial to utilize device-specific authentication tokens and avoid using spoofable values for authentication. Persistent authentication should be implemented as an opt-in feature, and 4-digit PIN numbers should not be used for authentication passwords.
Example Attack Scenarios:
Unauthorized Functionality Execution: Developers assume that only authenticated users can generate a service request that the mobile app submits to its backend for processing. However, the server code fails to verify the incoming request's association with a known user, enabling adversaries to anonymously execute functionality affecting legitimate users of the solution.
Remote Administrative Functionality: Developers assume that only authorized users can access certain functions on their mobile app. However, the backend code neglects to verify the identity associated with the request, allowing adversaries to perform remote administrative functionality using low-privilege user accounts.
Password Deduction: Due to usability requirements, mobile apps allow short passwords. Adversaries can swiftly deduce original passwords using rainbow hash tables, compromising user passwords if the server's password file or data store is compromised.