M3: Insecure Authentication/Authorization | OWASP Foundation

Overview

This is a page about insecure authentication and authorization on mobile apps. It discusses the threat agents, attack vectors, security weaknesses, technical impacts, and business impacts of these vulnerabilities. It also provides instructions on how to prevent insecure authentication/authorization and gives example attack scenarios. The page is from the OWASP Foundation, an organization dedicated to improving software security.

Description

This page provides information on insecure authentication and authorization in mobile apps. It explains the potential threats and vulnerabilities, as well as the impact on technical and business aspects. The page also offers preventive measures and example attack scenarios. It is from the OWASP Foundation, a reputable organization focused on software security.

How to Prevent ?

To prevent insecure authentication and authorization, it is important to avoid weak patterns and reinforce secure measures. Developers should ensure that the authentication requirements of mobile applications match those of the web applications. Local user authentication should be avoided to prevent client-side bypass vulnerabilities. All authentication requests should be performed server-side, and client-side data storage should be encrypted. The 'Remember Me' functionality should never store a user's password on the device. Backend systems should independently verify the roles and permissions of authenticated users, and local integrity checks should be implemented to detect unauthorized code changes. FaceID and TouchID can be used to enhance authentication security.

Example Attack Scenarios:

• Hidden Service Requests:  Developers assume that only authenticated users can generate a service request, but the server code does not verify the user's identity. Adversaries can anonymously execute functionality that affects legitimate users.

• Interface Reliance:  Developers assume that only authorized users can see a particular function, but the back-end code does not verify the user's entitlement to execute the service. Adversaries can perform remote administrative functionality using low-privilege user accounts.

• Usability Requirements:  Mobile apps allow for short passwords due to usability requirements. Adversaries can quickly deduce passwords using rainbow hash tables if the server's password file is compromised.

• Insecure Direct Object Reference:  The backend fails to validate the actor ID associated with an OAuth bearer token, allowing users to tweak the actor ID and access the account information of other users.

• Transmission of LDAP Roles:  The backend relies on the incoming LDAP information from the user without performing independent validation. Users can manipulate the LDAP group membership and perform administrative functionality.