Missing/Incorrect Authentication

Authentication is the mechanism by which your clients can establish their identity with your service, using a set of credentials that prove that identity. A username is an example of an identity, while a password is an example of a credential.
Insufficient Authentication occurs when an application permits an attacker to access sensitive content or functionality without having to properly authenticate.

Some threats and attacks that are related to authentication process:

  • Network eavesdropping. An attacker steals identity and/or credentials off the network by reading network traffic not intended for them.
  • Brute force attacks. An attacker guesses identity and/or credentials through the use of brute force.
  • Dictionary attacks. An attacker guesses identity and/or credentials through the use of common terms in a dictionary designed for that purpose.
  • Cookie replay attacks. An attacker gains access to an authenticated session through the reuse of a stolen cookie containing session information.
  • Credential theft. An attacker gains access to credentials through data theft; for instance, phishing or social engineering.

Some vulnerabilities related to authentication:

  • Using weak passwords.
  • Storing clear text credentials in configuration files.
  • Passing clear text credentials over the network.
  • Permitting prolonged session lifetime.
  • Mixing personalization with authentication.
  • Using weak authentication mechanisms (e.g., using Basic authentication over an untrusted network).

 

Mitigation

Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability.

Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port.

In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate credential management need to be used throughout.

Use strong password policies. Most important rule to avoid weak passwords in organizations is implementing password policies and strictly following them without exceptions.

Password polices include:

  • Minimum length of password characters – at least 6
  • Password must include special character, lower and upped cases, numbers
  • Number of wrong attempts after which the account is locked for a reasonable time
  • Changing passwords over defined time
  • History of used passwords
  • Using strong encrypting algorithms

Some other techniques include:

  • Do not store credentials in an insecure manner.
  • Use authentication mechanisms that do not require clear text credentials to be passed over the network.
  • Encrypt communication channels to secure authentication tokens.
  • Use Secure HTTP (HTTPS) only with Forms authentication cookies.
  • Use cryptographic random number generators to generate session IDs.

Most common way to ensure good authentication is to use centralized identity and credential management – directory service. A directory service is the software system that stores, organizes and provides access to information in a directory. Example of directory service is Microsoft Active Directory.