Introduction :- An authentication bypass vulnerability could allow attackers to perform various malicious operations by bypassing the device's authentication mechanism.
An authentication bypass exploit is usually the result of a weak authentication mechanism.
Organizations that fail to enforce a strong access policy and authentication controls could allow an attacker to bypass authentication.
Passwords and other authentication methods may not be protecting your data. A good security system evaluates every access request and, based on the user ID and access policy, either grants or denies access. An attack known as authentication bypass allows hackers to avoid such authenticity checks or, in some cases, the entire security subsystem. Most attacks occur on Web sites and can happen due to errors in the design or implementation of a system. There are many forms of authentication bypass attacks but almost all are avoidable.
The ‘root’ cause : Systems vulnerable to authentication bypass usually exhibit one of two problems: a failure to enumerate and enforce the access policy, or a weak authentication system that allows a valid identity to be forged. In the former case, either the Web access control system does not hold the full set of URIs that make up the application or Web site under attack (so an unlisted page is served without any check), or the access control system does not extend to the section of the site that needs protection.
Direct attacks : Another flavor of authentication bypass involves direct attacks on the authentication and authorization systems. Many Web sites use scripts and back-end databases to make authentication and authorization decisions. Unfortunately, the design and implementation of these systems is often faulty. Some Web form-based systems do the credential checking in client-side Web browser scripts, or through parameters posted by the Web browser. An attack against these systems usually involves manipulating values contained in the Web forms or in the parameters posted to the server. Some attacks are as simple as posting a basic true or false value to the Web server.
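The two failure modes described so far, an authorization decision that trusts a value the browser posted and an access policy that does not enumerate every URI, are shown below beside their hardened forms. This is an added example, not code from the article; the request shape, the session store and the route names are constructed for illustration.

```python
"""Added example: client-trusting vs. server-side authorization decisions,
plus a deny-by-default URI policy. All names and data are hypothetical."""
from dataclasses import dataclass, field

# Constructed server-side session store: opaque session id -> user record.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-bob":   {"user": "bob",   "role": "admin"},
}


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    path: str = "/"


def vulnerable_is_admin(req: Request) -> bool:
    """Flawed: the role is read from a form field the client controls, so a
    request that simply posts isAdmin=true passes the check."""
    return req.form.get("isAdmin", "false").lower() == "true"


def hardened_is_admin(req: Request) -> bool:
    """The role is looked up in the server-side session keyed by the cookie;
    posted form values are never used for an authorization decision."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"


# Deny-by-default policy: every served path is listed with the minimum role it
# needs.  A path that is not enumerated is refused instead of falling through.
POLICY = {"/": "anon", "/account": "user", "/admin": "admin"}
RANK = {"anon": 0, "user": 1, "admin": 2}


def authorize(req: Request) -> bool:
    """Return True only if the policy lists req.path and the caller's
    server-side role meets the requirement."""
    required = POLICY.get(req.path)
    if required is None:
        return False  # unenumerated URI: deny rather than serve unchecked
    session = SESSIONS.get(req.cookies.get("sid", ""))
    role = session["role"] if session else "anon"
    return RANK[role] >= RANK[required]
```

The hardened check ignores the form entirely: the only thing the client may present is an opaque session identifier, and everything else about the identity comes from the server's own records.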
Feeding forays : More sophisticated attacks involve feeding SQL statements and other commands directly to the Web server software or database. Alternatively, an attacker may try to take over a valid user session. After successfully authenticating a user, many Web-based applications give the user a cookie or token to present to the application on every subsequent access attempt. The token is often associated with a server-side session ID or, in some cases, the cookie is the session ID itself. The application then performs simple logic operations to determine whether the session ID or token is valid, i.e. whether it is in the list of known sessions.
This can be prevented with strongly encrypted cookies or random session IDs, which make forging far more difficult. Validating all user input on the server side also prevents hostile attempts to take over a session from succeeding.
Impersonation infiltration : More advanced attacks aim to bypass authentication systems by stealing valid session IDs or cookies. The attacker then replays these cookies or session IDs to impersonate a valid user. Many mistakenly consider these man-in-the-middle or session hijacking attacks. However, replaying a cookie or session ID is an authentication bypass attack because it bypasses the subsystems that mediate access to the application, making direct application access possible. To avert this attack, send all session and cookie data only over an encrypted channel.
Causes of Authentication Bypass Vulnerability :-
Authentication bypass results from an improper or missing authentication mechanism for application resources. Unauthenticated access to dynamic content can result from improper access control and session management, or from improper input validation (SQL injection).
Remediation Measures:-
- Authenticate each application resource.
- Manage session cookies appropriately.
- Take extra care when validating authentication parameters, to prevent SQL injection attacks. Use parameterized SQL queries or database stored procedures for all database calls.
Risk Assessment :-
Likelihood : The likelihood of an authentication bypass exploit using forceful browsing or URL parameter tampering is ‘High’, since any ordinary Internet user could launch this attack.
Authentication bypass by tampering with ‘POST’ parameters or session cookies, or by SQL injection, may require tools such as a web proxy and some knowledge of hacking techniques. Hence the likelihood in this case may be rated ‘Medium/High’.
Impact : If an attacker could obtain sensitive personal data of a user, then the impact of the vulnerability could be rated ‘High’.
If an attacker could gain access only to static pages, then the impact of the vulnerability could be rated ‘Medium’.
Risk : The overall risk of the vulnerability is ‘Critical/High’.
Note: The overall risk rating of a vulnerability also depends on the sensitivity of the data handled by the application.
Tips to protect your website from hackers :-
Keep software up to date :-
It may seem obvious, but ensuring you keep all software up to date is vital in keeping your site secure. This applies to both the server operating system and any software you may be running on your website such as a CMS or forum. When website security holes are found in software, hackers are quick to attempt to abuse them.
If you are using a managed hosting solution then you don’t need to worry so much about applying security updates for the operating system as the hosting company should take care of this.
Watch out for SQL injection :-
SQL injection attacks occur when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you build standard Transact-SQL by concatenating strings, it is easy to unknowingly let rogue code into your query that could be used to change tables, read information and delete data. You can easily prevent this by always using parameterized queries; most web languages have this feature and it is easy to implement.
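Both the remediation list above ("use parameterized SQL queries") and this section make the same point, so one added example covers both: a user lookup built by string concatenation beside the parameterized form. This is not code from the article; the in-memory SQLite table and the inputs are constructed for the demonstration.

```python
"""Added example: string-built SQL vs. a parameterized query.  The table,
the stored row and the test inputs are constructed, not from the article."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return con


def find_user_vulnerable(con: sqlite3.Connection, username: str) -> bool:
    """Flawed: the username is spliced into the SQL text, so quote characters
    in the input are interpreted as SQL rather than as data.  A value that
    closes the string and adds an always-true condition matches every row; a
    plain name such as o'brien is a syntax error instead of a lookup."""
    query = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return con.execute(query).fetchone() is not None


def find_user_safe(con: sqlite3.Connection, username: str) -> bool:
    """Parameterized: the driver sends the value separately from the query
    text, so whatever the input contains it is only ever compared as data."""
    query = "SELECT 1 FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchone() is not None
```

The same `?` placeholder style applies to `INSERT` and `UPDATE` statements; the rule is simply that user-supplied values never become part of the SQL text.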
Protect against XSS attacks :-
Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users and can change page content or steal information to send back to the attacker. For example, if you show comments on a page without validation, an attacker might submit a comment containing script tags and JavaScript, which would run in every other user’s browser and steal their login cookie, allowing the attacker to take control of the account of every user who viewed the comment. You need to ensure that users cannot inject active JavaScript content into your pages.
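The comment scenario above, rendered unsafely and then with output encoding, as an added example that is not part of the article. The comment text is a constructed placeholder (`stealCookie()` is not a real function), and the link helper shows the second context that needs its own rule: a user-supplied URL in an `href` must be restricted to `http`/`https` because escaping alone does not stop a `javascript:` scheme.

```python
"""Added example: HTML output encoding for user comments and scheme checking
for user-supplied links.  Inputs are constructed placeholders."""
import html
from typing import Optional
from urllib.parse import urlsplit


def render_comment_unsafe(author: str, body: str) -> str:
    """Flawed: raw user text becomes markup, so a <script> tag in a comment
    executes in every viewer's browser."""
    return f"<li><b>{author}</b>: {body}</li>"


def render_comment(author: str, body: str) -> str:
    """Encode the text for the HTML body context: <, >, &, and quotes become
    entities, so the browser displays the characters instead of parsing them."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


def safe_link(url: str) -> Optional[str]:
    """Allow only absolute http/https URLs; anything else (javascript:, data:,
    scheme-relative tricks) is dropped rather than rendered."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return candidate
    return None


def render_profile_link(author: str, url: str) -> str:
    """Attribute context: validate the scheme first, then entity-encode the
    value (quote=True is the html.escape default) so it cannot close the
    attribute."""
    href = safe_link(url)
    if href is None:
        return html.escape(author)  # no link at all rather than an unsafe one
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(author))
```

Template engines with auto-escaping do the body-context encoding for you; the scheme check on links is the part that still has to be written explicitly.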
Beware of error messages :-
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Don’t provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need.
Validate on both sides :-
Validation should always be done on both the browser and the server side. The browser can catch simple failures such as mandatory fields left empty, or text entered into a numbers-only field. These checks can, however, be bypassed, so you should repeat them and perform deeper validation on the server side; failing to do so could allow malicious code or script to be inserted into the database, or cause undesirable results on your website.
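A server-side validator that repeats the browser's checks (required fields, numeric-only fields, length limits) and additionally rejects fields the form never rendered, which is how a forged `isAdmin` parameter is caught before it reaches any logic. This is an added example, not the article's code; the schema and field names are constructed.

```python
"""Added example: schema-driven server-side validation.  The schema and the
sample form submissions are hypothetical."""
import re

# Constructed schema for an order form.  Every accepted field is listed; the
# browser-side checks are repeated here because the browser can be bypassed.
SCHEMA = {
    "email":    {"required": True, "max_len": 254,
                 "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "quantity": {"required": True, "type": int, "min": 1, "max": 100},
    "note":     {"required": False, "max_len": 200},
}


def validate(form: dict, schema: dict = SCHEMA) -> dict:
    """Return a mapping of field name -> error message; empty means valid."""
    errors = {}
    for name, rule in schema.items():
        raw = form.get(name, "")
        raw = "" if raw is None else (raw.strip() if isinstance(raw, str) else str(raw))
        if not raw:
            if rule.get("required"):
                errors[name] = "required"
            continue
        if "max_len" in rule and len(raw) > rule["max_len"]:
            errors[name] = "too long"
            continue
        if rule.get("type") is int:
            if not re.fullmatch(r"-?\d+", raw):
                errors[name] = "not an integer"
                continue
            value = int(raw)
            if value < rule.get("min", value) or value > rule.get("max", value):
                errors[name] = "out of range"
                continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], raw):
            errors[name] = "invalid format"
    # Fields that the form never offered are refused outright: a client that
    # posts extra parameters is not using the page as designed.
    for extra in set(form) - set(schema):
        errors[extra] = "unexpected field"
    return errors
```

Rejecting unknown fields is the piece most forms omit; it is cheap and it removes a whole class of parameter-tampering bypasses.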
Check your passwords :-
Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords for your server and website admin area, but it is equally important to insist on good password practices for your users, to protect the security of their accounts.
As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and a number, will help to protect their information in the long run.
Passwords should always be stored as encrypted values, preferably using a one-way hashing algorithm such as SHA. Using this method means that when you are authenticating users you are only ever comparing encrypted values. For extra website security it is a good idea to salt the passwords, using a new salt per password.
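The policy check and the salted, one-way storage described above, as an added example that is not from the article. It uses PBKDF2 over SHA-256 from the standard library, which applies the SHA family the text mentions many times over with a fresh random salt per password; the iteration count and the storage format are assumptions, not a published standard.

```python
"""Added example: password policy check plus salted PBKDF2-HMAC-SHA256 storage
and constant-time verification.  Format and iteration count are assumed."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

ITERATIONS = 200_000  # assumed; raise it as far as your login latency budget allows
ALGO = "pbkdf2_sha256"


def check_policy(password: str) -> List[str]:
    """Return the list of unmet requirements (empty list means acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("an uppercase letter")
    if not re.search(r"\d", password):
        problems.append("a number")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way digest with a fresh 16-byte random salt and pack
    algorithm, iterations, salt and digest into one storable string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; only digests are ever compared."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    iterations = int(parts[1])
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)
```

Storing the iteration count alongside the digest lets you raise it later and re-hash each user at their next successful login, without a mass reset.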
Avoid file uploads :-
Allowing users to upload files to your website can be a big website security risk, even if it’s simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website.
If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow a comment section that could contain PHP code, which could be executed by the server.
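An upload handler that applies the advice above: the client's filename, extension and MIME type are ignored, the content signature decides the type, the stored name is random with a fixed extension, and the file is written without an execute bit. This is an added example, not the article's code; the sample bytes are constructed headers only, and the upload directory is assumed to be one where the web server has script execution disabled.

```python
"""Added example: signature-based image upload validation with a server-chosen
filename.  Sample bytes are constructed headers, not real images."""
import os
import secrets
import tempfile
from typing import Optional

# Magic-byte signatures for the only types we accept (assumed allowlist).
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit

# Constructed samples: valid signatures followed by filler, enough for the check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def sniff_image_type(data: bytes) -> Optional[str]:
    """Decide the type from the leading bytes, never from the client's name."""
    for signature, ext in ALLOWED_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def make_upload_dir() -> str:
    """Create a scratch directory standing in for the non-executable upload store."""
    return tempfile.mkdtemp(prefix="uploads-")


def store_upload(data: bytes, claimed_name: str, upload_dir: str) -> str:
    """Validate and store an upload; return the server-assigned filename.
    claimed_name is accepted only so the signature shows it is ignored."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("not an allowed image type")
    # Random name, fixed extension: the client can neither pick a path nor
    # smuggle a .php suffix, and nothing of claimed_name reaches the disk.
    new_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, new_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # readable, never executable
    return new_name
```

Because the text rightly notes that a header check is not foolproof, the remaining defences are to serve uploads from a location where the server will not execute scripts, to send them with a fixed image `Content-Type`, and ideally to re-encode the image through an image library so that only pixel data survives.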
Use HTTPS :-
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they’re seeing in transit.
If you have anything that your users might want kept private, it’s highly advisable to use only HTTPS to deliver it. That of course means credit card and login pages (and the URLs they submit to), but typically far more of your site too. A login form will often set a cookie, for example, which is sent with every other request a logged-in user makes to your site and is used to authenticate those requests. An attacker who steals this cookie would be able to perfectly imitate the user and take over their login session. To defeat these kinds of attacks, you almost always want to use HTTPS for your entire site.
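The session cookie described here, and the random server-side session IDs recommended in the "Feeding forays" and "Impersonation infiltration" sections above, are shown in one added example that is not from the article: the ID is unguessable, it is only a key into the server's own store, and the cookie is marked so that browsers send it only over HTTPS and never expose it to page scripts. The time-to-live, the in-memory store and the function names are assumptions.

```python
"""Added example: opaque random session IDs held server-side and delivered as
Secure/HttpOnly cookies.  TTL, store and names are hypothetical."""
import secrets
import time
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_TTL = 30 * 60                # assumed idle limit of 30 minutes
_sessions: Dict[str, dict] = {}      # server-side store: opaque id -> record


def issue_session(username: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a session after a successful login.  Returns the session id and
    the Set-Cookie header value to send with the response."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not forgeable
    _sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True     # only sent over HTTPS, so never sniffed in transit
    cookie["sid"]["httponly"] = True   # not readable by page scripts (limits XSS theft)
    cookie["sid"]["samesite"] = "Lax"  # not attached to cross-site POSTs
    cookie["sid"]["path"] = "/"
    return sid, cookie.output(header="").strip()


def user_for_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve an incoming Cookie header to a username.  Unknown, forged or
    expired ids resolve to None; the caller treats that as not logged in."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    if "sid" not in jar:
        return None
    sid = jar["sid"].value
    record = _sessions.get(sid)
    if record is None:
        return None
    if record["expires"] <= now:
        _sessions.pop(sid, None)  # expired: drop it so it cannot be replayed later
        return None
    return record["user"]


def revoke_session(sid: str) -> None:
    """Logout: forget the id server-side so a stolen copy is useless afterwards."""
    _sessions.pop(sid, None)
```

The ID carries no information about the user; everything the application knows about the session lives in `_sessions`, which is why a replayed or guessed value that is not in the store fails closed.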
Get website security tools:-
Once you think you have done all you can, it’s time to test your website security. The most effective way of doing this is to use website security tools, in what is often referred to as penetration testing, or pen testing for short.
There are many commercial and free products to assist you with this. They work on a similar basis to hackers’ scripts, in that they test all known exploits and attempt to compromise your site using some of the previously mentioned methods, such as SQL injection.
You can stop a hacker by being vigilant and taking a proactive approach to security. It is important to realize that protecting your website from hackers and malicious attacks is an ongoing process. There are steps you can take once, but mostly you need to be aware of the changes in the threat landscape.
Furthermore, there is no one-stop, definitive article that can help you stop all possible hacks against your website. Any article or website or expert that claims to do so is not being truthful.
So, while we can’t really promise that this article will keep your website safe and secure forever, we have given you some general security tips that will make your website pretty difficult to hack. Using the tips in this article, you will be able to patch several flaws in your website security.
Dr. Abid Hussain, Associate Professor, School of Computer Applications, Career Point University, Kota