When a developer writes their own authentication and
session management system, there are a number of things that could go wrong. A
flawed login mechanism or a week password management scheme could be exploited
by hackers. Session management and time outs, password reset, remember me check-box,
secret questions or account update features like changing username could be some
point/features where things could go wrong. Bug or gaps in one of these
components could range in impact, from assisting in a social engineering attack
to a full compromise of user accounts.
Some factors:
1. Session
Id and predictably
2. Server
Side Credentials be overwritten through weak account management function.
3. Session
ID exposed to URL.
4. Session
timeout, Manual Expire
a.
Logout
b.
Can a user manually expire all other session from
other devices and kick out attackers who may be logged in.
Examples of a flawed Login logic:
boolean isLoginSucess= true;
try{
isLoginSucess= validateLogin(user,passWord);}
catch(Exception e){
//some logger used here
}
if(!loginSucess){
redirect to loginpage;
}else{//do something after loginsucessfull.
} Such a code where the default logging is true is a risk. (I actually found this code in a college project submitted by an engineering graduate).
As you may have guessed an exception in validateLogin() will
result in successful authentication.
Other attacks:
When a password requirement
scheme is not strong, i.e. simple dictionary password is used, the application
is in risk of brute force attack, where the attacker tries to get into all
words in a dictionary.
Session Fixation:
Using tools like Brup proxy,
cookies and requested parameter can be spoofed.
No comments:
Post a Comment