Welcome back to our ten-part blog series on the OWASP Top Ten list of 2021, where we are taking a light look at the common threats in the digital space that organisations face.
In today’s seventh instalment, the focus is on Identification and Authentication Failures.
Understanding Identification and Authentication Failures
This issue previously occupied second place in the OWASP Top Ten List 2017 and was known as Broken Authentication. Typically, the problem arises when the processes for verifying and validating users are poorly implemented or flawed. These vulnerabilities can allow attackers to masquerade as legitimate users, gaining unauthorised access to sensitive data and systems.
To draw a parallel, imagine that you run a nightclub and employ bouncers on the doors. You have to trust the bouncers to be able to verify the legitimacy of guests that are queueing for entry. However, if some of those guests are queueing with fake IDs and are allowed entry, all of a sudden there has been a failure of the security controls placed on entering the club itself. In the digital space, identification and authentication act as these bouncers, determining who is allowed access and who is not. When the processes are flawed or implemented incorrectly, it opens the door for intruders to gain access whilst masquerading as legitimate users.
Common Risks Associated with Identification and Authentication Failures
- Weak or Stolen Credentials:
Simple or commonly used passwords such as “Password123” or “admin” are easily guessed or cracked, making accounts vulnerable to attack.
- Session Hijacking:
This involves attackers taking over a user’s session, often exploiting poorly managed session tokens. When carried out successfully, an attacker is able to carry out actions whilst masquerading as the legitimate user.
- Inadequate Password Recovery Mechanisms:
Flaws in password recovery processes can become easy targets for attackers. This includes using a “knowledge-based answers” system, which is inherently flawed in its implementation.
- Credential Stuffing:
Attackers can leverage a stolen or leaked credential database in their attacks on a system. If a user is included in the database and uses their password in more than one location, they could fall victim to this attack.
Strategies to Mitigate Identification and Authentication Failures
- Implement Multi-factor Authentication (MFA):
Adding layers of authentication beyond just passwords significantly enhances security. There are some concerns that SMS based MFA is not as secure as it’s counterparts, so consider the use of email-based one-time passcodes (OTPs).
- Enforce Robust Password Policies:
Mandate strong, complex passwords and encourage regular updates. This includes a minimum length of 10-12 characters as well as a mixture of upper/lowercase characters and numbers. Discourage the use of default or easily guessable passwords.
- Secure Session Management:
Ensure secure, unique session tokens and implement timeouts. By implementing a timeout period, it will invalidate session tokens after logout or unacceptable periods of inactivity.
- Conduct Regular Security Assessments:
Regularly test for vulnerabilities using both automated tools and manual penetration testing. This should include putting your own systems through the ringer and checking that they hold up to an attack. It is better to catch it and patch it than fall victim to an attack!
- Prevent Credential Stuffing:
Use strategies such as rate limiting (with an increasing delay), CAPTCHA, and monitoring for repeated login failures. Similarly, ensure that generic error messages are used such as “invalid username/password” instead of “invalid password”. This stops attackers from learning that at least one part of the credential was accepted.
- User Education and Awareness:
Inform your users about the importance of strong, unique passwords and the dangers of password reuse. This should include educating users on the dangers of only modifying small parts of their original password.
- Continuous Monitoring and Anomaly Detection:
Implement tools to monitor and alert on unusual authentication activities, which could indicate a breach attempt.
The integrity of user identification and authentication systems is so important when ensuring that web applications are secure. By addressing these common pitfalls and adopting strong security measures, an organisation can significantly bolster their cyber defence against unauthorised access. As always, cybersecurity is a continuous journey working towards a safer digital environment, not just a one-time effort.
When conducting penetration tests against a client’s web application, the team at CyberWhite follow the OWASP framework closely. This allows us to check applications against the OWASP Top Ten list, including Identification and Authentication Failures as explored in this blog post.