Wednesday, August 6, 2014

Authentication and Authorization Security Controls – Code Analysis

Authentication

Applications are running on the server and usually serving browsers. Application authentication is form based and done over HTTP. There are several layers involved in the authentication process and each layer should have their own security protections. There are several different authentication mechanism available on application like NTLM, Basic, Digest, HTML Form based, LDAP, Certificate based etc. Authentication is has two aspects in web based application one is authenticating user and second is making a tunnel or channel for authenticated user since HTTP itself is stateless protocol. Various different authentication controls help in protecting application and if any of the control is missing or poorly written then it opens up severe vulnerability in application. Here is a list of possible issues or vulnerabilities
1.) Authentication disclosing sensitive information
2.) Not having auditing on the authentication
3.) No user lockdown policy in place
4.) Authentication bypass (SQL / LDAP interface)
5.) Password strength is poor
6.) No deployment of CAPTCHA or similar identification product
7.) Credential are not securely transmitted
8.) Credential are stored on client side which can be retrieved
9.) Authentication token or cookies are not well crafted
10.) Single Sign On (SSO) can be abused
11.) Deliberated backdoors are created
12.) Hidden fields and information exposure
Authentication controls are part of application code and it is imperative to analyze full mechanism in detail. This layer of code can help in identifying possible loopholes. Authentication is very critical for sensitive and transaction based sites like banking, trading or mailing system. An attacker can bypass authentication and can take hold of full session, it gets opportunity to advance hacking from there. Over years we have seen popular attack vectors as below
1.) Brutefocing
2.) Cookie theft and replay
3.) Authentication injections with SQL/LDAP
4.) Network eavesdropping and malicious codes
5.) Dictionary attacks
6.) Exploiting backdoors
7.) Hidden data manipulation
8.) Local store and information theft
Above attack vectors can help in exploiting the application and these attacks are easy to carry out using different frameworks. Source code can be written in the most secure fashion to protect against above attacks.

Authorization

Once user gets authenticated next thing is to maintain authorization through out the application. Authorization on the application get maintained using proper access control lists (ACLs). Application runs on HTTP and being a stateless protocol, session tokens are required to maintain authorization. There are several issues which can make entire application weak with authorization perspective and that can lead to exploitable security vulnerability. Here is possible weak area in the application for authorization,
1.) Session tokens are insecure
2.) Weak authorization mechanism
3.) Client side tampering and manipulation possible
4.) Possible data and SQL injections
5.) Access to system level bypass
6.) Single place authorization bypass
7.) URL forcing and manipulation
8.) Guessable resources and access
9.) Role-based bypass exploitation and weakness
Above weakness opens up several different set of vulnerabilities. These vulnerabilities can give access to various resources and opens up larger attack surface. Attacker or hacker can launch various attacks and exploits against target application. Here are list of popular attack vectors,
1.) Elevation of privilege
2.) Confidential data leakage
3.) Data tampering
4.) Session hijacking
5.) Session token exploitation
6.) Authorization injections
7.) URL bruteforcing
8.) Clients side reverse engineering and exploits
Above attacks are very popular against applications with respect to authorization. One needs to analyze logic in detail to detect authorization based vulnerabilities.