Open in app

Sign in

Write

Sign in

Authentication Vulnerabilities

Jasjit Dhanoa
4 min readJul 30, 2022

Authentication vulnerabilities are some of the simplest issues to understand. However, they can be among the most critical due to the obvious relationship between authentication and security.

Allowing attackers direct access to sensitive data and functionality, they also expose additional attack surfaces for further exploits.

So how you can ensure that your own authentication mechanisms are as robust as possible?

Before that first lets know more about authentication.

➡️What is Authentication?🥱

Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure that they really are who they claim to be.

Websites are exposed to anyone who is connected to the internet by design. Therefore, “robust authentication” mechanisms are an integral aspect of effective web security.🎯

🤓Factors into which different types of authentication can be categorized:

  • Something you know, such as a password or the answer to a security question. These are sometimes referred to as “knowledge factors”.
  • Something you have, that is, a physical object like a mobile phone or security token. These are sometimes referred to as “possession factors”.
  • Something you are or do, for example, your biometrics or patterns of behavior. These are sometimes referred to as “inherence factors”.

👉Authentication mechanisms rely on a range of technologies to verify one or more of these factors.👈

Beginners often confuse authentication with authorization🤷‍♂️

So first let's know what the basic technicality is.⤵️

➡️Difference between authentication and authorization?

Authentication is the process of verifying that a user really is who they claim to be.

In the context of a website or web application, authentication determines whether someone attempting to access the site with the username really is the same person who created the account.

&

authorization involves verifying whether a user is allowed to do something.

Once the username is authenticated, his permissions determine whether or not he is authorized

➡️Reason behind authentication vulnerabilities cause?

most vulnerabilities” in authentication mechanisms arise in one of two ways:

  • The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.
  • Logic flaws or poor coding in the implementation allow the authentication mechanisms to be bypassed entirely by an attacker. This is sometimes referred to as “broken authentication”.

➡️Impact of vulnerable authentication?🦩

Once an attacker has either bypassed authentication or has brute-forced their way into another user’s account

YES! the impact of authentication vulnerabilities can be very severe. They have access to all the data and functionality that the compromised account has.

Even if the account does not have access to any sensitive data, it might still allow the attacker to access additional pages, which provide a further attack surface.

For example,

  • A compromised high-privileged account, such as a system administrator, they could take full control over the entire application and potentially gain access to internal infrastructure.
  • Even a compromised low-privileged account might still grant an attacker access to data that they otherwise shouldn’t have, such as commercially sensitive business information.

➡️Preventive Measures

There are several general principles that you should follow.

  • Take care of user credential

-Audit your website to make sure that no username or email addresses are disclosed either through publicly accessible profiles or reflected in HTTP responses

-You may have implemented HTTPS for your login requests, make sure that you enforce this by redirecting any attempted HTTP requests to HTTPS as well.

  • Don't count on users for security

-Implement an effective password policy.

-implement a simple password checker which only allows passwords that are rated highly by the password checker, you can enforce the use of secure passwords more effectively than you can with traditional policies.

  • Implement robust brute force protection

-Implement strict IP-based user rate limiting.

- a CAPTCHA test with every login attempt after a certain limit is reached. Making the process as tedious and manual as possible increases the likelihood that any would-be attacker gives up and goes in search of a softer target instead.

--

--

Jasjit Dhanoa

Written by Jasjit Dhanoa

9 Followers

Penetration Tester | Cyber Security Enthusiast

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams