Deploy Containers Close to Your Users

This Engineering Education (EngEd) Program is supported by Section.

Instantly deploy containers globally. Section is affordable, simple and powerful.

Get Started for Free.

Testing For Broken Authentication in Web Applications

February 22, 2022

Authentication is a mechanism put in place to determine if a user is who they say they are, either through a password-based system or any other form of authentication system.

In this article, we’ll be going through how to test for broken authentication, their impact, and how to mitigate them.

Pre-requisites

To follow along, you are required to have some basic knowledge of the Burp Suite.

Table of contents

What is broken authentication?

Broken Authentication is a type of vulnerability that allows attackers to get into a web application without proper credentials.

This could be carried out either by bypassing the authentication mechanism put in place or by brute-forcing another user’s account.

If the attacker successfully bypasses or brute-forces his way into another user’s account, they gain access to all the data and privileges of that user account.

According to the OWASP Top 10 2021 report, broken authentication is ranked number 7 and is grouped under Identification and Authentication Failures.

This category slipped down from second place and now contains Common Weakness Enumerations (CWEs) relating to identification issues. It was previously known as broken authentication.

The severity of this vulnerability can be so high. Say, an attacker was able to brute-force his way into the administrator account of a web application, this means he gets full control over the web application.

This article seeks to demonstrate how an attacker tests for broken authentication in a web application and how to prevent them.

Disclaimer: This article is for educational purposes only.

Testing for broken authentication

To carry out this attack, we will make use of an intentionally vulnerable web application called Juice shop.

Installation

Let’s set up juice shop.

Note: this installation process is for Kali Linux.

We’ll be installing OWASP juice shop using Docker. You can find other ways to set it up here.

To begin, we need to install docker by running the following commands:

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' > /etc/apt/sources.list.d/docker.list
apt update
apt install docker-ce

Install juice shop:

docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop

All we need to do now is to browse to http://localhost:3000 in a browser.

index page

After starting up the web application, we’ll proceed to the login page for testing.

login page

We can go ahead to create an account or log in with the admin credentials, which are:

  • Email: admin@juice-sh.op
  • Password: admin123

Now, let’s check how the application reacts if we provide incorrect login credentials:

login error

From the above screenshot, an error message is displayed.

Some applications simply come out to tell you the particular field that contains the wrong credentials - something like an incorrect password where the username provided is correct, or an invalid username where the password is correct but doesn’t match the username provided.

This is a poor practice because it allows user enumeration.

User enumeration

Username enumeration is a type of application vulnerability that happens when an attacker can identify whether or not usernames are genuine.

This problem is most typically seen on login forms, where an error message such as “the username is invalid” is displayed.

You can learn more about username enumeration here.

Next, we click on the Forgot Password? option:

password reset

Again, we provided an incorrect email and noticed that we were unable to click or fill out other parts of the form.

Interesting!

What if we provided an email address we think is valid, will we be able to complete the form?

password reset

After providing a valid email address, the form allows us to click and fill in other fields. Again, this allows for user enumeration.

Now that the application just confirmed the validity of the email address we provided, the next field is to fill the security question Mother's maiden name?.

With the use of open-source Intelligence, an attacker can easily figure out the answer to this question. In some cases, it just might be the user’s last name. Then, the attacker moves on to change the password of that user.

This is just one scenario that shows the impact of broken authentication on a login form. Another scenario is weak passwords and default credentials.

Weak password policies

Some web applications still allow the use of weak and well-known or default credentials such as admin: admin and password1234. Applications that do not enforce a strong password policy are highly susceptible to this attack.

To demonstrate this, we’ll try to login into the admin account and intercept the request using the burp suite.

Burp Suite is a proxy tool that allows us to intercept, analyze, and modify requests that come from our browsers before they are sent to the remote server.

You can read more on it here.

Here, the burp suite allows us to intercept and modify the login request before it is sent to the server.

burp suite

We’ll try login in first with the admin email and a random password. We get an error message indicating incorrect credentials.

admin

Now, we’ll try to break into the application.

Firstly we’ll intercept the login request in the burp suite, next, we’ll click on the HTTP history tab next to the Intercept tab. Now we’ll find the POST /login request, right-click on it and select Send to intruder.

http history

Now, in the intruder tab, we’ll click on the Positions tab that displays the intercepted request.

intruder

We’ll leave the Attack type option as Sniper. From the screenshot above, the email and password values are highlighted in green. Clicking on the Clear button helps remove that.

Next, we’ll highlight the password parameter, this allows me to substitute the password value with a list of passwords.

To do that, we’ll click on the Add button, click on the Payloads tab, and under the Payload Options [Simple List] we are required to paste a list of passwords that serves as payloads.

What we are doing here is simulating different login processes with the admin email and several passwords, till we get the correct password.

We’ll be using the Seclist worst passwords of 2017 as our password list.

Now, we’ll copy and click on paste in the payload options section:

payload

After pasting the list of passwords, next is to click on Start Attack to begin the attack process:

attack

As soon as the attack process is finished, we scrolled through the result and found a request with a status code of 200 with a payload of admin123.

correct password

What the attack simply did was to send different login requests with each of the passwords in our list.

Now, let’s try to log in with the newly discovered password.

logged in

It works!

Impact of broken authentication

  • Compromising an account allows the attacker access to unauthorized information.
  • It could lead to full application takeover.
  • Loss of sensitive and confidential business information.

Prevention of broken authentication

Conclusion

To summarize, we have gone through how to set up an OWASP Juice shop. We have also earned how to test for broken authentication in web applications, the impact and prevention of broken authentication applications.

Broken authentication is a vulnerability that must be prevented by all means. Ensuring you have a proper and secured authentication mechanism is very important.

Further reading


Peer Review Contributions by: Srishilesh P S