January 9, 2023
In this blog, we will explore the issue of API2:2019 Broken User Authentication and how it can lead to serious security vulnerabilities in web applications.
But before we dive into broken user authentication, let’s first understand what authentication is. Authentication is like a bouncer at a fancy nightclub. Just like the bouncer checks IDs to make sure only authorized guests are allowed into the club, authentication checks to make sure only authorized users are allowed access to a web application. Imagine you're trying to log into your online shopping account. The application asks for your username and password, kind of like the bouncer asking for your ID. If the information you provide matches what the application has on file, you're granted access, just like the bouncer letting you into the club.
Now imagine you're trying to log into the same online shopping account, but no matter what you do, you just can't get in. You've tried every password you can think of, but the site keeps telling you that you're entering the wrong information. Frustrated, you decide to reset your password. But when you go to do that, you realize that the site's password reset feature isn't working either. At this point, you might start to panic. What has happened? The site's user authentication system has been compromised. Someone may have gained unauthorized access to the system and changed your password, rendering it useless. This type of security vulnerability is known as broken user authentication, or BUA.
BUA is a major issue for web applications, as it allows attackers to potentially gain access to sensitive information or even take over entire accounts. It can happen for a variety of reasons, such as using weak passwords, failing to manage passwords properly, or lacking security measures such as two-factor authentication and CAPTCHA.
One of the primary ways that attackers exploit broken user authentication is through brute-force attacks. In a brute-force attack, the attacker will use automated tools or scripts to try many different passwords or OTPs in rapid succession to bypass authentication and gain access to the system.
Scenario 1:
In this scenario, an attacker is attempting to take control of a victim's account by initiating the password recovery process. They do this by making a POST request to the password-reset endpoint: POST /identify/api/auth/password-reset HTTP/1.1
This triggers the application to send a four-digit OTP code to the victim's email. The attacker then tries to reset the victim's password by calling the verification endpoint and supplying the correct OTP.
Verification endpoint: POST /identify/api/auth/v3/check-otp HTTP/1.1
The check-otp endpoint has no rate-limit protection. Hence, to find the correct OTP, the attacker can brute-force all possible combinations of a four-digit OTP (only 10,000 of them) using tools such as Burp Suite Intruder or any automated script.
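The defence for both the brute-force attack described above and Scenario 1 is to make the OTP verification endpoint itself refuse to be enumerated. The following is an added example (not code from the original post) of an OTP service that issues a random four-digit code, expires it, compares it in constant time, and invalidates it after a small number of wrong guesses, so an exhaustive attempt gets at most MAX_ATTEMPTS evaluations instead of 10,000. The class and function names, the thresholds and the injectable clock are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 4
MAX_ATTEMPTS = 3        # assumed: wrong guesses allowed per issued code
OTP_TTL_SECONDS = 300   # assumed: code is valid for five minutes


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    failed_attempts: int = 0


class PasswordResetOtpService:
    """Hypothetical back end for a /check-otp style endpoint."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be tested
        self._pending: dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> str:
        # Cryptographically random code; any earlier pending code is replaced.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = OtpRecord(code=code, issued_at=self._now())
        return code  # in a real system this goes to the user's email only

    def verify(self, user_id: str, submitted: str) -> tuple[bool, str]:
        rec = self._pending.get(user_id)
        if rec is None:
            return False, "no_pending_otp"
        if self._now() - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return False, "expired"
        # Only ASCII digits of the right length are even compared; anything else
        # is a failed attempt, never a crash (compare_digest rejects non-ASCII).
        well_formed = (len(submitted) == OTP_DIGITS and submitted.isascii()
                       and submitted.isdigit())
        if well_formed and hmac.compare_digest(rec.code, submitted):
            del self._pending[user_id]      # single use
            return True, "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]      # user must request a fresh code
            return False, "locked"
        return False, "wrong_code"


def guesses_evaluated_before_lockout(service: PasswordResetOtpService,
                                     user_id: str) -> int:
    """Count how many sequential guesses the service evaluates before it stops
    answering. Without the attempt limit this would be 10**OTP_DIGITS."""
    service.issue(user_id)
    evaluated = 0
    for n in range(10 ** OTP_DIGITS):
        ok, reason = service.verify(user_id, f"{n:0{OTP_DIGITS}d}")
        evaluated += 1
        if ok or reason in ("locked", "no_pending_otp"):
            break
    return evaluated


if __name__ == "__main__":
    svc = PasswordResetOtpService()
    print("guesses evaluated:", guesses_evaluated_before_lockout(svc, "victim"))
```

The attempt counter is tied to the issued code, not to the client IP, so distributing the guesses across many sources does not help; a per-IP limit on the endpoint is still worth adding on top, as is a limit on how often a new code can be requested.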
Scenario 2:
Another common tactic used by attackers is known as Credential Stuffing. In this attack, the attacker will use specialized tools to guess the user's password based on common patterns and known information about the user. This can include personal information such as the user's name, birthdate, or other common words or phrases.
For example: Imagine you're an online shopper, looking for the best deals on the latest gadgets. You've been careful to use unique, strong passwords for all of your accounts, so you feel confident that your personal information is safe. But little do you know, your password has already been compromised. A hacker has obtained a list of username and password combinations from a data breach and is now using a credential-stuffing tool to try those combinations on various websites and online services. Suddenly, you start getting notifications from your bank and credit card company about suspicious activity on your accounts. You quickly realize that the hacker has found a match and is now using your account to make purchases and drain your funds.
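What distinguishes credential stuffing from a single user mistyping a password is the shape of the login log: one source trying many different accounts in a short window, sometimes followed by a success on one of them. The following is an added detection example (not code from the original post) that parses constructed authentication log lines, slides a five-minute window over each source IP, and raises an alert when the failures span many distinct usernames, also listing which accounts logged in successfully from that source, since those are the likely "matches". The log format, the thresholds and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_FAILS = 5                   # assumed: failures needed inside the window
MIN_DISTINCT_USERS = 4          # assumed: many accounts from one source = stuffing

# Constructed sample log: one source cycles through six accounts and lands a
# hit on "frank"; a second source is a real user retyping their password.
SAMPLE_LOG = [
    "2023-01-09T10:00:00Z ip=203.0.113.7 user=alice result=FAIL",
    "2023-01-09T10:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2023-01-09T10:00:04Z ip=203.0.113.7 user=carol result=FAIL",
    "2023-01-09T10:00:06Z ip=203.0.113.7 user=dave result=FAIL",
    "2023-01-09T10:00:08Z ip=203.0.113.7 user=erin result=FAIL",
    "2023-01-09T10:00:10Z ip=203.0.113.7 user=frank result=OK",
    "2023-01-09T10:01:00Z ip=198.51.100.5 user=grace result=FAIL",
    "2023-01-09T10:01:20Z ip=198.51.100.5 user=grace result=FAIL",
    "2023-01-09T10:01:45Z ip=198.51.100.5 user=grace result=OK",
    "this line is malformed and must be skipped, not crash the parser",
]


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_credential_stuffing(lines):
    """One alert per source IP whose failures inside WINDOW cover many accounts."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        best = None          # last window that met the criteria (widest view)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            fails = [e for e in window if e["result"] == "FAIL"]
            users = {e["user"] for e in fails}
            if len(fails) >= MIN_FAILS and len(users) >= MIN_DISTINCT_USERS:
                best = window
        if best is not None:
            alerts.append({
                "ip": ip,
                "failures": sum(1 for e in best if e["result"] == "FAIL"),
                "distinct_users": len({e["user"] for e in best if e["result"] == "FAIL"}),
                # accounts that authenticated from the suspicious source
                "successes": sorted({e["user"] for e in best if e["result"] == "OK"}),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

The per-source rule is deliberately separate from a per-account lockout: locking accounts after a few failures would let a stuffing run lock out legitimate users, whereas flagging the source and forcing step-up verification for the accounts in "successes" addresses the actual risk.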
Broken user authentication can have serious consequences for both individuals and organizations. Some potential impacts include:
There are several steps that individuals and organizations can take to prevent broken user authentication:
By implementing these measures, individuals and organizations can significantly reduce the risk of broken user authentication vulnerabilities and protect against the negative consequences of successful attacks. We will share some ways to test for broken user authentication in our upcoming blogs. Stay tuned!