Authentication plays a critical role in the security of web applications. When a user provides his login name and password to authenticate and prove his identity, the application assigns the user specific privileges to the system, based on the identity established by the supplied credentials.
HTTP can embed several different types of authentication protocols. These include:
- Basic – Cleartext username/password, Base-64 encode (trivially decoded)
- Digest – Like Basic, but passwords are scrambled
- Form-based – A custom form is used to input username/password (or other credentials) and is processed using custom logic on the backend.
- NTLM – Microsoft’s proprietary authentication protocol, implemented within HTTP request/response headers.
- Negotiate – A new protocol from Microsoft that allows any type of authentication specified above to be dynamically agreed upon by the client and server. Also adds Kerberos for clients using Microsoft’s IE v5+.
- Client-side Certificates – Although rarely used, SSL/TLS provides an option that checks the authenticity of a digital certificate present by the Web client, essentially making it an authentication token.
- Microsoft Passport – A single-sign-in (SSI) service run by Microsoft Corporation that allows web sites (called “Passport Partners”) to authenticate users based on their membership in the Passport service. The mechanism uses a key shared between Microsoft and the Partner site to create a cookie that uniquely identifies the user.
These authentication protocols operate right over HTTP (or SSL/TSL), with credentials embedded right in the request/response traffic.
This kind of attack is not a technological security hole in the Operating System or server software. It depends rather on how securely stored and complex the passwords are and on how easy it is for the attacker to reach the server (network security).
What an Attacker can do if Your Site is Vulnerable
When the attacker breaks into the system by proving to the application that he is a known and valid user, the attacker gains access to whatever privileges the administrator assigned that user.
This means that if the attacker manages to enter as a normal user, he might have limited access to only view some important information. On the other hand, if he manages to enter as an administrative user with global access on the system, he would have almost total control on the application together with its content (with the limitations of the web application in itself).
The attacker’s tools
Generally an attacker first tries to gain access to the prompt/login screen where the application would request a login and password. The next step would be to enter a correct match of login and password that the application would recognise as correct and which has high privileges in the system.
Although not the best of attacks, password guessing can be one of the most effective techniques to defeat web authentication. This technique can be carried out either manually or via automated procedures.
Here are some common Username/Passwords used by attackers in authentication guessing attacks:
Username Guesses | Password Guesses |
---|---|
[NULL] | [NULL] |
root, administrator, admin | [NULL], root, administrator, admin, password, [company_name] |
operator, webmaster, backup | [NULL], operator, webmaster, backup |
guest, demo, test, trial | [NULL], guest, demo, test, trial |
member, private | member, private |
[company_name] | NULL], [company_name], password |
[known_username] | [NULL], [known_username] |
If password guessing achieves no result, the next step for an attacker is to try other password combinations using special custom tools, like WebCracker and Brutus, which are readily available on the internet.
These custom tools attempt to authenticate into the system using predefined lists of usernames and passwords, dictionary attacks and brute-force attacks. A dictionary attack uses pre-computed wordlists like dictionaries to try to authenticate on the web applications by trying thousands of combinations of these dictionary words as usernames and passwords.
A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message.
How to test any pages that require authentication
To test the strength of your authentication mechanisms, use an authentication tester. Acunetix Web Vulnerability Scanner includes an authentication tester, and you will be able to configure it to automatically test all your pages that require authentication.
Preventing Authentication Hacking attacks
To verify whether an attack phase has succeeded or not, automated tools assess the returned error codes and page information from the host web server. A secure practice is to force any error or unexpected request to generate a HTTP 200 OK response, instead of the numerous 400 type errors. This will make it more difficult for the attacker to distinguish between valid and invalid login attempts.
An important measure in stopping automated brute-force authentication attacks is by adding random content on the page presented to the authenticating client browser. The client must be capable of successfully submitting this random content as part of the authentication process to proceed further in the web site or application. The best way to do this is to present the random phrase in a graphic GIF, JPG or PNG format using random fonts or colours each time. This can make it almost impossible for an automated process to succeed. See screenshot below for an illustration.
Check if your website is vulnerable to attack with Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting, Authentication Hacking and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Download the evaluation version today!
Acunetix Web Vulnerability Scanner
Learn more about Acunetix Web Vulnerability Scanner and how the solution works with AJAX applications.Download or Register for a Free Trial of Acunetix.