OWASP Top 10 part 7: Identification and Authentication Failures

21 October 2024 3 minutes Author: Lady Liberty

Identification and authentication errors are problems in the user’s identity verification processes that can allow unauthorized access.

1. Weak passwords and their storage

  • Description: Using weak or predictable passwords and storing them insecurely.

  • Example: Passwords without sufficient complexity or storing passwords in plain text format.

2. Insecure authentication

  • Description: Insufficient verification of user identity.

  • Example: Lack of two-factor authentication or use of unreliable authentication mechanisms.

3. Vulnerabilities in the login process

  • Description: Issues that allow attackers to bypass or compromise login mechanisms.

  • Example: Attacks on the login process, such as brute-forcing or attacks on password reset mechanisms.

Weak Passwords

Blue team

Set the minimum password length to 8 characters or more, and check every new password against lists of common weak passwords such as those in SecLists. Rather than the standard composition rules (uppercase and lowercase letters, digits, special characters), a better policy is to raise the minimum length to 12 characters without restricting composition, while still rejecting any password that appears on the common-password lists.
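The following is an added example (not code from the original article) showing the two blue-team controls together: a length-only policy of 12 characters with a common-password check that undoes the simple substitutions a cracking tool tries (so "P@ssw0rd1" is still caught), and salted, iterated hashing instead of plaintext storage. The common-password set is a small constructed stand-in for a SecLists file, and the leetspeak table and the 600,000 PBKDF2 iterations (the current OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256) are the example's own choices.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a SecLists-style common-password list. A real deployment
# would load the list from a file (assumption: one password per line).
COMMON_PASSWORDS = {
    "password", "password1", "p@ssword1", "123456", "qwerty", "letmein",
    "welcome1", "iloveyou", "admin123",
}

MIN_LENGTH = 12              # length-only policy, no composition rules
PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256

# Substitutions a cracking tool applies automatically; undoing them before the list
# check makes "P@ssw0rd1" match the list entry "password1".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a"})


def normalize(password: str) -> str:
    """Lower-case the password and undo common leetspeak substitutions."""
    return password.lower().translate(LEET)


# Normalise the list once so both sides of the comparison use the same form.
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in NORMALIZED_COMMON:
        problems.append("appears on the common-password list (after undoing leetspeak substitutions)")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, iterated hash rather than the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
```

The stored record carries its own algorithm name, iteration count and salt, so the cost can be raised later without invalidating existing accounts. Comparison uses `hmac.compare_digest` so that verification time does not leak how many bytes of the hash matched.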

Red team

Use modern brute-force tools that can perform simple password transformations, such as replacing letters with similar numbers or special characters (P@ssword1). Use lists of weak combinations from SecLists to select passwords. Tools such as Hydra or John the Ripper allow you to automate the process of selecting passwords from these lists, which significantly speeds up the attack.

Brute-force protection

Blue team

  • Specialized solutions: Use protection services against DDoS and brute-force attacks, such as Cloudflare, to protect against excessive requests to the system.

  • Request Limiters: Implement request limiters using frameworks such as Symfony, Laravel, or Yii2. This will limit the number of login attempts in a short period of time.

  • Captcha or secret question: After several failed login attempts, require the user to complete a captcha or answer a secret question. It is important that the question is not easy to guess.

  • Random Delay: Add a random delay (1-2 seconds) after a failed login attempt. This will greatly complicate a brute force attack without causing discomfort to legitimate users.
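As an added example (not part of the original article, and not taken from Symfony, Laravel or Yii2), the throttle below combines three of the controls above in one login gate: failures are counted per account and per source IP over a sliding window, a captcha is demanded after a few failures, further attempts are rejected outright after more, and every failure is followed by a random 1-2 second delay. The thresholds, the 5-minute window and the clock/sleep injection (which lets the logic be tested without real waiting) are the example's own assumptions.

```python
import random
import time
from collections import deque

WINDOW_SECONDS = 300      # sliding window over which failures are counted (assumed value)
CAPTCHA_AFTER = 3         # failures before a captcha is required (assumed value)
BLOCK_AFTER = 10          # failures before attempts are rejected outright (assumed value)
DELAY_RANGE = (1.0, 2.0)  # random delay after a failed attempt, in seconds


class LoginThrottle:
    """Counts failed logins per account and per source IP and decides what the next attempt may do."""

    def __init__(self, clock=time.monotonic, sleep=time.sleep, rng=random.uniform):
        self._clock, self._sleep, self._rng = clock, sleep, rng
        self._failures = {}  # key -> deque of failure timestamps

    def _recent(self, key):
        """Return the failure timestamps for key that still fall inside the window."""
        now = self._clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def decision(self, key) -> str:
        n = len(self._recent(key))
        if n >= BLOCK_AFTER:
            return "block"
        if n >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def attempt(self, username, ip, credentials_valid, captcha_solved=False) -> str:
        """Gate one login attempt. The caller passes the result of the credential check
        as credentials_valid; this method never reveals whether the account exists."""
        keys = (f"user:{username}", f"ip:{ip}")
        decisions = [self.decision(k) for k in keys]
        # Counting by both keys means spreading attempts over many IPs still trips the
        # account counter, and one IP trying many accounts still trips the IP counter.
        if "block" in decisions:
            return "blocked"
        if "captcha" in decisions and not captcha_solved:
            return "captcha_required"
        if credentials_valid:
            # Reset only the account's counter: a successful login into an attacker's own
            # account must not clear the counter for the IP they are attacking from.
            self._failures.pop(keys[0], None)
            return "ok"
        now = self._clock()
        for k in keys:
            self._recent(k).append(now)
        self._sleep(self._rng(*DELAY_RANGE))  # random delay slows automated guessing
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(4):
        print(throttle.attempt("bob", "203.0.113.7", credentials_valid=False))
    print(throttle.attempt("bob", "198.51.100.20", credentials_valid=True))
```

A single generic `failed` result for a wrong password and for an unknown account keeps the login endpoint from doubling as a username-enumeration oracle, and the limit decision is taken before the credential check so the response time does not depend on whether the account exists.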

Red team

Use tools like Hydra, Burp Suite Intruder, or OWASP ZAP to perform automated attacks on login pages. Check how efficiently the request limits are working and whether it is possible to bypass them by using different IP addresses or proxy servers.

Explore the options for automating the passage of captchas or involving external services to solve them, which can significantly simplify an attack on protected systems.

Brute-force Fun

Blue team

The ffuf.md documentation provides several examples of traversing paths and parameters using the ffuf tool that illustrate how an attacker can perform a brute force attack on a web application.

To protect against such attacks, use request limits, captchas, blocking access by IP addresses, and random delays between requests. This will help effectively prevent brute force attacks on your web application.
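The blue-team side of path and parameter fuzzing is mostly a detection problem: a fuzzing run shows up in the access log as one client producing a burst of requests, most of them 404s, often with an unusual User-Agent. The following is an added example (not from the article or the ffuf project) that parses combined-format access log lines and flags a source IP when it makes at least 6 requests within 60 seconds of which half or more are 404s. The log lines, thresholds and the `ffuf-agent` User-Agent (echoing the article's own example header) are constructed for the example; the User-Agent is reported only as supporting context, since a client can set it to anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client walking a wordlist, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2024:10:00:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:01 +0000] "GET /config HTTP/1.1" 404 153 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 2311 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "ffuf-agent"
203.0.113.7 - - [21/Oct/2024:10:00:03 +0000] "GET /tmp HTTP/1.1" 404 153 "-" "ffuf-agent"
198.51.100.20 - - [21/Oct/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Oct/2024:10:00:40 +0000] "GET /contact HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> dict:
    """Group (timestamp, status, user-agent) events by source IP, skipping unparsable lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events[m["ip"]].append((ts, int(m["status"]), m["ua"]))
    return events


def detect_fuzzing(text: str, window=60, min_requests=6, min_404_ratio=0.5) -> dict:
    """Return {ip: reason} for clients whose request burst looks like wordlist fuzzing."""
    alerts = {}
    for ip, evs in parse_log(text).items():
        evs.sort()
        recent = deque()  # events inside the sliding window
        for ts, status, ua in evs:
            recent.append((ts, status))
            while ts - recent[0][0] > window:
                recent.popleft()
            n = len(recent)
            n404 = sum(1 for _, s in recent if s == 404)
            if n >= min_requests and n404 / n >= min_404_ratio:
                alerts[ip] = f"{n} requests with {n404} 404s within {window}s (User-Agent: {ua})"
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for ip, reason in detect_fuzzing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {reason}")
```

An alert from this rule is what should drive the IP block or captcha step, rather than a fixed per-path rule, because a fuzzing run touches paths that do not exist and so never reaches application-level handlers.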

Red team

Using ffuf, a well-known tool for carrying out brute-force enumeration:

  • ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ

This iterates through candidate URLs or parameters to reveal hidden paths or vulnerabilities on the server. Using ffuf against various URLs with a custom User-Agent header to check whether the protection is a captcha:

  • ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -H "User-Agent: ffuf-agent"
