Why User’s Access is Prone to Attack?
An application’s mechanism for handling user access is only as strong as the weakest of its components.
Have you ever wondered about the statement above, and why user access is considered the weakest component? If you haven’t, there is no problem, but you must be aware of some important concepts of user access.
The defense mechanisms employed by web applications cover the following points:
- Handling users’ access to the data and functionality of the application and preventing them from gaining unauthorized access.
- Handling users’ input in such a way that it doesn’t cause any harm.
- Handling attackers to ensure that applications behave appropriately when being attacked, taking suitable defensive and offensive measures to frustrate the attacker.
- Reporting any kind of malicious activity to administrators.
Here the most important is the first one, handling user access, because an application has to deal with several categories of users, such as anonymous users, authenticated users and administrative users, and these users are further categorized according to their roles in a particular application. Furthermore, in many situations different users are permitted to access different sets of data; for example, a webmail user is only able to read their own mail, not that of others.
Most web applications handle user access with a trio of interrelated security mechanisms:
- Authentication
- Session Management
- Access Control
Authentication is the means through which we prove who we claim to be. It is logically the most basic dependency in an application’s handling of users: without authentication, everyone is treated as anonymous, which is the lowest possible level of trust. It is also termed authn. The majority of today’s web applications employ the conventional authentication system, in which the user submits a username or e-mail address and a password, which the application checks for validity; nowadays some applications add extra challenges to login, such as an OTP, a smart card or various other factors. In addition to the login facility, authentication also covers a range of features like registration, account recovery and password change functionality.
Common Vulnerabilities:
- Weak credentials: they can easily be guessed by an attacker and lead to account takeover.
- Brute-forcible login: with no rate limit in place, brute-forcing usernames and passwords is possible.
- Verbose failure messages: sometimes an error message displays extra information that indirectly favors the attacker.
It is common to see high-privileged accounts created with predictable usernames and passwords such as admin and admin respectively, and it is no big task for any skilled hacker to log in with them and gain access.
Securing Authentication:
- Use strong credentials.
- Handle credentials secretively.
- Validate credentials properly.
- Use a captcha.
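As an added example (not code from the original article), here is a constructed Python login routine in two forms: a verbose one that reports which check failed and never throttles, and a hardened one that addresses the weaknesses listed above. The user store, salt, password and limits are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed user store for this example: one account, salted PBKDF2 hash.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}
# Dummy record so an unknown username costs the same time as a real one.
_DUMMY = (b"\x00" * 16, hash_password("dummy", b"\x00" * 16))

def login_verbose(username: str, password: str):
    """Insecure 'before' version: the failure message reveals which
    check failed, letting an attacker confirm valid usernames first."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Incorrect password"
    return True, "Welcome"

MAX_FAILURES = 5       # failures tolerated per (client_ip, username) ...
WINDOW_SECONDS = 300   # ... inside this sliding window
_failures = defaultdict(list)

def login_hardened(username: str, password: str, client_ip: str, now=None):
    """One generic failure message, constant-time comparison, and a
    failure counter that throttles brute forcing of a given account."""
    now = time.time() if now is None else now
    key = (client_ip, username)
    _failures[key] = [t for t in _failures[key] if now - t < WINDOW_SECONDS]
    if len(_failures[key]) >= MAX_FAILURES:
        return False, "Too many failed attempts; try again later"
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hash_password(password, salt)  # always computed (timing)
    if username not in USERS or not hmac.compare_digest(candidate, stored):
        _failures[key].append(now)
        return False, "Invalid username or password"
    _failures[key].clear()
    return True, "Welcome"
```

In a real deployment the failure counter would live in shared storage and be backed by a captcha or a lockout policy, not an in-process dictionary.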
Session management is the mechanism through which an application uniquely identifies a given user across a number of different HTTP requests and handles the data it holds about the state of the user’s interaction with the application. In simple words, once a user has successfully logged in to an application, he accesses various pages and functions by making a series of requests from his browser. At the same time the application receives countless other requests from different users, some of whom are authenticated while others are anonymous; here comes the role of the session, which identifies and processes the series of requests that originate from each individual user.
The session itself is a set of data structures held on the server that tracks each unique user interaction with the application. The token is a unique string that is mapped to the session by the application.
Common Vulnerabilities:
- Weakness in session token generation: tokens are predictable because they are generated weakly.
- Weakness in session token handling: sometimes tokens are exposed in the URL or in logs, where an attacker can access them.
Sometimes the generated session token is so obvious that an attacker is able to predict other users’ session tokens.
Securing Session Management:
- Generate strong tokens.
- Protect tokens throughout their life cycle.
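As an added example (not code from the original article), here is a constructed Python comparison of a weak session store, whose token is just an encoded username and counter, with a hardened one that draws the token from the OS CSPRNG, stores only its hash server-side, enforces expiry and rotates the token after login. The class names, TTL and counter seed are assumptions for the example.

```python
import base64
import hashlib
import secrets
import time

class WeakSessionStore:
    """'Before' version (constructed): base64 of username and a counter,
    so the token reveals its structure and the next value is guessable."""
    def __init__(self):
        self._counter = 1000
    def create(self, username: str) -> str:
        self._counter += 1
        return base64.b64encode(f"{username}:{self._counter}".encode()).decode()

def weak_token_contents(token: str) -> str:
    """Shows why the weak token is bad: anyone holding it can read it back."""
    return base64.b64decode(token).decode()

class StrongSessionStore:
    """Hardened version: 256-bit OS CSPRNG token, only its hash stored
    server-side, expiry enforced, and rotation after login."""
    def __init__(self, ttl_seconds: int = 1800):
        self._ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (username, expiry)
    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()
    def create(self, username: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes -> 43 URL-safe chars
        self._sessions[self._key(token)] = (username, now + self._ttl)
        return token
    def lookup(self, token: str, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None or now >= entry[1]:
            self.invalidate(token)  # expired sessions are purged on sight
            return None
        return entry[0]
    def invalidate(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)
    def rotate(self, token: str, now=None):
        # Re-issue the token after login or a privilege change.
        username = self.lookup(token, now)
        if username is None:
            return None
        self.invalidate(token)
        return self.create(username, now)
```

Storing only the hash means a leaked session table does not hand out usable tokens, and rotation after login means a token the browser held before authentication never becomes the authenticated session.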
Access control is the final step in handling users, and also an important one, as it has to make and enforce decisions about whether each individual request should be permitted or denied. This mechanism is totally dependent on the previous two, because only if the application knows the correct identity of the user who issued a request can it decide whether the access request is genuine or fake. An application might support numerous user roles, each of which involves different privileges, and individual users may be permitted to access only a subset of the total data held within the application. That is why it is always suggested to give a user the least privilege needed to do his job.
Common Vulnerabilities:
- Vertical privilege escalation: when users with lower privileges are able to access the resources of higher-privileged users.
- Horizontal privilege escalation: when a user accesses the resources of another user who has the same privileges as the attacker.
- Business logic exploitation: when, due to some flaw in the application, an attacker is able to access key resources of the application.
Suppose there is a UID parameter in the request. Due to weak access control, if an attacker substitutes another user’s ID, for example entering 124 in place of 123, he gets access as that other user.
Securing Access Control:
- Deny access to functionality by default.
- Do not just hide functions.
- Implement a multilayered privilege model.
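As an added example (not code from the original article), here is a constructed Python handler for the UID scenario above in two forms: the weak one trusts the uid parameter, the hardened one takes identity from the session, denies by default and consults an explicit role-to-permission table. The sample mailboxes, roles, session tokens and function names are assumptions for the example.

```python
# Constructed sample data: mailboxes keyed by user id, and each user's role.
MAILBOXES = {123: ["alice: hello"], 124: ["bob: private"]}
ROLES = {123: "user", 124: "user", 1: "admin"}
SESSIONS = {"tok-alice": 123, "tok-bob": 124, "tok-admin": 1}  # token -> uid

# Multilayered privilege model: a (resource, action) pair must be granted to
# the caller's role explicitly; anything not listed is denied by default.
PERMISSIONS = {
    "user": {("mailbox", "read_own")},
    "admin": {("mailbox", "read_own"), ("mailbox", "read_any"), ("users", "list")},
}

def is_allowed(role, resource: str, action: str) -> bool:
    return (resource, action) in PERMISSIONS.get(role, set())

def caller_uid(request: dict):
    """Identity comes only from the server-side session, never from a parameter."""
    return SESSIONS.get(request["cookies"].get("session"))

def read_mailbox_weak(request: dict):
    """'Before' version: trusts the client-supplied uid, so changing
    uid=123 to uid=124 reads another user's mail (horizontal escalation)."""
    return MAILBOXES.get(int(request["params"]["uid"]))

def read_mailbox_hardened(request: dict):
    """The uid parameter is honoured only if the caller owns it
    or holds the read_any privilege."""
    uid = caller_uid(request)
    if uid is None:
        return "denied"  # anonymous caller
    role = ROLES[uid]
    target = int(request["params"].get("uid", uid))
    if target == uid and is_allowed(role, "mailbox", "read_own"):
        return MAILBOXES.get(target)
    if is_allowed(role, "mailbox", "read_any"):
        return MAILBOXES.get(target)
    return "denied"

def list_users_hardened(request: dict):
    """Admin-only function: the check is enforced on every call, so
    hiding the URL is not what protects it (vertical escalation)."""
    role = ROLES.get(caller_uid(request))
    if not is_allowed(role, "users", "list"):
        return "denied"
    return sorted(ROLES)
```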
How Are They Interdependent?
As we now know, this trio is highly interdependent, and a weakness in any one of them undermines the effectiveness of the complete access-handling mechanism.
For example, a defective authentication mechanism may enable an attacker to log in as any user and gain unauthorized access. If session tokens can be predicted, an attacker may be able to masquerade as any logged-in user and gain access to their data. If access controls are broken, then any user may be able to directly use functionality that is supposed to be protected.
The major problem is that it is difficult to differentiate between a legitimate user and an attacker at the access control stage, as both of them send the same kind of requests; the difference is that the attacker supplies the victim user’s information in his own requests in order to get access. Because of all these aspects, user access is more prone to attack.