Why User’s Access is Prone to Attack?
An application’s mechanism for handling user access only as strong as the weakest of these components.
Have you ever wondered about the above statement and why user access is considered as the weakest component, well if you haven’t wondered about this than then there is no problem but you must be aware of some important concepts of user’s access?
The defense mechanism employed by web applications consist of the following points :
- Handling user’s access to the data and functionality of Application and prevent them from getting unauthorized access.
- Handling user’s input in such a way that it doesn’t cause any harm.
- Handling attackers to ensure that applications behave appropriately when being attacked, taking suitable defensive and offensive measures to frustrate the attacker.
- Reporting any kind of malicious activity to administrators.
Here the most important is the first one Handling user’s access because an application has to deal with several categories of users such as anonymous users, authenticated users, and administrative users, and these users are further categorized according to their roles in a particular application. Furthermore, in many situations, different users are permitted to access a different set of data such as a webmail user is only able to read their own mail’s but not of others.
Most web applications handle user’s access with a trio of interrelated security mechanism :
- Session Management
- Access Control
Authentication is a way through which we prove Who we claim to be. It is logically the most basic dependency in an application user’s handling. The importance of authentication can be clear from a point that without authentication everyone is treated as anonymous which is The lowest possible level of trust. It is also termed as authn. The majority of today’s web applications employ the conventional authentication system in which we have to submit a username or our mail id and password, Which the application checks for validity but nowadays some applications are using extra challenges for login such as OTP or it uses smart cards and various other factors. In addition to this login facility authentication also employs a range of features like registration, account recovery and password change functionality.
Common Vulnerabilities :
- Weak credentials: They can be easily guessed by an attacker and leads to account takeover.
- Brute-Forcible login: Due to no rate limit flaw brute-forcing username and password is possible.
- Verbose failure message: Sometimes error message displays extra information which indirectly favors the attacker.
It is obvious to see that high-privileged accounts are created using the predictable usernames and passwords like admin and admin respectively, which is not a big task for any skilled hacker to enter and get access.
- Use strong credentials.
- Handle credentials Secretively.
- Validate credentials properly.
- Use captcha.
Session management is the mechanism through which an application uniquely identifies a given user across a number of a different HTTP request and handle the data that it contains about the state of user’s interaction with the application. In simple words, we can say that when a user successfully logged in an application, he accesses various pages and functions by making a series of requests from his browser. At the same time the application receives other countless requests from different user’s some of whom are authenticated while some are anonymous, here comes the role of the session which identifies and process the series of requests that originate from individual user’s.
The session itself is a set of data structures held on the server that tracks each unique user interaction with the application. The token is a unique string that is mapped to the session by the application.
- Weakness in Session Token Generation: Tokens are predictable due to weakness in session Token Generation.
- Weakness in Session Token Handling: Sometimes token are exposed in the URL or logs which can be accessed by the attacker.
Sometimes the session token generated is so obvious that the attacker is able to predict other user’s session token.
Securing Session Management:
- Generate strong tokens
- Protect tokens throughout their life cycle
Access control is the final step in handling user’s and also the important step as it has to make and enforce decisions about whether each individual request should be permitted or denied this mechanism is totally dependent on the previous mechanisms because if the applications know the correct identity of the user who issued the request then an application can simply decide whether it is a genuine access request or a fake one. An application might support numerous user roles, each of which involves different privileges. Individual users may be permitted to access a subset of the total data held within the application. That’s why it is always suggested to provide the least privilege to a user to do his job.
- Vertical privilege escalation: When users with lower privileges able to access resources of higher privilege users.
- Horizontal privilege escalation: When user access resources of another user who have the same privileges as that of the attacker.
- Business logic exploitation: When due to some flaw in the application an attacker is able to access key resources of the application.
Suppose there is a UID parameter in request than due to weak access control if an attacker tries to fill anonymous id’s he gets access as a different user like entering 124 in place of 123
Securing Access Control:
- Deny access to functionality by default.
- Do not just hide functions.
- Implement a multilayered privilege model.
How They Are Interdependent?
Now, as we know that this trio is highly interdependent, and a weakness in any one of them will undermine the effectiveness of the complete access handling mechanism.
For example, a defective authentication mechanism may enable an attacker to log in as any user and gain unauthorized access. If session tokens can be predicted, an attacker may be able to masquerade as any logged-in user and gain access to their data. If access controls are broken, then any user may be able to directly use functionality that is supposed to be protected.
The major problem is that it is difficult to differentiate between a legitimate user and attacker during access control as both of them send same requests but the difference is that attacker always try to give information of victim user to get access due to all these aspects’ user’s access is more prone to attack.