This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Bypassing Authentication Schema (OTG-AUTHN-004)"

From OWASP
Jump to: navigation, search
(Description of the Issue)
(Bypassing authentication schema methods)
Line 31: Line 31:
  
 
[[Image:basm-directreq.jpg]]
 
[[Image:basm-directreq.jpg]]
 +
 +
The request of authentication
  
 
In alcuni casi la richiesta di autenticazione della web application avviene solamente quando si cerca di accedere alla home page, mentre se si accedede  a qualche risorsa richiamandola  direttamente si puo' bypassare lo schem di autenticazione
 
In alcuni casi la richiesta di autenticazione della web application avviene solamente quando si cerca di accedere alla home page, mentre se si accedede  a qualche risorsa richiamandola  direttamente si puo' bypassare lo schem di autenticazione
Line 42: Line 44:
 
For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.
 
For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.
  
'''Session Issue'''
+
'''Session Issues'''
 
* Session ID Prediction
 
* Session ID Prediction
 +
 +
[[Image:basm-sessid.jpg]]
 +
 +
[[Image:basm-sessid2.jpg]]
 +
 
* Session Fixation
 
* Session Fixation
 
+
 
 
'''Sql Injection (HTML Form Authentication)'''
 
'''Sql Injection (HTML Form Authentication)'''
  

Revision as of 14:23, 11 November 2006

OWASP Testing Guide v2 Table of Contents

Brief Summary


While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.

Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.

In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.

Description of the Issue


Problems related to Authentication Schema could be found at different stages of software development life cycle (SDLC), like design, development and deployment phase.

Examples of design errors include a wrong definition of application parts to be protected, the choice of not applying strong encryption protocols for securing authentication data exchange, and many more.

Problems in development phase are for example the incorrect implementation of input validation functionalities, or not following the security best practices for the specific language.

In addition there are issues during application setup (Installation and configuration activities) due to a lack in required technical skills, or due to poor documentation available.


Black Box testing and example

There are several methods to bypass the authentication schema in use by a web application:

  • Direct page request
  • Parameter Modification
  • Session ID Prediction
  • Session Fixation
  • Sql Injection


Bypassing authentication schema methods

Direct page request

Basm-directreq.jpg

The request of authentication

In alcuni casi la richiesta di autenticazione della web application avviene solamente quando si cerca di accedere alla home page, mentre se si accedede a qualche risorsa richiamandola direttamente si puo' bypassare lo schem di autenticazione

Parameter Modification

Basm-parammod.jpg

In alcuni casi l'autenticazione si basa sul valore con cui sono impostati alcuni parametri quindi e' sufficiente modificarli per bypassare lo schema di autenticazione

For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.

Session Issues

  • Session ID Prediction

Basm-sessid.jpg

Basm-sessid2.jpg

  • Session Fixation

Sql Injection (HTML Form Authentication)


Basm-sqlinj.jpg

Basm-sqlinj2.gif


Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...


OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.