Watch for Authentication Bypass Vulnerabilities - Page 2
Obscuring restricted URLs
Some Web applications or devices maintain a list of URLs that are restricted and prompt the user for authentication credentials before allowing access to those URLs. The question that hackers ask is whether there are alternative URLs, not on the "restricted list", that point to the same restricted pages.
For example, imagine a restricted Web page:
or add some other character such as "?", "%" or "~"? In some cases these URLs are effectively equivalent, even though they look different. If the authentication mechanism checks only the original URL and not its variations, it can easily be bypassed.
SQL injection can be used to bypass authentication by fooling a login page into evaluating an expression that is always true instead of checking that a login name and password are valid.
So, for example, the authentication mechanism might involve an expression like:
(authorise a user) WHERE Password='$password'
Using a Web interface, when prompted for his password, a malicious user might enter:
ABC' or '1' = '1
resulting in the query:
(authorise a user) WHERE Password='ABC' OR '1' = '1'
The hacker has effectively injected a whole OR condition into the authentication process. Worse, the condition '1' = '1' is always true, so the WHERE clause is always satisfied and the authentication check is bypassed regardless of the password supplied.
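The following is an added example, not code from the original article: it builds the login query of the kind shown above both by string concatenation and with bound parameters, runs the article's injected password against each, and shows that only the concatenated version is bypassed. It assumes a constructed in-memory SQLite table named `users` with `Username` and `Password` columns (stored in plaintext only to keep the example short).

```python
import sqlite3

INJECTED_PASSWORD = "ABC' or '1' = '1"   # the input quoted in the article


def make_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The password value is spliced straight into the SQL text, so a quote
    # in the input closes the literal and the rest is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE Username='%s' AND Password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    return conn.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so quotes and keywords in the input stay data and never become syntax.
    query = "SELECT COUNT(*) FROM users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Return each login attempt's outcome so the two versions can be compared."""
    conn = make_db()
    results = {
        "vuln_real_password": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "param_real_password": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "alice", INJECTED_PASSWORD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(build_vulnerable_query("alice", INJECTED_PASSWORD))
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Because SQL's AND binds tighter than OR, the concatenated query becomes `(Username='alice' AND Password='ABC') OR '1' = '1'`, which is why the injected value succeeds without the real password.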
Preventing authentication bypass vulnerabilities
Authentication bypass vulnerabilities can have so many different root causes that it is impossible to give a comprehensive list of measures to take to prevent them. But steps you can take include:
- Use the Metasploit penetration testing framework http://www.metasploit.com/ to check for known authentication vulnerabilities in your IT infrastructure.
- If you are developing your own authentication code, be alert for possible buffer overflow errors or SQL injection vulnerabilities.
- Be aware of the sorts of vulnerabilities outlined in this article.
- As ever, ensure that your applications are patched and up to date, and your network hardware is running the latest firmware.