Watch for Authentication Bypass Vulnerabilities - Page 2

You wouldn't build a person-sized cat door into a bank vault, but when your Web app or management tool assumes perfect behavior from your users, you're setting yourself up for similar failure.

 By Paul Rubens

Obscuring restricted URLs

Some Web applications or devices maintain a list of restricted URLs and prompt the user for authentication credentials before allowing access to them. The question hackers ask is whether there are alternative URLs, not on the "restricted list", that point to the same restricted pages.

For example, imagine a restricted Web page:


What if a hacker were to append an extra "/" at the end of this URL:


or add some other character like "?" or "%" or "~"? In some cases these URLs are effectively equivalent, even though they look different. If the authentication mechanism only checks for the original URL and not for the variations, it can easily be bypassed.

SQL injection

SQL injection can be used to bypass authentication by fooling a login page into evaluating an expression that is always true instead of checking that a login name and password are valid.

So, for example, the authentication mechanism might involve an expression like:

(authorise a user) WHERE Password='$password'

Using a Web interface, when prompted for his password, a malicious user might enter:

ABC' or '1' = '1

resulting in the query:

(authorise a user) WHERE Password='ABC' OR '1' = '1'

The hacker has effectively injected a whole OR condition into the authentication process. Worse, the condition '1' = '1' is always true, so this SQL query will always result in the authentication process being bypassed.
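To make this concrete, here is an added Python example (not code from the article) that builds the login query both ways: once by splicing the submitted password straight into the SQL text, as the article describes, and once with bound parameters. It assumes a constructed in-memory SQLite table holding a single user.

```python
import sqlite3

# Constructed sample data for the demonstration: one user, one password.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The flawed pattern: the submitted value becomes part of the SQL text,
    # so a quote character in it changes the logic of the WHERE clause.
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE Username='{username}' AND Password='{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Hardened form: bound parameters keep the value as data, never as SQL,
    # so the same input is compared literally against the stored password.
    sql = "SELECT COUNT(*) FROM users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

PAYLOAD = "ABC' or '1' = '1"   # the input shown in the article

def demo():
    conn = make_db()
    return {
        # No such user exists, yet the injected OR makes the WHERE clause true.
        "vulnerable_bypassed": login_vulnerable(conn, "anyone", PAYLOAD),
        # Same input against the parameterised query: no row matches.
        "safe_bypassed": login_safe(conn, "anyone", PAYLOAD),
        # The parameterised query still accepts correct credentials.
        "safe_valid": login_safe(conn, "alice", "s3cret"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable query that actually runs is `... WHERE Username='anyone' AND Password='ABC' or '1' = '1'`, which SQL evaluates as (Username='anyone' AND Password='ABC') OR ('1' = '1'), true for every row.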

Preventing authentication bypass vulnerabilities

Authentication bypass vulnerabilities can have so many different root causes that it is impossible to give a comprehensive list of measures to take to prevent them. But steps you can take include:

  • Use the Metasploit penetration testing framework http://www.metasploit.com/ to check for known authentication vulnerabilities in your IT infrastructure.
  • If you are developing your own authentication code, be alert for possible buffer overflow errors or SQL injection vulnerabilities.
  • Be aware of the sorts of vulnerabilities outlined in this article.
  • As ever, ensure that your applications are patched and up to date, and your network hardware is running the latest firmware.

This article was originally published on Dec 9, 2010