What is an Authentication Hacking attack?
Authentication plays a critical role in the security of web applications. When a user provides his login name and password to authenticate and prove his identity, the application assigns the user specific privileges to the system, based on the identity established by the supplied credentials.
HTTP can carry several different types of authentication protocols. These include:
* Basic - Cleartext username/password, Base64-encoded (trivially decoded)
* Digest - Like Basic, but the password itself is not sent; a hash derived from it is sent instead
* Form-based - A custom form is used to input username/password (or other credentials) and is processed using custom logic on the backend.
* NTLM - Microsoft's proprietary authentication protocol, implemented within HTTP request/response headers.
* Negotiate - A new protocol from Microsoft that allows any type of authentication specified above to be dynamically agreed upon by the client and server. Also adds Kerberos for clients using Microsoft's IE v5+.
* Client-side Certificates - Although rarely used, SSL/TLS provides an option that checks the authenticity of a digital certificate presented by the Web client, essentially making it an authentication token.
These authentication protocols operate directly over HTTP (or SSL/TLS), with credentials embedded in the request/response traffic.
This kind of attack does not exploit a security hole in the operating system or server software. Its success depends on how complex the passwords are, how securely they are stored, and how easily the attacker can reach the server (network security).
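To make the difference between the Basic and Digest entries above concrete, here is an added example (not code from the original page) that parses an Authorization header the way a defender reviewing proxy logs or a scanner would, and reports what an observer on the network would learn from it. The header values are constructed for the example; the `assess_authorization` helper and its `over_tls` flag are this example's own names.

```python
import base64
import binascii
import re

# Constructed sample Authorization header values; not captured from any real system.
BASIC_HEADER = "Basic YWxpY2U6cyNjcjN0"          # Base64 of "alice:s#cr3t"
DIGEST_HEADER = ('Digest username="alice", realm="example.test", '
                 'nonce="c0ns7ruc73d-n0nc3", uri="/account", '
                 'response="0123456789abcdef0123456789abcdef"')

# key=value pairs of a Digest credential; values may be quoted or bare.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def decode_basic(value):
    """Return (username, password) from a Basic credential, or None if malformed.

    RFC 7617 defines the credential as Base64 of 'user-id:password'. Only the
    first ':' separates the two, so a password may itself contain ':'.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None
    return user, password


def parse_digest(value):
    """Parse the comma-separated parameters of a Digest credential into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(value)}


def assess_authorization(header, over_tls):
    """Classify what a network observer learns from one Authorization header.

    over_tls: whether the request travelled inside SSL/TLS. If it did not, the
    whole header is readable by anyone on the path.
    """
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    result = {"scheme": scheme, "username": None, "password_recoverable": False}
    if scheme == "basic":
        creds = decode_basic(value)
        if creds is None:
            result["finding"] = "malformed Basic credential"
            return result
        result["username"] = creds[0]
        # The password is present verbatim; only the transport can hide it.
        result["password_recoverable"] = not over_tls
        result["finding"] = ("Basic over cleartext HTTP: password readable on the wire"
                             if not over_tls
                             else "Basic inside TLS: password hidden from the network")
    elif scheme == "digest":
        params = parse_digest(value)
        result["username"] = params.get("username")
        # Only a hash computed from the password and the nonce is sent, so the
        # password is not readable directly; the username still is.
        result["finding"] = "Digest: username visible, password not sent directly"
    else:
        result["finding"] = "scheme not assessed by this example"
    return result
```

Run `assess_authorization(BASIC_HEADER, over_tls=False)` to see the Basic credential decoded to its cleartext username and password; the same header with `over_tls=True` is reported as hidden from the network, which is why Basic is acceptable only inside TLS.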
What an attacker can do if your site is vulnerable
When the attacker breaks into the system by proving to the application that he is a known and valid user, the attacker gains access to whatever privileges the administrator assigned that user.
This means that if the attacker manages to enter as a normal user, he might have limited access to only view some important information. On the other hand, if he manages to enter as an administrative user with global access on the system, he would have almost total control on the application together with its content (with the limitations of the web application in itself).
The attacker tools
Generally an attacker first tries to gain access to the prompt/login screen where the application would request a login and password. The next step would be to enter a correct match of login and password that the application would recognise as correct and which has high privileges in the system.
Although this is not the best method, he can also brute-force these passwords, because HTML login forms are easy to brute-force.
How to test any pages that require authentication
To test the strength of your authentication mechanisms, use an authentication tester. A Web Vulnerability Scanner includes an authentication tester, and you will be able to configure it to automatically test all your pages that require authentication.
Preventing Authentication Hacking attacks
To verify whether an attack phase has succeeded or not, automated tools assess the returned error codes and page information from the host web server. A secure practice is to force any error or unexpected request to generate an HTTP 200 OK response instead of the various 4xx error codes. This makes it more difficult for the attacker to distinguish between valid and invalid login attempts.
An important measure in stopping automated brute-force authentication attacks is to add random content (a CAPTCHA) to the page presented to the authenticating client browser. The client must be capable of successfully submitting this random content as part of the authentication process to proceed further into the web site or application. The best way to do this is to present the random phrase as a GIF, JPG or PNG image, using random fonts or colours each time. This can make it almost impossible for an automated process to succeed. See screenshot below for an example.
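The following is an added example (not code from the original page) showing the 'before' and 'after' of the uniform-response advice above: a leaky login handler that answers 404 for an unknown user and 401 for a wrong password, beside a hardened one that returns 200 OK with one identical body for every failure. The hardened version also hashes a dummy record for unknown users and compares in constant time, so response timing does not leak what the status code no longer does. The user store, the `login_leaky`/`login_uniform` names and the `failures_distinguishable` check are this example's own constructions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store (username -> (salt, PBKDF2 hash)); not real accounts.
_ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery", _ALICE_SALT))}

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(os.urandom(16).hex(), _DUMMY_SALT)

FAILURE_BODY = "Login failed. Check your username and password."


def login_leaky(username, password):
    """'Before' handler: status code and body differ by failure cause, so an
    automated tool can tell 'user exists' from 'user does not exist'."""
    record = USERS.get(username)
    if record is None:
        return 404, "no such user"
    salt, stored = record
    if _hash(password, salt) != stored:
        return 401, "wrong password"
    return 200, "welcome"


def login_uniform(username, password):
    """'After' handler: every failure is 200 OK with one identical body, the
    comparison is constant-time, and the hash is computed even for unknown users."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return 200, "welcome"      # a real application would also issue a session cookie here
    return 200, FAILURE_BODY


def failures_distinguishable(handler):
    """Defender's check: does the handler answer 'unknown user' and 'wrong
    password' differently? True means an observer could tell the two apart."""
    unknown_user = handler("nobody", "x")
    wrong_password = handler("alice", "x")
    return unknown_user != wrong_password
```

`failures_distinguishable(login_leaky)` is True and `failures_distinguishable(login_uniform)` is False; the same check can be run against a real endpoint by comparing its status code, body and headers for the two failure cases.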
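The image rendering is the visible part of a CAPTCHA, but the server-side bookkeeping is what decides whether it actually stops an automated process. The following added example (not code from the original page) shows that side: each challenge is stored only as a hash of its answer with an expiry, and is consumed on the first verification attempt so it can be neither replayed nor guessed at repeatedly. The `CaptchaStore` class is this example's own construction, and the image renderer it hands the phrase to (called `render_png` in the comment) is hypothetical and not implemented here.

```python
import hashlib
import hmac
import secrets
import time

# Ambiguous glyphs (0/O, 1/I/L) are left out so a human can read the rendered image.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    """Server-side record of issued challenges: hashed answer, expiry, single use."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._pending = {}         # challenge_id -> (answer_hash, expires_at)

    @staticmethod
    def _digest(phrase):
        # Normalise case and whitespace before hashing so "abc123 " matches "ABC123".
        return hashlib.sha256(phrase.strip().upper().encode("utf-8")).digest()

    def issue(self, length=6):
        """Create a challenge. The phrase is returned only so the caller can hand it
        to an image renderer (e.g. a hypothetical render_png(phrase)); it must never
        reach the client as text, a hidden form field or a cookie."""
        phrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (self._digest(phrase), self._clock() + self._ttl)
        return challenge_id, phrase

    def verify(self, challenge_id, submitted):
        """True only for a correct answer to a live challenge. The challenge is
        removed on every attempt, right or wrong, so one challenge cannot be
        guessed at repeatedly or replayed after a successful login."""
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False
        answer_hash, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(self._digest(submitted), answer_hash)

    def purge_expired(self):
        """Drop challenges that were issued but never answered; returns how many."""
        now = self._clock()
        stale = [cid for cid, (_, expires_at) in self._pending.items() if expires_at < now]
        for cid in stale:
            del self._pending[cid]
        return len(stale)

    def pending_count(self):
        return len(self._pending)
```

In a login flow the form carries only the challenge id (for example in a hidden field) together with the user's transcription; the handler calls `verify` before it touches the password check, and a failed CAPTCHA is answered with the same generic response as any other failed login.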