Implementation Flaws in Authentication
Even a well-designed authentication mechanism may be highly insecure due to mistakes made in its implementation. These mistakes may lead to information leakage, complete login bypassing, or a weakening of the overall security of the mechanism as designed. Implementation flaws tend to be more subtle and harder to detect than design defects such as poor quality passwords and brute forcibility. For this reason, they are often a fruitful target for attacks against the most security-critical applications, where numerous threat models and penetration tests are likely to have claimed any low-hanging fruit. The authors have identified each of the implementation flaws described here within the web applications deployed by large banks.
Fail-Open Login Mechanisms
Fail-open logic is a species of logic flaw and one that has particularly serious consequences in the context of authentication mechanisms.
The following is a fairly contrived example of a login mechanism that fails open. If the call to db.getUser() throws an exception for some reason (for example, a null pointer exception arising because the user’s request did not contain a username or password parameter), then the login will be successful. Although the resulting session may not be bound to a particular user identity, and so may not be fully functional, this may still enable an attacker to access some sensitive data or functionality.
public Response checkLogin(Session session) {
try {
String uname = session.getParameter(“username”);
String passwd = session.getParameter(“password”);
User user = db.getUser(uname, passwd);
if (user == null) {
// invalid credentials
session.setMessage(“Login failed.”);
return doLogin(session);
}
}
catch (Exception e) {}
// valid user
session.setMessage(“Login successful.”);
return doMainMenu(session);
}
In the field, one would not expect code like this to pass even the most cursory security review. However, the same conceptual flaw is much more likely to exist in more complex mechanisms in which numerous layered method invocations are made, in which many potential errors may arise and be handled in different places, and where the more complicated validation logic may involve maintaining significant state about the progress of the login.
NEXT is..Defects in Multistage Login Mechanisms.,,,,,,,,,,
