Threat Analysis

This video differentiates authorization and authentication and details how the authentication process works.
7.1
Welcome to the Broken Authentication session. In this first part, we will focus on threat analysis. We will take our time to dig into the details of authentication flaws. Then we will discuss how the system can be harmed, the impact of successful exploitation, and give you some insights to identify who may want to harm your system.
28.4
Let’s put things simply: in the web application context, authentication is the act of providing the user’s identity. Authentication and authorization are two different things. The former is used to prove identity, and the latter, access rights. Authentication in the web application context goes far beyond the login form. The signup, password recovery, and the process by which the server maintains the state of the entity interacting with it for session management are also authentication mechanisms. To identify the party interacting with the system, that party has to provide authentication factors. Authentication factors can be grouped into three main classes. Security research has determined that, for a positive authentication, elements from at least two, and preferably all three, classes should be verified.
83.1
Traditional web application forms use the weakest, single-factor authentication, requiring just a knowledge factor: the password. When passwords leak, this knowledge becomes shared knowledge, and it is no longer a secret. When you’re logging in, you’re saying, “I’m john.doe@somehost.com, and to prove that to you, take my password and check it against your records”. The server takes your email and password and searches the database for matching records. This is no different when someone else takes your email and password and performs the login on your behalf. Yes, it does, and in our exploitation session, we will chain several authentication flaws together to get admin access. Let’s first discuss attack vectors, impact, and threat agents.
130.9
A simple search for username and password combination lists will return millions of records resulting from authentication data leaks. Feeding this list into a software tool will be enough to compromise several web applications. There are plenty of free automated brute-force attack tools. It is just a matter of setting your target application and providing the username and password lists, or even just letting it compute all possible combinations. The most common authentication issues are well documented, and the information is generally available and easy to understand. Sometimes, your own application can be used against itself, abusing other issues, such as user enumeration, to help compromise authentication.
171.7
An attacker with access to a victim’s account might be able to lock the victim out by replacing their email or password. The attacker can also impersonate the victim and perform system transactions. Applications might not be able to distinguish between transactions initiated by the victim and those initiated by the attacker. Depending on the application domain, attackers with access to victims’ accounts might be able to perpetrate some kind of fraud. Attackers will always be able to gather the victim’s profile data. Asking for ransom is quite common nowadays. Unfortunately, you’re fighting virtually anyone and anything. There are fully automated networks of computers trying to exploit authentication in several web applications, just using credential stuffing attacks based on leaked authentication data.
219
It is fairly easy for a non-technical malicious actor to perpetrate a brute-force attack such as credential stuffing. Even just stealing user profile data will be rewarding, since this data will always be valuable to someone else. Sometimes, authentication flaws, such as default or weak passwords, are abused inside the organization as a way to escalate privileges. Access to sensitive information may have a huge business impact. You’ll find this table in the OWASP Top 10. Pause the video and take your time to carefully read it. In the next part, we will exploit several authentication flaws in order to access the application as admin.
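The transcript above describes two attack patterns against single-factor login forms: credential stuffing (leaked username and password pairs tried once each across many accounts) and plain brute force (one account, many password guesses). The following detector, added here as an example and not part of the course material, shows how the two patterns look different in a login audit log and how a defender can tell them apart per source address. The log format (`ts ip=... user=... result=ok|fail`), the sample lines and the thresholds are all constructed for illustration; real applications will need their own format and tuning.

```python
"""Classify login-audit traffic per source IP as credential stuffing, brute force or normal.

Added example, not from the FutureLearn course. The log format, thresholds and
the sample log below are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Thresholds are assumptions; tune them against the application's normal traffic.
MIN_ATTEMPTS = 5           # sources with fewer attempts are not judged at all
MIN_FAIL_RATIO = 0.8       # both attack patterns are dominated by failed logins
STUFFING_MIN_USERS = 5     # stuffing: many distinct accounts from one source
BRUTE_FORCE_MAX_USERS = 2  # brute force: one or two accounts, many attempts each


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)
    logged_in: set[str] = field(default_factory=set)  # accounts the source did get into


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(lines) -> dict[str, SourceStats]:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not allowed to crash the detector
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.logged_in.add(rec["user"])
    return dict(stats)


def classify(s: SourceStats) -> str:
    """Label one source's behaviour from its aggregate counters."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if s.failures / s.attempts < MIN_FAIL_RATIO:
        return "normal"
    if len(s.users) >= STUFFING_MIN_USERS:
        return "credential_stuffing"
    if len(s.users) <= BRUTE_FORCE_MAX_USERS:
        return "brute_force"
    return "suspicious"


def detect(lines) -> dict[str, dict]:
    """Return a verdict per abusive source; successes are the accounts to treat as compromised."""
    verdicts = {}
    for ip, s in collect(lines).items():
        label = classify(s)
        if label != "normal":
            verdicts[ip] = {
                "label": label,
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "successes": sorted(s.logged_in),
            }
    return verdicts


# Constructed sample log: one stuffing source (one try per account, one hit),
# one brute-force source (one account hammered), one ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=ok
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:00:11Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:00:12Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:00:13Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:00:14Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:00:15Z ip=198.51.100.9 user=admin result=fail
2024-05-01T10:01:00Z ip=192.0.2.33 user=grace result=fail
2024-05-01T10:01:05Z ip=192.0.2.33 user=grace result=ok
this line is deliberately malformed and must be skipped
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in detect(SAMPLE_LOG).items():
        print(ip, verdict)
```

The point of separating the two labels is that the response differs: a brute-forced account needs a lockout or step-up check on that one account, while a stuffing source needs blocking at the source and a forced credential reset for every account it succeeded against, because a single success there means the password was already public. Note that a per-account lockout alone does nothing against stuffing, since each account sees only one attempt.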

Authentication and authorization are different processes that protect your system, and they are used together for the strongest security. Authentication validates the identity of the user, while authorization grants permissions to the user. In this video you will learn about the differences between these processes, with a focus on how authentication works.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life