Insecure Authentication

Authentication defines the processes required to authenticate an identity or data. Insecure authentication includes all vulnerabilities that occur due to incomplete or incorrect use of these processes.

Note: Authentication and Authorization often need clarification. Authorization involves the processes related to the privilege after the verification process. Authentication deals with verifying who you are, while authorization deals with verifying what you can do.

Incorrect or incomplete authentication mechanism configurations allow cyber attackers to act as legitimate users. This allows an attacker to expand their privilege by accessing areas they wouldn't normally reach and see data they shouldn't. In addition, the ability of an attacker to act like any real user may endanger the data or workflows within the application and other relevant users.

All verification bypass vulnerabilities within applications, using verification methods only on the client-side, simple/predictable credentials, long-term valid verification tokens, use of predictable captcha, use of session codes in URLs can be given as examples of these vulnerabilities.

In addition, some vulnerabilities that cannot be detected over the Internet, such as not storing the data used for authentication correctly on the databases, keeping the critical data used in authentication as clear text in the logs, are also included in this category.

In the circumstances that any vulnerability is detected in the Insecure Authentication category, the following topics should be taken into consideration (precedence of the case might change to vulnerability state and application's specifications).

• After the vulnerability is detected, it should be determined whether cyber attackers triggered the vulnerability by examining the logs historically.
• If there are accounts that are affected by the vulnerability, actions that will secure these accounts (notification, password change, disabling account, etc.) should be performed.
• Situations that require updating within the application should be put into production after testing.
• Using 2-Factor-Authentication reduces risks in most cases.

Common Weakness Enumeration (CWE) Regarding Insecure Authentication

In the world of software and computer systems, there are common mistakes or weak spots that developers might accidentally introduce. These mistakes can make the software or system vulnerable to attacks or failures.

Common Weakness Enumeration (CWE)  is a big list of all these common mistakes, so that developers could check against it and avoid making the same errors.

CWE-836: Use of Password Hash Instead of Password for Authentication

This vulnerability occurs when a system or application stores and uses password hashes for authentication instead of the actual passwords. Storing and using password hashes provides an added layer of security as it makes it difficult for attackers to retrieve the original passwords. It is considered a best practice to use password hashes for authentication purposes to protect user credentials.

CWE-603: Use of Client-Side Authentication

Client-Side Authentication is a vulnerability that arises when an application relies on the client, such as your web browser or a mobile app, to perform the authentication process. This is akin to handing over the keys to your house to someone else and trusting them not to enter without your permission. If exploited, an attacker can bypass the authentication process and gain unauthorized access to sensitive data or functionalities. To prevent this, it's recommended to perform authentication on the server-side, where it's under the control of the application's owner. This principle is part of secure software development and is essential to maintaining a robust defense against cyber threats.

CWE-804: Guessable CAPTCHA

Guessable CAPTCHA is a vulnerability that occurs when the CAPTCHA test, which is designed to differentiate human users from automated systems, is too easy to figure out. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and it's commonly used to strengthen security by preventing automated attacks like spamming or credential stuffing. However, if the CAPTCHA is too simple, automated systems or even human attackers may be able to guess it, bypassing this security measure. To mitigate this risk, it's recommended to utilize complex, dynamic CAPTCHA tests that are more challenging for automated systems to solve. This contributes to secure software development and enhances the overall cybersecurity of the system.

CWE-307: Improper Restriction of Excessive Authentication Attempts

The CWE-307, or Improper Restriction of Excessive Authentication Attempts, represents a weakness in a system's design where it does not adequately limit the number of failed login attempts. Essentially, this means a system allows too many incorrect guesses for things like passwords, giving cyber attackers the opportunity to 'brute force' their way in by trying numerous combinations until they get it right. To safeguard against this vulnerability, it's essential to implement measures such as account lockouts or delays after a certain number of failed attempts. These steps deter automated attacks and significantly enhance the overall cyber security of a system.

CWE-308: Use of Single-factor Authentication

CWE-308, or Use of Single-factor Authentication, is a common security flaw in software systems. In layman's terms, it's like using just one lock on your front door when you could use two or three. This system relies on only one method of confirming a user's identity, for instance, a simple password. This might seem adequate, but it leaves the system vulnerable to cyber attacks. If this one 'lock' is broken - say, if a hacker guesses your password - they gain unhindered access to the system. To combat this, it is recommended to use multi-factor authentication which involves two or more methods of verifying a user's identity. This might include something you know (like a password), something you have (like a mobile phone to receive a verification code), and something you are (like a fingerprint or other biometric method). This layered approach significantly strengthens the system's defenses, making it much harder for an attacker to break in.

CWE-307: Improper Restriction of Excessive Authentication Attempts

CWE-307, known as Improper Restriction of Excessive Authentication Attempts, refers to a security flaw where a system or application does not adequately limit the number of times a user can attempt to authenticate. In simpler terms, it's like allowing an unlimited number of tries to unlock a door, without ever changing the lock or calling the police. This makes it easier for cyber attackers to keep guessing the right keys – passwords in our context – until they eventually succeed. To mitigate this risk in secure software development, it's crucial to introduce a limit on the number of failed login attempts. After reaching this limit, the account could be temporarily locked or a security alert could be triggered. This adds an important layer of defense and helps maintain a robust cyber security posture.

CWE-305: Authentication Bypass by Primary Weakness

CWE-305, also known as Authentication Bypass by Primary Weakness, is a security flaw that occurs when an attacker finds a way to slip past the authentication procedures of a system. Simply put, it's like finding an unlocked backdoor into a secured house, bypassing the need for a key entirely. This vulnerability allows cyber attackers to gain unauthorized access without knowing the proper credentials (like a username and password), making it a serious concern in the realm of cyber security. To prevent this in secure software development, it's vital to ensure that all access points to a system are secured and regularly audited for potential weaknesses. This includes thorough testing and code reviews to identify and fix any security loopholes that might allow an attacker to bypass authentication.

CWE-301: Reflection Attack in an Authentication Protocol

CWE-301, also referred to as a "Reflection Attack in an Authentication Protocol," is a type of security vulnerability where an attacker tricks a system into authenticating itself. Imagine this scenario: someone knocks on your door, claiming to be a police officer. You ask for identification, and they show you your own ID that they had somehow stolen. You've just fallen victim to a 'reflection attack'. Similarly, in a reflection attack, a cyber attacker mimics the system's credentials back to it, tricking the system into thinking it's communicating with a legitimate user. This can lead to unauthorized access and potential data breaches. To prevent such attacks in software development, it's crucial to ensure robust and secure authentication protocols. These protocols should be designed to effectively verify the identities of all users and systems before granting access, thereby minimizing the risk of reflection attacks and enhancing the overall cyber security posture.

CWE-303: Incorrect Implementation of Authentication Algorithm

CWE-303, known as "Incorrect Implementation of Authentication Algorithm," refers to a situation where the authentication algorithm in a software system is not implemented correctly. This can be likened to having a complex lock on your front door, but accidentally leaving a spare key under the doormat. Even though you have a robust lock (the authentication algorithm), a mishandling in its implementation (the spare key under the doormat) can open the door for cyber attackers to gain unauthorized access. These vulnerabilities could potentially lead to data breaches or system compromises. To avoid this, it's crucial to follow best practices in secure software development, including implementing authentication algorithms accurately and securely. This includes thorough testing and regular audits to ensure the correctness of algorithm implementation and the overall security of the system.

CWE-294: Authentication Bypass by Capture-replay

CWE-294, also known as "Authentication Bypass by Capture-replay," refers to a situation where an attacker can intercept and replay communication between two parties to gain unauthorized access. A simple analogy would be someone eavesdropping on your conversation and using the information gained to impersonate you. In software terms, the attacker captures a legitimate user's authentication details and replays them to trick the system. This security vulnerability can result in unauthorized access and potential data breaches. To avoid this, it's crucial to enforce secure communication protocols, use encryption, and regularly monitor system activities. These steps ensure that even if an attacker manages to capture the data, they won't be able to replay it effectively, maintaining the security of the system.

CWE-290: Authentication Bypass by Spoofing

CWE-290, also known as "Authentication Bypass by Spoofing," is another significant cyber security concern. Imagine someone pretending to be you, using your credentials to gain unauthorized access to your accounts. That's what spoofing is in the digital world. In terms of software, an attacker mimics a legitimate user to bypass the authentication process, gaining unauthorized access to the system. This breach can lead to significant data leaks and system compromises. Precautions against this include strong password policies, two-factor authentication, and continuous monitoring of system activities. These measures help ensure that even if an attacker tries to impersonate a legitimate user, the systems are in place to detect and prevent such unauthorized access.

CWE-289: Authentication Bypass by Alternate Name

CWE-289, or "Authentication Bypass by Alternate Name," refers to a cyber security vulnerability where attackers use different user names, or aliases, that a software system mistakenly recognizes as legitimate user. Think of it as someone using a phony ID to enter a restricted building; they're not who they say they are, but they still get in because the security guard failed to verify their identity correctly. In the digital realm, an attacker takes advantage of a flaw in the system's validation process, using an alternate name to bypass security checks and gain unauthorized access. This can lead to unauthorized data manipulation or theft. Preventative measures include:

• Meticulous user validation processes.
• Limiting the number of usernames associated with a single account.
• Employing robust monitoring to detect any suspicious activities.

These practices ensure the system remains secure and sensitive information protected. 

The Top 12 Insecure Authentication Vulnerability Scanning Tools  

The Top 12 insecure authentication vulnerability scanning tools that is used by our members:

• Pentaho <= 9.1 Spring API Authentication Bypass CVE-2021-31602 Scanner
• Jetty Authorization Bypass Vulnerability CVE-2021-34429 Scanner
• Zabbix Authentication Bypass Vulnerability CVE-2019-17382 Scanner
• Artifactory Access-Admin Login Bypass CVE-2019-9733 Scanner
• Nacos prior to 1.4.1 Authentication Bypass CVE-2021-29441 Scanner
• Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128) Scanner
• JBoss JMX - Console Beanshell Deployer Vulnerability (CVE-2010-0738) Scanner
• IPMI 2.0 Cipher Zero Authentication Bypass Scanner
• Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass CVE-2021-3297 Scanner
• ASUS GT-AC2900 - Authentication Bypass Vulnerability CVE-2021-32030 Scanner
• D-Link DIR-600M - Authentication Bypass Vulnerability CVE-2019-13101 Scanner
• HPE Edgeline Infrastructure Manager v1.21 Authentication Bypass CVE-2021-29203 Scanner