SECURITY TESTING IN APPLICATION AUTHENTICATION

AN APPROACH TO IDENTIFYING VULNERABILITIES IN THE AUTHENTICATION OF A SOFTWARE APPLICATION.

Introduction

Testers come across many different web and mobile applications, and the work may be feature testing, automation testing or a blend of both. In the present scenario, where business transactions and data transfers are done over the internet, the confidentiality, integrity and availability of data are of utmost importance, so the application also needs to be tested for security threats. Security testing is a branch of software testing that ensures the proper and flawless working of an application. It focuses on elements of security such as confidentiality, authenticity, integrity, vulnerability and continuity. The main areas to consider for security testing are network security, system software security, client-side application security and server-side application security. A basic security test is to log out of the application, click the browser's back button and verify whether the user is logged in again. During the development of an Oracle business mobile and web application, we came across a couple of security issues, which we have highlighted in this document. The threats include data extraction during user login and unauthorized manipulation of the requests and responses of the application. Manipulation of unauthorized access permissions in Android can also lead to attacks such as BEAST and SWEET32. Each topic in this document describes the problem in detail, gives the steps to reproduce the issue and states the solution to be applied to avoid the vulnerability. This document refers to Burp Suite, apktool, Wireshark and Postman; these are some of the tools used in security testing scenarios, and one must possess strong knowledge of them.

Security Threats

1. An adversary obtains sensitive information by bypassing authentication.

Description

The adversary converts the failure response into a success response and tries to log into the application.

Steps to Reproduce

Step - 1

Log in to the application with an invalid password and track the response using the Burp Suite tool.

Step - 2

Intercept the traffic with Burp Suite. The failure error is visible in the response (viewable once you click the Forward button).

Step - 3

Replace the failure response with a success response.

Step - 4

The session is invalidated as the token expires, and the user is logged out of the application.

Solution

This security breach is possible because the application does not properly map the user to the corresponding access privilege on the server. The application should:
1. Implement server-side mapping of the user to the respective access privilege.
2. Implement strong session management.
3. Log the user out if parameters are tampered with at any time.

2. An adversary can access the application posing as a different user by parameter manipulation.

Description

In an insecure application, attackers can easily read or change the parameters exchanged between client and server. By changing one of the parameters, for example ‘username’, the adversary can access the application as a different user.

Steps to Reproduce

Step - 1

Log into the application using the credential ‘anooprv’.

Step - 2

Turn on intercept in Burp Suite and capture the request.

Step - 3

Send the captured request to Repeater and change the username parameter to ‘sushil jain’.

Step - 4

Click the ‘Go’ button and check whether a response is returned.


The server still returns a response after the ‘username’ parameter is changed within the same session, and the application logs in as the modified user.

Solution

1. Implement proper mapping of users to their respective roles.
2. Hide all sensitive information.
3. Implement session management.

3. An adversary can access the application posing as a different user by parameter manipulation (horizontal escalation).

Description

This vulnerability falls under privilege escalation, of which there are two types: vertical and horizontal. The exploit is possible when users are not properly mapped to their access privileges.

• Vertical privilege escalation occurs when an attacker gains higher privileges over resources that are protected at a specific level, for example, a user with normal privileges in an application gaining admin access.

• Horizontal privilege escalation occurs when an attacker keeps the same privileges he already possesses but takes on the identity of another user with the same set of privileges, for example, gaining access to another person’s online bank account.

Steps to Reproduce

Step - 1

Install Burp Suite on your machine and configure the browser in which you open the application to use its proxy.

Step - 2

Turn intercept on in Burp Suite and log into the application through the browser as any valid user. The login request is intercepted in Burp Suite.

Step - 3

Modify the username parameter from the logged-in user to any other valid user of the application and then switch intercept off. If the parameter is changed to a user at the same privilege level, this is a horizontal privilege escalation, which is what this example demonstrates.

Step - 4

The browser now shows the application as the modified user.


Solution

1. Implement server-side mapping of users to privileges, and restrict the resources of each privilege level to that level only.
2. Implement strong session management so that the user is forced to log out if any parameter manipulation or tampering occurs.
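The following is an added example (not code from the original document or the application it describes) of the server-side fix recommended for items 1 to 3: the user identity is read from the server's session store, never from a client-supplied ‘username’ parameter, a mismatch is treated as tampering and ends the session, and a forged "success" response on the client never yields a token the server recognizes. The accounts, session store and request shape are constructed for the demo.

```python
# Added example: identity comes from the server-side session, not from
# request parameters. Accounts, profiles and the session store are
# constructed for the demo (passwords are stored in clear here only to keep
# the example short; a real system stores password hashes).
import secrets

ACCOUNTS = {"anooprv": "1234", "sushil jain": "abcd"}
PROFILES = {"anooprv": "profile of anooprv", "sushil jain": "profile of sushil jain"}
SESSIONS = {}  # token -> username, kept only on the server


def login(username, password):
    """Return a fresh random session token, or None on bad credentials."""
    if ACCOUNTS.get(username) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def profile_vulnerable(token, params):
    """'Before' version: trusts the client-supplied username parameter."""
    if token not in SESSIONS:
        return 401, None
    return 200, PROFILES.get(params.get("username"))


def profile_hardened(token, params):
    """'After' version: identity is taken from the session; tampering logs out."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None          # unknown or forged token: no access
    claimed = params.get("username")
    if claimed is not None and claimed != user:
        SESSIONS.pop(token, None)  # parameter tampering: invalidate the session
        return 403, None
    return 200, PROFILES[user]
```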

4. An adversary can obtain sensitive data using a direct URL without authentication.

Description

Authentication is the process that confirms the identity of a user. In some applications authentication is not enforced, and it is easy for an attacker to obtain sensitive information: an adversary can type the URL directly into the browser's address bar and access sensitive information without any authentication. A valid user login is not necessary to obtain the sensitive information.

Steps to Reproduce

Step - 1

Log into the application with Username: ‘ANOOPRV’ and Password: ‘1234’.

Step - 2

Copy the login request URL and log out from the application.

Step - 3

Launch Postman and enter the copied request URL.

Step - 4

Enter the request parameters and send the request in Postman without authentication.

Step - 5

Verify the response returned for the URL.

Solution

The URL should never contain sensitive or important information, and sensitive content should not be served without authentication. The following solutions can be implemented in the application.
1. Session management - The application should check for a valid user login and verify whether the user is authorized to access the document being requested.
2. File path protection - Keep the documents in a folder that is not publicly accessible, and never display the document path to the end user.
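An added example (not the application's own code) of both solutions together: the document endpoint refuses requests without a valid session, checks that the caller owns the document, and resolves files by an opaque id from a folder outside the web root, so no path ever appears in the URL. The session store, document table and private folder are constructed for the demo.

```python
# Added example: authenticated, authorized document access with file path
# protection. Everything below is constructed for the demo.
import os
import tempfile

PRIVATE_DIR = tempfile.mkdtemp(prefix="docs-")   # not under the web root
SESSIONS = {"tok-anooprv": "anooprv"}            # constructed: token -> user
# opaque document id -> (owner, file name inside PRIVATE_DIR)
DOCUMENTS = {"d1": ("anooprv", "statement.txt"), "d2": ("sushil jain", "notes.txt")}

for owner, name in DOCUMENTS.values():
    with open(os.path.join(PRIVATE_DIR, name), "w") as fh:
        fh.write(f"private data of {owner}")


def get_document(session_token, doc_id):
    """Return (status, body). No session -> 401, not the owner -> 403."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None                       # no authentication, no data
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return 404, None                       # unknown id; paths are never accepted
    owner, name = entry
    if owner != user:
        return 403, None                       # authenticated but not authorized
    path = os.path.join(PRIVATE_DIR, name)
    # defence in depth: the resolved file must stay inside the private folder
    if not os.path.realpath(path).startswith(os.path.realpath(PRIVATE_DIR) + os.sep):
        return 404, None
    with open(path) as fh:
        return 200, fh.read()
```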

5. An adversary guesses passwords via automated password-guessing attacks.

Description

This is a brute-force attack against user accounts: the attacker systematically tries combinations of usernames and passwords with the intention of eventually logging into the application. Many tools are available for brute-force password cracking, such as Aircrack-ng, John the Ripper and RainbowCrack.

Steps to Reproduce

Step - 1

Open the application.

Step - 2

Enter valid username and invalid password in the respective fields.

Step - 3

Select the Login button. The application displays an error message, “The username or password you have entered is not correct.”

Step - 4

Repeat steps 2 and 3 five times.

Step - 5

Enter valid username and password in the respective fields.

Step - 6

Select the Login button. The valid user is still able to log in.

The user should not be allowed to log into the application after a particular number of invalid login attempts.

Solution

1. Temporarily lock the user account for some time after approximately 5 invalid login attempts.
2. Implement a CAPTCHA mechanism on the login screen. A CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge-response test used in computing to determine whether the user is human.
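An added example (not the application's own code) of the first solution: a login routine that counts failed attempts per account and locks the account after 5 of them, so that even the correct password is rejected until the lock expires, which is exactly what the reproduction steps above check for. The account, thresholds and lock duration are assumed values, and the clock is injectable so the behaviour can be tested without waiting.

```python
# Added example: temporary account lockout after MAX_ATTEMPTS failures.
# The demo account, thresholds and lock duration are constructed values.
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5
LOCK_SECONDS = 15 * 60            # assumed lock duration


def _hash(pw):
    # demo only: a production system uses a slow, salted KDF (bcrypt, scrypt, Argon2)
    return hashlib.sha256(pw.encode()).hexdigest()


USERS = {"anooprv": _hash("1234")}   # constructed demo account
FAILED = {}                          # username -> consecutive failed attempts
LOCKED_UNTIL = {}                    # username -> unlock timestamp
_DUMMY = _hash("dummy")              # compared for unknown users to keep timing similar


def attempt_login(username, password, now=None):
    """Return 'ok', 'invalid' or 'locked'. A correct password does not bypass a lock."""
    now = time.time() if now is None else now
    if LOCKED_UNTIL.get(username, 0) > now:
        return "locked"
    stored = USERS.get(username)
    matches = hmac.compare_digest(stored or _DUMMY, _hash(password)) and stored is not None
    if matches:
        FAILED.pop(username, None)       # success resets the failure counter
        LOCKED_UNTIL.pop(username, None)
        return "ok"
    count = FAILED.get(username, 0) + 1
    FAILED[username] = count
    if count >= MAX_ATTEMPTS:
        LOCKED_UNTIL[username] = now + LOCK_SECONDS
        FAILED.pop(username, None)
        return "locked"
    return "invalid"
```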

6. No OTP functionality present on login page.

Description

At present, strong passwords are not mandatory in many applications, which allows attackers to access the application by guessing the password or by other methods. To provide an additional layer of security, it is essential to use an OTP or another login security mechanism.


Solution

Deploy a multi-factor authentication mechanism such as a fingerprint scan, OTP generation or a physical token.
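As an added example of the OTP option (not code from the original document), the following implements a time-based one-time password (TOTP, RFC 6238) generator and verifier that a login page can use as the second factor. The shared secret is the RFC 6238 test secret, and the current time is injectable so the result can be checked against the RFC's published values.

```python
# Added example: TOTP (RFC 6238) generation and verification with a small
# clock-skew window. The secret below is the RFC 6238 Appendix B test secret.
import hashlib
import hmac
import struct
import time

STEP = 30        # time step in seconds
DIGITS = 6


def totp(secret, now):
    """HOTP (RFC 4226) over the current time step, truncated to DIGITS digits."""
    counter = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret, submitted, now=None, window=1):
    """Accept the code of the current step or of +/- 'window' adjacent steps."""
    now = int(time.time()) if now is None else now
    for skew in range(-window, window + 1):
        expected = totp(secret, now + skew * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret
```

A production verifier also records the last accepted time step per user and rejects a code for that step a second time, so a captured OTP cannot be replayed within its window.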

7. A local adversary can misuse authenticated sessions due to a high session-inactivity period.

Description

If the application has no session expiration time, or the session timeout period is too long, an attacker with access to the device can use the open session and obtain information.

Steps to Reproduce

Step - 1

Launch the application and log in with a valid username and password.

Step - 2

Leave the application idle for 30 minutes without performing any action.

Step - 3

If the session is not terminated, an attacker can easily gain access to the application.

Solution

Add a session expiration time for the inactive period; 30 minutes is the usual session expiration period. After the fix, the expected behaviour is:
Step 1 – Launch the app and log in with a valid username and password.
Step 2 – Leave the application idle for 30 minutes without performing any action.
Step 3 – The user is logged out.

8. An adversary can use IPC activity for unauthorized access to the application.

Description

The Inter Application Communication (IAC) model in Android is an inter-process communication or message-passing system through which an app can use the functionality of another app; for example, an app can send a message to a navigation app to display a location. The Android manifest snippet examined in the steps below shows a broadcast receiver that is explicitly exported, leaving it accessible to any other application.

Steps to Reproduce

Decompile the APK with ‘apktool’, open the AndroidManifest.xml file in the Notepad++ editor, and locate the exported broadcast receiver in the XML.


Solution

Avoid exposing components over IPC, as an exported component can be accessed by any third-party application on the device. Set the attribute android:exported="false", which means the receiver is intended only for the application's internal use, or protect it with a permission of protection level signature declared in the Android manifest file.
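An added example (not from the original document) of the check a tester can run over a decompiled AndroidManifest.xml after the apktool step: it lists every activity, service, receiver or provider that is exported, explicitly or implicitly through an intent-filter, and has no android:permission protecting it. The manifest text is constructed; the package and component names are not from any real application.

```python
# Added example: find exported components with no protecting permission in a
# decompiled AndroidManifest.xml. The manifest below is constructed for the demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.INTERNAL" android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <receiver android:name=".SafeReceiver" android:exported="true"
              android:permission="com.example.demo.INTERNAL"/>
    <receiver android:name=".PrivateReceiver" android:exported="false"/>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.example.demo.PUSH"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def unprotected_exports(manifest_xml):
    """Return [(tag, name)] for components other apps can reach without a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _attr(comp, "exported")
        if exported is None:
            # no explicit attribute: before Android 12 a component with an
            # intent-filter is exported by default
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and _attr(comp, "permission") is None:
            findings.append((comp.tag, _attr(comp, "name")))
    return findings
```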

9. An adversary can hijack sessions because the session is not invalidated on logout.

Description

A session token is assigned to the user at login, and the user's session is identified by this token until logout. The token must be properly invalidated when the user logs out of the application; otherwise an adversary holding the token can hijack the user's session.

Steps to Reproduce

Step - 1

Launch and log into the application using valid credentials.

Step - 2

Access any page and capture the request using Burp Suite.

Step - 3

Send the request to repeater.

Step - 4

Log out from the application.

Step - 5

Go to Repeater, click the “Go” button and compare the server response with the originally requested page.


Solution

The session should be invalidated once the user logs out of the application. Also, the session should be invalidated after a certain period of time.
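An added example (not the application's own code) of the server-side session handling that closes both item 7 and item 9: each session carries a last-activity time and expires after the 30-minute idle period, has an absolute lifetime, and is deleted on the server at logout, so a request replayed from Repeater with the old token is refused. The timeouts are assumed values and the clock is injectable for testing.

```python
# Added example: server-side session store with idle timeout, absolute
# lifetime and explicit invalidation on logout. Timeout values are assumed.
import secrets

IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before the session ends
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard upper bound on session lifetime (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}     # token -> {"user", "created", "last_seen"}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token, now):
        """Return the user of a live session and refresh its activity time, else None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(token, None)   # expired: drop the server-side state
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Invalidate on the server; clearing the client cookie alone is not enough."""
        return self._sessions.pop(token, None) is not None
```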

10. The application does not invalidate the session on closing the application.

Description

A session id is used to track the authenticated user's identity within an application and is maintained on the server side. Sometimes the session remains active if the application is closed without logging out, or when a mobile application is moved to the background. If an adversary then gains unauthorized access to the phone, they can perform malicious operations.

Steps to Reproduce

Step - 1

Log into application and navigate to any page.

Step - 2

Close the application without logging out.

Step - 3

Try to open the same URL again in the browser (if it is a mobile application, after the application is put into background, bring it back to foreground).

Step - 4

The session remains active and the user can see the information on the page.

Solution

1. Ensure that the session is invalidated or made inactive on the server side as soon as the user logs out of the application.
2. Explicitly invalidate the session; do not rely on garbage collection or cookie expiration.
3. If it is a mobile app, do not let it keep an authenticated session in the background: force a logout when the app is moved to the background.

Below is an Android code snippet example.


For iOS, this is done in the app delegate's applicationDidEnterBackground method, which should forcefully terminate the user's session on the server.

11. The application has a weak password policy.

Description

An application with a weak password policy is susceptible to attack, the major form being password guessing. Users choose their own name, username, address, phone number, hobbies, pet’s name and so on as their password so that it can be easily remembered. If an intruder has access to the server and executes the finger utility command, he/she can retrieve all the information of the users on the server; this command can be run from the command prompt. The screenshot of the intercepted request showed the password viewable in the request, from which you can conclude that the password is the same as the username and is a weak one.


Solution

Only the admin should be allowed to execute the finger command on the server, and by default the command should not be executed. Enforce a strong password policy that takes the following criteria into account.
1. The password must have a minimum of 8 characters.
2. The password must not contain any personal information.
3. It must be different from the previous passwords used in the system; enforce password-history logic.
4. Complete words must not be used in the password.
5. The password must contain characters from all four primary categories: uppercase letters, lowercase letters, numbers and special characters.
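An added example (not the application's own code) that enforces the five criteria above at password-change time: minimum length, no personal information, not reused from the password history, no complete words, and all four character categories. The history is assumed to be stored as salted PBKDF2 hashes; the word list and the user's personal details are constructed for the demo.

```python
# Added example: password-policy check for the five criteria listed above.
# The word list, personal details and history format are constructed.
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 8
HISTORY_SIZE = 5
COMMON_WORDS = {"password", "welcome", "summer", "admin", "oracle"}  # constructed list


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def in_history(password, history):
    return any(hmac.compare_digest(hash_password(password, h[:16]), h) for h in history)


def check_password(password, personal_info, history):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(len(item) >= 3 and item.lower() in lower for item in personal_info):
        problems.append("contains personal information")
    if in_history(password, history[-HISTORY_SIZE:]):
        problems.append("reused from password history")
    if any(word in lower for word in COMMON_WORDS):
        problems.append("contains a complete word")
    categories = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(pattern, password) for pattern in categories):
        problems.append("missing a character category")
    return problems
```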

12. The application allows concurrent user logins.

Description

Some applications allow concurrent logins for the same account: the user can have multiple sessions active at the same time from different browsers or machines. If users need to open the account from different browsers or machines, concurrency must be handled in the authentication layer, and this handling is application specific. The problem with concurrent sessions is that the logged-in user is not aware that his/her account is being accessed by others.

Steps to Reproduce

Step - 1

Consider the online SBI application: log in with a valid username and password.

Step - 2

Again, log into the account from a different browser or machine.


Solution

Concurrent logins should not be allowed.
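An added example (not the application's own code) of one way to enforce this rule on the server: at most one session per account is kept, and a login from a second browser or machine replaces the earlier session, so the earlier one stops working rather than silently coexisting. The credential check is out of scope here and the session storage is an in-memory dict constructed for the demo.

```python
# Added example: single active session per account. The caller is assumed to
# have already verified the credentials; storage is constructed for the demo.
import secrets

SESSIONS = {}        # token -> username
ACTIVE = {}          # username -> the one token currently allowed


def login_single_session(username):
    """Issue a token for 'username', revoking any session the account already had.

    Returns (token, replaced) where 'replaced' tells whether an earlier session
    was terminated, which the application can report to the user."""
    old = ACTIVE.get(username)
    replaced = False
    if old is not None:
        SESSIONS.pop(old, None)       # the earlier browser/machine is logged out
        replaced = True
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    ACTIVE[username] = token
    return token, replaced


def current_user(token):
    """Resolve a token to its user, or None if the session no longer exists."""
    return SESSIONS.get(token)


def logout(token):
    user = SESSIONS.pop(token, None)
    if user is not None and ACTIVE.get(user) == token:
        ACTIVE.pop(user)
```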

Conclusion

The application layer is always the hardest to defend against security threats. The vulnerabilities present here usually depend on the input given by the user. This layer is also the most accessible one and the most exposed to the outside world. Hence we always need to give the utmost importance to the authentication part of an application and prevent malicious attacks. This case study covers only a part of the attacks that can happen against an application's authentication.

Authors

Bipin M Nair
Senior Software Test Engineer
RapidValue Solutions

Rahul RS
Senior Software Test Engineer
RapidValue Solutions

Soniya Varghese
Senior Software Test Engineer
RapidValue Solutions


Neena Elizabeth Varghese
Software Test Engineer
RapidValue Solutions


Rosu Antu
Software Test Engineer
RapidValue Solutions

If you’d like to know more about Security Testing, please reach out to us at contactus@rapidvaluesolutions.com We’d be happy to hear from you!
