Authentication Bypass
Overview
Description
Authentication Bypass is a type of vulnerability that allows the attacker to bypass the authentication process somehow. It is a more logical bug, and there is no fixed methodology to bypass authentication. The attacker has to understand how authentication is implemented in web applications.
Example
There are some common implementational mistakes in authentication, which can lead to Authentication Bypass.
1. Client-Side Authentication
- Some web applications provide credentials in javascript and validate them at the client-side.
- An attacker can debug javascript and get a password.
- This is a rare case but still exists.
2. Session ID in URL
-
Java Servlet supports URL rewriting, in which session id is appended to URL like,
http://site.com/profile;jsessionid=39BFAF1BA1JEF34D69AF2B0216C13BAF?dest=edit
-
If a user shares some URL, his session will also be shared with it, and anyone can access it.
-
servers logs
refer
field of an HTTP request, which will expose sessions of users.
3. Parameter modification
-
Some vulnerable applications verify session based on fixed HTTP parameter. E.g.,
http://site.com/admin/
will redirect tohttp://site.com/admin/loggedIn=true
after successful login. -
An attacker can hit URL
http://site.com/admin/loggedIn=true
and directly get access to the admin panel without authentication.
4. Direct page request (forced browsing)
- If the web application is enforcing authentication only on the homepage and not on internal pages, then once can access internal pages without authentication.
- for, e.g., HTTP://site.com/admin/
need authentication. But,
http://site.com/admin/view_users/` can accessible without authentication.
5. Session ID prediction
- After successful authentication, Web Applications provide session ID, which is stored inside cookies.
- Session ID should be random and not predictable.
- Few web applications provide sessions based on time, which is sequential and predictable.
Impact
- Unauthenticated users will be able to access restricted resources like user dashboards, admin panels.
Prevention
- Never use client-side authentication.
- Store Session ID in cookies and not send in URL.
- Validate authentication on each request.