What is Poor Authorization and Authentication?
Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or within the backend server the app talks to. Weak authentication is fairly prevalent in mobile apps because of the device's input form factor: on-screen keyboards encourage short passwords, which in practice are often nothing more than a 4-digit PIN.
In traditional web apps, users are expected to be online and authenticate in real-time with a backend server. Throughout their session, there is a reasonable expectation that they will have continuous access to the Internet.
In mobile apps, users are not expected to be online at all times during their session. Mobile internet connections are much less reliable and predictable than traditional web connections, so mobile apps may have availability requirements that call for offline authentication. This offline requirement has profound ramifications for what developers must consider when implementing mobile authentication.
How can you detect Poor Authorization and Authentication?
To detect poor authentication schemes, testers can perform binary attacks against the mobile app while it is in 'offline' mode, forcing the app to bypass its offline authentication and then executing functionality that the offline authentication should have gated. Testers should also try to execute backend server functionality anonymously by removing the session tokens from the POST/GET requests that the app sends for that functionality.
Poor or missing authorization schemes allow an adversary, using an authenticated but lower-privilege account, to execute functionality they are not entitled to. To test for them, testers can perform binary attacks against the mobile app while it is in 'offline' mode and try to execute privileged functionality that should only be available to a user of higher privilege. Testers should also try to execute privileged backend functionality by sending the corresponding POST/GET requests with a low-privilege session token. Authorization is more fragile when the decision is made on the mobile device instead of by the remote server, which apps sometimes do to satisfy offline usability requirements.
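The two backend checks described above (replay a request with the session token stripped; replay a privileged request with a low-privilege token, optionally with a forged role header) as a small test harness. This is an added example, not code from the original page or from any real app: the endpoint names, token strings and role policy are assumptions, and the backend it probes is a constructed, deliberately weak in-memory stand-in for a real server.

```python
# Added example (not from the original page): a small authentication and
# authorization probe run against a constructed, deliberately weak backend.
# Endpoint names, token strings and the role policy are assumptions made for
# this illustration; they are not taken from any real app or service.

# Constructed server-side session store: token -> (user, role).
SESSIONS = {
    "tok-alice-admin": ("alice", "admin"),
    "tok-bob-user": ("bob", "user"),
}

# Assumed policy: the minimum role each sensitive endpoint should require.
REQUIRED_ROLE = {
    "/api/orders": "user",
    "/api/admin/users": "admin",
}
RANK = {"anonymous": 0, "user": 1, "admin": 2}


def weak_backend(method, path, headers):
    """Deliberately weak handler showing both failure modes from the text:
    it lets the client pick its own role via an X-Role header (poor
    authorization), and it serves a request with no session token as a guest
    who still gets 'user' rights (poor authentication)."""
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return 404, "not found"
    token = headers.get("Authorization")
    client_role = headers.get("X-Role")                 # never trust this
    if token in SESSIONS:
        user, server_role = SESSIONS[token]
        role = client_role or server_role               # flaw 1: client overrides server
    else:
        user, role = "guest", client_role or "user"     # flaw 2: no token, still in
    if RANK.get(role, 0) < RANK[needed]:
        return 403, "forbidden"
    return 200, f"{method} {path} as {user}/{role}"


def probe(backend, low_priv_token="tok-bob-user"):
    """Replay each sensitive request the way a tester would and record what
    the backend should have refused:
      1. low-privilege session token plus a forged 'X-Role: admin' header,
      2. the session token stripped from the request entirely,
      3. the low-privilege token alone against admin-only endpoints.
    Returns a list of findings; an empty list means every probe was refused."""
    findings = []
    for path, needed in REQUIRED_ROLE.items():
        privileged = RANK[needed] > RANK["user"]

        status, _ = backend("GET", path, {"Authorization": low_priv_token, "X-Role": "admin"})
        if privileged and status == 200:
            findings.append(f"authz: forged X-Role header reached {path}")

        status, _ = backend("GET", path, {})
        if status == 200:
            findings.append(f"authn: {path} served with no session token")

        status, _ = backend("GET", path, {"Authorization": low_priv_token})
        if privileged and status == 200:
            findings.append(f"authz: low-privilege token reached {path}")
    return findings


if __name__ == "__main__":
    for finding in probe(weak_backend):
        print(finding)
```

Against a real backend the same three replays are done with an intercepting proxy (strip the token, swap in a low-privilege user's token, add a role header) and the finding is the same: any 200 on a request that should have been refused. The 'offline' half of the test, patching the app so it skips its local check, is done on the binary itself and has no equivalent in this harness.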
Impact of Poor Authorization and Authentication
Attackers can take over user accounts, often many at once. From there, they have the potential to place fraudulent orders, transfer money, or steal information.
How can you prevent Poor Authorization and Authentication attacks?
Developers should assume that all client-side authorization and authentication controls can be bypassed by malicious users. Authorization and authentication controls must be enforced on the server side wherever possible.
Because of offline usage requirements, mobile apps may have to perform local authentication or authorization checks within the app's own code. If this is the case, developers should instrument local integrity checks within their code to detect any unauthorized code changes. See M10 for more information about detecting and reacting to binary attacks.
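The two preventive measures above, server-side enforcement and a local integrity check around code that must run offline, as one added example. This is illustration code, not from the original page or any real app: the session tokens, roles, endpoint names, the offline PIN routine and the way its fingerprint is recorded at 'build time' are all assumptions.

```python
# Added example (not from the original page): the server-side enforcement
# recommended above, next to a local integrity check guarding an offline PIN
# routine. Session tokens, roles, endpoint names and the PIN handling are
# assumptions made for this illustration, not code from any real app.
import hashlib
import hmac
import secrets

# --- Server side: identity and role come from the server's own store ---------
SESSIONS = {
    "tok-alice-admin": ("alice", "admin"),
    "tok-bob-user": ("bob", "user"),
}
REQUIRED_ROLE = {"/api/orders": "user", "/api/admin/users": "admin"}
RANK = {"user": 1, "admin": 2}


def hardened_backend(method, path, headers):
    """Re-establish who is calling and what they may do on every request.
    Missing or unknown token -> 401; known token with too little privilege ->
    403. Anything the client claims about its own role (e.g. an X-Role header)
    is ignored entirely."""
    needed = REQUIRED_ROLE.get(path)
    if needed is None:
        return 404, "not found"
    session = SESSIONS.get(headers.get("Authorization"))
    if session is None:
        return 401, "authentication required"
    user, role = session
    if RANK[role] < RANK[needed]:
        return 403, "forbidden"
    return 200, f"{method} {path} as {user}/{role}"


# --- Client side: offline PIN check protected by a local integrity check ------
def enroll_pin(pin):
    """Store a salted PBKDF2 hash of the PIN locally instead of the PIN itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def local_pin_check(entered_pin, salt, stored_hash):
    """The routine an attacker would patch to 'return True' in a binary attack."""
    derived = hashlib.pbkdf2_hmac("sha256", entered_pin.encode(), salt, 100_000)
    return hmac.compare_digest(derived, stored_hash)


def fingerprint(fn):
    """SHA-256 of the routine's compiled bytecode; a build step would embed this."""
    return hashlib.sha256(fn.__code__.co_code).hexdigest()


BUILD_TIME_FINGERPRINT = fingerprint(local_pin_check)   # assumed build-time value


def offline_login(entered_pin, salt, stored_hash, check=local_pin_check):
    """Refuse to trust the local check at all if it no longer matches the
    fingerprint recorded at build time; a patched 'return True' will not."""
    if not hmac.compare_digest(fingerprint(check), BUILD_TIME_FINGERPRINT):
        return False
    return check(entered_pin, salt, stored_hash)
```

The integrity check is only a speed bump: in a real app the fingerprint covers the shipped binary rather than one function's bytecode, and an attacker who can patch the PIN routine can also patch the checker or the constant it compares against. That is exactly why the backend half must stay authoritative: whatever the offline check decides, the server still demands a valid session and looks up the role itself.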
Stay Connected
🐥 Twitter: / vistainfosec
🛄 LinkedIn: / vist. .
👍 Facebook: / vistainfosec
More Free Resources
Blog: https://www.vistainfosec.com/blog/
Webinars: https://www.vistainfosec.com/webinar.php
About Us
Established in 2004, VISTA InfoSec has from day one provided vendor-neutral consulting services in the areas of Information Risk Compliance and Infrastructure Advisory Services. VISTA InfoSec most commonly advises on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST, GDPR and ISO 27001. It has offices in Mumbai, Singapore and the USA and serves clients all over the world.
For more about Vista InfoSec: https://www.vistainfosec.com/
Contact us today: https://www.vistainfosec.com/contact-...
Phone Number: +91 9987244769