AppSec Blog

Top 25 Series - Rank 19 - Missing Authentication for Critical Function

One of the most blatant examples I've seen of weak or missing authentication occurred with the online dating site SpeedDate.com. For a brief period of time, passwords were not even required to log in to the application [1]. All you needed was the user id and a blank password, and you would be signed on to the site with access to all the user's private messages and personal information.

Fortunately, authentication is usually not implemented so poorly, but it is enough of a problem that CWE-306: Missing Authentication for Critical Function [2] is entry #19 in the new CWE/SANS Top 25. Another common authentication-related weakness is CWE-307: Improper Restriction of Excessive Authentication Attempts [3], where an attacker can conduct a brute force password guessing attack.
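As an added example (not code from this post, from SpeedDate, or from any vendor product), the following Python contrasts a login check in which a blank password bypasses verification entirely, the pattern described above, with one that always verifies the credential and locks the account after repeated failures. The user store, hashing parameters and lockout thresholds are constructed assumptions.

```python
"""Added example (constructed demo data, not any site's real code).

login_vulnerable: an empty password skips verification entirely (CWE-306).
login_hardened: always verifies, and locks the account after repeated
failures (CWE-307). Policy values below are assumed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: user id -> (salt, PBKDF2 hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = (b"\0" * 16, b"\0" * 32)  # used for unknown ids so hashing cost is constant

def login_vulnerable(user_id: str, password: str) -> bool:
    """Password is effectively optional: a blank one is treated as 'no check needed'."""
    if user_id not in USERS:
        return False
    if password == "":  # CWE-306: critical function reachable without authentication
        return True
    salt, stored = USERS[user_id]
    return hmac.compare_digest(_hash(password, salt), stored)

MAX_FAILURES = 5          # assumed policy values
LOCKOUT_SECONDS = 300
_failures = defaultdict(lambda: [0, 0.0])  # user id -> [failure count, locked_until]

def login_hardened(user_id: str, password: str, now: Optional[float] = None) -> bool:
    """Always verifies the credential; throttles repeated failures per CWE-307."""
    now = time.time() if now is None else now
    count, locked_until = _failures[user_id]
    if now < locked_until:
        return False  # locked out: do not even evaluate the password
    salt, stored = USERS.get(user_id, _DUMMY)
    candidate = _hash(password, salt)  # computed for unknown ids too (uniform timing)
    ok = bool(password) and user_id in USERS and hmac.compare_digest(candidate, stored)
    if ok:
        _failures[user_id] = [0, 0.0]  # success clears the counter
        return True
    count += 1
    _failures[user_id] = [count, now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0]
    return False
```

The `now` parameter exists only so the lockout window can be exercised deterministically; in production the wall clock is used.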

A few years ago a friend and I were conducting a pen test of an internally deployed vendor product. This was a fun engagement because we were given the URL with no credentials or other information and simply told to hack the web site to retrieve confidential customer information. Just as we were about to run a brute force password attack on the site we noticed that the vendor documentation was deployed on the website along with the web application itself. The documentation revealed the default admin user id and password for the vendor product. These defaults were, of course, still valid on the system we were testing.

In the next post I'll talk about how we leveraged these weak authentication credentials to gain further access to the system.

Have you encountered other examples of extremely weak or missing authentication?

[1] http://techcrunch.com/2009/02/03/password-optionalhuge-security-breach-hits-speeddate/
[2] http://cwe.mitre.org/top25/#CWE-306
[3] http://cwe.mitre.org/data/definitions/307.html
