In many situations developers concentrate on protecting the main login page and
pay far less attention to the other authentication functions available to users,
so the mistakes that were covered for the main login reappear in the change
password, forgotten password and remember me features.
Typical mistakes are allowing an unlimited number of failed attempts, returning
a different message depending on whether the existing password was valid, and,
in the change password function, checking the existing password before checking
that the new password matches its confirmation, which turns the function into a
password oracle that can be queried without ever submitting a complete form.
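As an added example (not code from the original post), here is a change password handler written the vulnerable way described above beside a corrected one, together with a small routine that plays the attacker and uses the function as a password oracle. The user store, lockout threshold and message strings are constructed for this demonstration.

```python
import hmac

# Constructed demo state: one user with a plaintext password (kept plaintext only
# so the ordering bug stays visible; how passwords should be stored is a
# separate point).
USERS = {"alice": "S3cret!pass"}
FAILED_ATTEMPTS = {}      # username -> consecutive failed old-password checks
LOCKOUT_THRESHOLD = 5
MIN_LENGTH = 12


def change_password_vulnerable(user, old, new, confirm):
    """Makes the mistakes listed above: the existing password is checked first,
    every failure gets its own message, and nothing is ever locked. An attacker
    who knows the username can test old-password guesses here without even
    supplying a matching new/confirm pair."""
    if USERS.get(user) != old:
        return "Old password is incorrect"
    if new != confirm:
        return "New passwords do not match"
    USERS[user] = new
    return "Password changed"


def change_password_hardened(user, old, new, confirm):
    """Validates the new/confirm pair before the old password is ever compared,
    counts failed old-password checks and locks the account, and answers every
    failure with the same generic message."""
    generic = "Password change failed"
    if new != confirm or len(new) < MIN_LENGTH:
        return generic                      # form rejected before the oracle
    if FAILED_ATTEMPTS.get(user, 0) >= LOCKOUT_THRESHOLD:
        return generic                      # locked: indistinguishable failure
    stored = USERS.get(user, "")
    if not hmac.compare_digest(stored.encode(), old.encode()):
        FAILED_ATTEMPTS[user] = FAILED_ATTEMPTS.get(user, 0) + 1
        return generic
    FAILED_ATTEMPTS[user] = 0
    USERS[user] = new
    return "Password changed"


def oracle_attack(handler, user, wordlist):
    """Attacker's view of either handler: submit each guess as the old password
    with a deliberately mismatched new/confirm pair (so nothing is ever changed)
    and look for the single response that differs from all the others.
    Returns the recovered old password, or None when the responses give nothing
    away. Use a wordlist of at least three guesses so the outlier is unambiguous."""
    responses = {w: handler(user, w, "Mismatch-New-Pass-1", "Mismatch-New-Pass-2")
                 for w in wordlist}
    if len(set(responses.values())) != 2:
        return None
    values = list(responses.values())
    outlier = min(set(values), key=values.count)   # the answer seen only once
    return next(w for w, r in responses.items() if r == outlier)


if __name__ == "__main__":
    guesses = ["password", "123456", "S3cret!pass", "letmein"]
    print(oracle_attack(change_password_vulnerable, "alice", guesses))  # S3cret!pass
    print(oracle_attack(change_password_hardened, "alice", guesses))    # None
```

Against the vulnerable handler the attacker never needs a valid form: the one guess that clears the first check is answered with "New passwords do not match" instead of "Old password is incorrect", which is exactly the verbose-message mistake. Against the hardened handler the mismatched pair is rejected before the old password is touched, so the attempt counter is not even consumed.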
Another issue arises with the forgotten password function: a weak design relies
on challenge questions that are far easier to guess than a password, such as a
pet's name or the mother's first name.
The remember me option is another source of danger. It is usually implemented
with a cookie, and if the stored value is not encrypted, or is only weakly
encrypted or merely encoded, an attacker can work out how the identifier is
constructed and generate a matching one for another user.
Attack requirement:
A. No or weak account locking policy
B. Verbose messages that differ for valid and invalid passwords
C. Password or identity stored on the client (cookie) through a weak, predictable identifier
Attack process:
A. For the change password and forgotten password functions the process is the
same as the brute force process: submit guesses for the existing password or
the challenge answer and watch for a change in the response.
B. For the remember me option, activate it, capture the resulting request and
response with a proxy such as Burp, and examine cookies and any other stored
values for unencrypted or weakly encrypted identifiers.
C. If the identifier can be easily generated, generate identifiers for other
users and iteratively test them with Burp to check whether they give access
to other accounts.
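The cookie analysis in steps B and C, as an added example that is not part of the original post: a weak remember me cookie that is only base64-encoded (constructed to look like what a proxy capture would show) is decoded and forged for another user, beside an HMAC-based token that cannot be forged without the server key. The cookie layout, the user names and the server key are assumptions made for this demonstration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed: a captured "remember me" cookie value that is nothing but base64.
WEAK_COOKIE = base64.b64encode(b"user=alice;role=customer").decode()


def decode_weak_cookie(cookie):
    """Attacker step: decoding the value reveals the identifier the server trusts."""
    raw = base64.b64decode(cookie).decode()
    return dict(kv.split("=", 1) for kv in raw.split(";"))


def forge_weak_cookie(user, role="customer"):
    """Attacker step: once the layout is known, a cookie for any user is trivial."""
    return base64.b64encode(f"user={user};role={role}".encode()).decode()


def weak_server_identify(cookie):
    """Server side of the weak scheme: it believes whatever the cookie says."""
    return decode_weak_cookie(cookie)["user"]


# Hardened scheme. The key is generated here for the demo; in a real deployment
# it lives in server configuration and is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user, key=SERVER_KEY):
    """Random per-issue nonce plus an HMAC-SHA256 tag over user and nonce.
    Without the key an attacker cannot produce a valid tag for another user,
    and two tokens for the same user never look alike."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{nonce}:{tag}"


def verify_token(token, key=SERVER_KEY):
    """Returns the user name if the tag is valid, otherwise None. Malformed
    tokens (wrong number of fields) are rejected; compare_digest keeps the tag
    comparison constant-time."""
    try:
        user, nonce, tag = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print(decode_weak_cookie(WEAK_COOKIE))
    print(weak_server_identify(forge_weak_cookie("bob", "supervisor")))
    token = issue_token("alice")
    user, nonce, tag = token.split(":")
    print(verify_token(token), verify_token(f"bob:{nonce}:{tag}"))
```

The HMAC version only proves the token came from the server; it does not by itself give you expiry or revocation, so production remember-me implementations usually store a random token (or its hash) server-side with an expiry date and look it up, rather than trusting a self-contained value. The point of the example is the contrast with the weak cookie, where the identifier can be read and rewritten by anyone who captures it.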
Impersonation Functionality
In many cases an application implements an impersonation function so that a
privileged person in the organization can control a user's account. An example
is a bank customer account and an account supervisor, where the supervisor has
the privilege to access the customer account and execute tasks on the
customer's behalf.
The main issue with impersonation is that the functionality is often treated as
hidden functionality with minimal access control, or as a back door that can be
opened with nothing more than a simple password.
Attack requirement:
A. The impersonation functionality is implemented as a back door or as hidden
functionality
B. Minimal control over access to that functionality (vulnerable to brute force
or protected by a weak password)
Attack process:
Use the same process as for the brute force or weak password attack, depending
on the case.
Other issues
Other password-related issues include vulnerabilities caused by poor handling of
errors in the login process or in a multistage login.
Storing passwords unencrypted is also a serious problem. The remedy is a
salted, deliberately slow password hashing function such as bcrypt, scrypt,
Argon2 or PBKDF2, not a plain MD5 or SHA-1 digest: both of those are fast to
brute force and, without a salt, the digest of a common password can simply be
looked up in a precomputed table.
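An added example (not from the original post) for the password storage point: a plain MD5 store next to a salted PBKDF2-HMAC-SHA256 store, with a tiny dictionary attack to show why the unsalted fast hash is recovered immediately. The iteration count and the storage format are choices made for this demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a leaked-password list.
WORDLIST = ["123456", "qwerty", "password", "letmein"]


def md5_store(password):
    """Plain unsalted MD5. Equal passwords give equal digests, the hash is cheap
    to compute, and common values can be looked up in precomputed tables."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored_digest, wordlist=WORDLIST):
    """Dictionary attack: hash each candidate and compare. Returns the password
    or None. With no salt one pass over the list breaks every account that
    chose that password."""
    return next((w for w in wordlist if md5_store(w) == stored_digest), None)


PBKDF2_ITERATIONS = 600_000   # demo choice; high enough that each guess costs real CPU


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, deliberately slow hash. Stored string layout (demo format):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derives the key with the stored salt and iteration count and compares
    in constant time. Unknown formats are rejected rather than guessed at."""
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_md5(md5_store("password")))        # password
    record = hash_password("password")
    print(record != hash_password("password"))     # True: different salts
    print(verify_password("password", record))     # True
```

The salt defeats precomputed tables and makes two users with the same password look different in the database; the iteration count is what makes each guess expensive, so tune it to the slowest login latency you can accept rather than leaving it at a default.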