Why Pentest Authentication?
Authentication controls are the first line of defense to protect application data and functionality. For this reason, pentesting authentication is an essential step in safeguarding applications against breaches and unauthorized user activities. This critical phase of a gray box pentest identifies vulnerabilities that could allow unauthorized users to access sensitive information.
Because there are so many types of authentication, each with its own complex set of features, this penetration testing stage can be challenging even for experienced pentesters. The following outlines key elements to consider when testing authentication systems.
Authentication vs Authorization
Understanding the difference between these two terms is essential as they are commonly conflated. Authentication is the process of verifying a user’s identity, ensuring that they are who they claim to be. Authorization, on the other hand, determines what level of access the authenticated user has to various resources or actions within the system. In other words, authentication answers the question, “Are you who you say you are?” while authorization answers, “What are you allowed to do?”
While these two terms overlap in concept, the methods of pentesting are distinctly different and will be covered separately.
Authentication Types
Web applications can implement various types of authentication, each with its own specific requirements for pentesting.
It’s also worth noting that authentication often overlaps with session management, meaning the authentication method will influence both the testing requirements and any associated limitations. The following sections break down common authentication methods and how they should be approached during pentesting.
Basic Authentication
This method, which relies on an encoded username and password, is widely recognized as inadequate for secure applications. However, it remains typical for less sensitive systems.
Cookie-Based Authentication
Cookie-based authentication requires careful testing, with particular attention to the handoff mechanism between authentication and cookie session management. Understanding how to pentest cookie-based applications is important as these two functions have many shared test cases.
Token-Based Authentication
Many modern applications will use stateless JWTs to enforce authentication and authorization. Understanding the nuances of JWTs is important for pentesters as this standard is not only widely used but also implemented in many different ways.
Soft Authentication
Any seasoned pentester will be familiar with the woes of “soft authentication.”
For less sensitive applications, it’s often desirable to forgo the use of passwords and allow access based on tokens, codes, or other IDs. While convenient, these methods come with vulnerabilities that can be exploited if not properly implemented.
Soft authentication schemes may be used to protect things like:
- Online delivery tracking
- Appointment confirmations
- Shopping cart receipts
- Shipping tracking details
An application pentest should aim to understand if these controls can be defeated.
Self-Registration
Securing user self-registration on online platforms presents significant challenges. This feature is inherently susceptible to abuse, but an application pentest will highlight potential areas of weakness.
Rate Limiting Signups
Anti-automation technologies, such as CAPTCHA, are often the go-to solution for preventing bots from creating accounts. Pentesters should review functionality like registration to determine if such controls are necessary.
Single Sign-On (SSO)
SSO is frequently overlooked during pentesting, especially considering the difficulty involved with setting up test environments. But including a properly configured SSO-enabled environment can help identify vulnerabilities that allow user impersonation or bypass authentication.
OAuth
OAuth 2.0 is the most common technology used to federate major identity providers and enterprise identity. This handoff between parties must be tested to detect misconfigurations, token leakage, and insecure token handling.
SAML
SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between two parties. SAML assertions must be properly validated to ensure users cannot bypass access controls and escalate privileges.
Pentesting MFA
Multi-factor Authentication (MFA, or 2FA) is the widely adopted standard for reducing the impact of credential stuffing attacks. But MFA solutions vary drastically in design, and attackers can often bypass seemingly simple controls.
MFA Enforcement
Simply prompting users for an MFA token doesn’t guarantee they can’t bypass security measures and access application functionality. MFA authentication systems often use a two-step process where intermediate session tokens are granted after a user provides their password (but before they have provided their MFA token). For this reason, pentesters should attempt to use any session tokens granted to access functionality without providing MFA credentials.
MFA Brute Forcing
Pentesters should test whether MFA tokens can be brute forced. The pentest must ensure that the login process is terminated once a reasonable threshold of MFA failures is reached.
Other Authentication Vulnerabilities
Username Enumeration
Username enumeration may be possible through various types of functions, so system responses should be analyzed to ensure attackers cannot harvest sensitive data such as usernames.
Weak Password Policy
A pentest should evaluate the enforcement of applicable password policies. If no specific policy is available, common standards such as NIST can be used. Testing should go a step further and try to bypass client-side controls that may be enforcing such policies.
No Account Lockout
Locking accounts, temporarily or permanently, should be used to mitigate password brute force attacks. Testing should assess the behavior and attempt to bypass this mechanism.
Session Fixation
After users are successfully authenticated, the application should give users a new random session identifier. This ensures that if a token was previously stolen, it cannot be used by other parties. This also prevents other attacks in which a malicious actor can force a user to employ a known session ID.
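The MFA enforcement, MFA failure-threshold and session-fixation points above, as an added Python example that is not part of the original article: an in-memory session store (constructed for illustration) that issues an intermediate session after the password step, refuses to authorize it until the MFA code is verified, terminates the login once an assumed threshold of five failures is reached, and rotates the session identifier on success so a pre-authentication token can never be upgraded.

```python
import secrets

# Assumed threshold for this example; a real deployment tunes this to its risk.
MAX_MFA_FAILURES = 5


class SessionStore:
    """Constructed in-memory store tracking each session's login state."""

    def __init__(self):
        self.sessions = {}

    def start_password_step(self, username):
        # Password verified, MFA still pending: this is the intermediate
        # session a pentester will try to use against protected functionality.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "mfa_verified": False, "mfa_failures": 0}
        return sid

    def verify_mfa(self, sid, submitted_code, expected_code):
        s = self.sessions.get(sid)
        if s is None:
            return None  # unknown or already-terminated login attempt
        if not secrets.compare_digest(submitted_code, expected_code):
            s["mfa_failures"] += 1
            if s["mfa_failures"] >= MAX_MFA_FAILURES:
                # Terminate the login process: the intermediate session is
                # destroyed, so further guesses against it are rejected.
                del self.sessions[sid]
            return None
        # Success: discard the pre-MFA identifier and issue a fresh one,
        # which defeats session fixation as well as token reuse.
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": s["user"], "mfa_verified": True, "mfa_failures": 0}
        return new_sid

    def authorize(self, sid):
        # Protected functionality must check the MFA flag, not mere existence.
        s = self.sessions.get(sid)
        return s is not None and s["mfa_verified"]
```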
Forgotten Password Functionality
Login and logoff functions alone are rarely enough for modern applications. Forgotten password functionality, which allows users to reset their passwords, is crucial but often vulnerable to commonly overlooked security risks.
Tailoring Pentests for Robust Authentication Security
Pentesting authentication can vary significantly depending on the application, requiring pentesters to maintain both broad and in-depth expertise to thoroughly test all authentication schemes. The topics covered here serve as a foundational guide for pentesting web-based applications. Keep in mind that each customized feature demands tailored testing to ensure comprehensive security.