Last month we published a video demo called “Attacking Web Applications with Broken Authentication”. It shows a simple web application that relies on a cookie called “userid” for authentication. You might think that very few sites are vulnerable to this issue, but the truth is I came across it last year at a rather large European security conference. Some of the local ISPs also have this sort of security flaw.

What the video demonstrates is not just the flaw, but how to automate exploitation of such a flaw with a particular web application security tool. Check out the video below.
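The cookie-as-identity flaw from the demo, placed beside a hardened counterpart that uses an opaque server-side session, as an added example (this is not code from the video or the demo application): the user table, the session store and the function names are assumed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample user table standing in for the application's user database.
USERS = {1: "alice", 2: "bob"}


def _cookie_value(cookie_header: str, name: str):
    """Return the value of one cookie from a Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(name)
    return morsel.value if morsel is not None else None


# --- Vulnerable pattern shown in the demo: the "userid" cookie *is* the identity. ---
def whoami_vulnerable(cookie_header: str):
    """Trusts whatever userid the client sends; no server-side state is consulted,
    so a client that sets userid=2 is treated as user 2."""
    raw = _cookie_value(cookie_header, "userid")
    if raw is None or not raw.isdigit():
        return None
    return USERS.get(int(raw))


# --- Hardened pattern: a random session id maps to the user only on the server. ---
SESSIONS: dict[str, int] = {}  # session id -> user id; never leaves the server


def login(user_id: int) -> str:
    """Create a session after the user has actually authenticated (password check,
    etc., omitted here). Returns a 256-bit random, unguessable session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value with flags that keep the id off the wire in clear text
    and out of reach of page scripts."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax"


def whoami_hardened(cookie_header: str):
    """Identity is resolved only through the server-side session table, so a
    forged or guessed cookie value that is not in the table yields no user."""
    sid = _cookie_value(cookie_header, "sid")
    if sid is None:
        return None
    user_id = SESSIONS.get(sid)
    return USERS.get(user_id) if user_id is not None else None
```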

Also, (IN)SECURE Magazine was released yesterday, so go grab it. It includes my personal views on the security incidents and events of last year; look out for “The year that Internet security failed”. Lots of articles look good, but the following caught my eye:

  • Improving network discovery mechanisms
  • Scott Henderson on the Chinese Underground
  • Playing with Authenticode and MD5 collisions

Oh, and here’s the video:

2 Responses to “Weak authentication and other publications”  

  1. Good one Sandro, excellent explanation to find sites with weak auth mechanisms. Lessons to be learnt:
    1. People – Don’t use the same password across various websites. You never know what auth mechanisms hosts have put in place. Use tools like PasswordHasher in Firefox.
    2. Webmasters/Developers – Ensure that auth mechanisms never transmit sensitive data unencrypted. At the very minimum, employ hashing algorithms together with salts over https. Lots more on this point, but this post is not the place to discuss it.

  2. Regarding point 2: I suggest simply making use of the session cookie feature in most web application technologies, and avoiding reinventing the wheel.
