• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • Whenever you search in PBworks, Dokkio Sidebar (from the makers of PBworks) will run the same search in your Drive, Dropbox, OneDrive, Gmail, and Slack. Now you can find what you're looking for wherever it lives. Try Dokkio Sidebar for free.

View
 

Insufficient Authentication

Page history last edited by Robert Auger 12 years, 11 months ago

Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-01

 

Insufficient Authentication

Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.

 

To get around setting up authentication, some resources are protected by "hiding" the specific location and not linking the location into the main web site or other public places. However, this approach is nothing more than "Security Through Obscurity". It's important to understand that even though a resource is unknown to an attacker, it still remains accessible directly through a specific URL. The specific URL could be discovered through a Brute Force probing for common file and directory locations (/admin for example), error messages, referrer logs, or documentation such as help files. These resources, whether they are content- or functionality-driven, should be adequately protected.

 

Example

Many web applications have been designed with administrative functionality located directly off of the root directory (/admin/). This directory is usually never linked from anywhere on the web site, but can still be accessed using a standard web browser. The user or developer never expected anyone to view this page because it is not linked, so enforcing authentication is many times overlooked. If attackers were to simply visit this page, they would obtain complete administrative access to the web site.

 

References

NTLM, Wikipedia

[1] http://en.wikipedia.org/wiki/NTLM

 

Authentication, Wikipedia

[2] http://en.wikipedia.org/wiki/Authentication

 

Digest Authentication, Wikipedia

[3] http://en.wikipedia.org/wiki/Digest_access_authentication

 

Improper Authentication

[4] http://cwe.mitre.org/data/definitions/287.html

Comments (0)

You don't have permission to comment on this page.