Breaking Authentication

The document outlines various authentication methods for web applications, including basic, digest, forms-based, and single sign-on (SSO) authentication. It discusses the mechanics of each method, their security implications, and potential vulnerabilities such as brute force attacks and replay attacks. Additionally, it highlights the importance of implementing robust security measures to protect against common exploits targeting authentication mechanisms.

Uploaded by jinajeganathan

Authentication methods for web applications

• Authentication describes a flow that allows a system to identify a user.


• HTTP basic authentication performs authentication by attaching an Authorization
header to each request.
• The header consists of the string Basic followed by <base64-encoded
username:password>.
• The server decodes the username:password combination and, on each request, checks
it against the database.
• Today, most web applications choose from a suite of authentication architectures,
depending on the nature of the business.
• At present there are at least four different authentication methods created
specifically for web applications, and these are:
– basic authentication,
– digest authentication,
– forms-based authentication, and
– single sign-on (SSO) authentication and shared authentication.
• 1. Basic authentication is an authentication method in which a file with the
.htpasswd extension is needed; that file holds the credentials of the users who have
been granted access to a resource.
Base64 encoding
1. Take the ASCII value of each character in the string.
2. Calculate the 8-bit binary equivalent of the ASCII values.
3. Convert the 8-bit chunks into chunks of 6 bits by simply re-grouping the digits.
4. Convert the 6-bit binary groups to their respective decimal values.
5. Using a base64 encoding table, assign the respective base64 character for each
decimal value.
• Worked example: converting the string "Python" to a Base64 string.
• (As symbols of the Base64 alphabet, the characters P, y, t, h, o, n themselves have the
index values 15, 50, 45, 33, 40, 39 respectively; the encoding below works on their ASCII
bytes, not on these indices.)
1. 8-bit ASCII: 01010000 01111001 01110100 01101000 01101111 01101110
2. Regrouped into 6-bit chunks: 010100 000111 100101 110100 011010 000110 111101 101110
3. Decimal values: 20 7 37 52 26 6 61 46
4. Looking each value up in the Base64 table gives U H l 0 a G 9 u, so "Python" is
represented as UHl0aG9u when Base64 encoded.
• If we can intercept the credentials by sniffing or using a proxy like Burp Suite, there are a
number of tools available that can decode this simple Base64 encoding.
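As an added example (not code from the slides), the five encoding steps above implemented literally and generalised to inputs whose length is not a multiple of 3 (the '=' padding case the slide does not show), plus the reverse walk that shows why a captured Basic header needs no key to read. The alice/s3cret credentials are constructed sample values.

```python
import base64  # standard library, used only to cross-check the hand-rolled encoder

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode_by_steps(data: bytes) -> str:
    """Steps 1-5 from the slide, generalised to inputs whose length is not a multiple of 3."""
    bits = "".join(f"{b:08b}" for b in data)                   # steps 1-2: 8-bit chunks
    bits += "0" * ((-len(bits)) % 6)                            # zero-fill the last 6-bit group
    groups = [bits[i:i + 6] for i in range(0, len(bits), 6)]   # step 3: regroup into 6 bits
    values = [int(g, 2) for g in groups]                        # step 4: decimal values
    encoded = "".join(B64_ALPHABET[v] for v in values)          # step 5: table lookup
    return encoded + "=" * ((3 - len(data) % 3) % 3)            # '=' pads to a 4-char boundary


def base64_decode_by_steps(text: str) -> bytes:
    """The reverse walk: table index -> 6-bit groups -> 8-bit bytes, dropping fill bits."""
    bits = "".join(f"{B64_ALPHABET.index(c):06b}" for c in text.rstrip("="))
    bits = bits[: len(bits) - len(bits) % 8]                    # discard the incomplete byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def basic_header_value(username: str, password: str) -> str:
    """What the browser puts in the Authorization header for HTTP Basic."""
    return "Basic " + base64_encode_by_steps(f"{username}:{password}".encode())


def credentials_from_basic_header(value: str):
    """Anyone who sees the header recovers the pair with no key: Base64 is encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64_decode_by_steps(token).decode().partition(":")
    return username, password


if __name__ == "__main__":
    print(base64_encode_by_steps(b"Python"))                    # UHl0aG9u, as on the slide
    assert base64_encode_by_steps(b"Python") == base64.b64encode(b"Python").decode()
    print(credentials_from_basic_header(basic_header_value("alice", "s3cret")))  # constructed
```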
• 2. The second authentication scheme is digest authentication, the method that is
widely used by web servers today.
• It is used to negotiate credentials between the server and the users.
• Digest authentication was considered a very acceptable scheme, but according to the
technical reports it did not create that kind of impact.
– A client makes a request without the Authorization header to a specific route in a
server application.
– The server responds to the client with a 401 Unauthorized.
– The client displays a login dialog where the user can enter credentials.
– The server validates the credentials sent by the client and responds with the requested
content.
• Digest authentication is a bit more secure, but it is vulnerable to replay attacks.
• It creates a one-way hash (MD5) that is sent to the server for authentication.
Replay Attack
• 3. Forms-based authentication is the most used of the schemes covered here, because it
has the special capability of connecting to the DBMS and also of tracking user sessions.
• Form-based authentication is the more common form of authentication in HTTP.
• It is a highly customizable format that usually uses HTML FORM and INPUT tags.
• The form has both username and password fields; the information the user enters there
is included in a GET or POST request over either HTTP or HTTPS.
• A client requests access to a protected resource.
• If the client is unauthenticated, the server redirects the client to a login page.
• The client submits the login form to the server.
• The server attempts to authenticate the user.
– If authentication succeeds, the authenticated user’s principal is checked to ensure that it
is in a role that is authorized to access the resource. If the user is authorized, the server
redirects the client to the resource by using the stored URL path.
– If authentication fails, the client is forwarded or redirected to an error page.
• If TLS or SSL is not enabled, though, the credential will be sent in plaintext.
• 4. Single sign-on (SSO) authentication and shared authentication methods are regarded
as a part of access control.


• 1. A user browses to the application or website they want access to.
• 2. The Service Provider sends a token that contains some information about the user, like
their email address, to the SSO system, the Identity Provider, as part of a request to
authenticate the user.
• 3. The Identity Provider first checks to see whether the user has already been
authenticated, in which case it will grant the user access to the Service Provider
application and skip to step 5.
• 4. If the user hasn't logged in, they will be prompted to do so by providing the credentials
required by the Identity Provider. This could simply be a username and password or it
might include some other form of authentication like a One-Time Password (OTP).
• 5. Once the Identity Provider validates the credentials provided, it will send a token back
to the Service Provider confirming a successful authentication.
• 6. This token is passed through the user's browser to the Service Provider.
• 7. The token that is received by the Service Provider is validated according to the trust
relationship that was set up between the Service Provider and the Identity Provider during
the initial configuration.
• 8. The user is granted access to the Service Provider.
• Broken authentication can include automated attacks such as using a list in
a brute force or credential stuffing attack.
• Brute force is done by trying as many username and password combinations as
possible until the right one is found.
• To prevent the use of rainbow tables against digest authentication, the
server sends a nonce which acts like a salt.
• This MD5 hash cannot be decrypted, but it can be captured and replayed by the
attacker.
• Digest authentication is stronger than basic authentication because the credentials
are not sent over the insecure channel, just the MD5 hash of the credentials.
• Although it is difficult to crack this MD5 hash, the hash can be captured en route to
the server. Once captured, replaying it gives anyone access to the account.
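An added illustration (not code from the slides) of the digest exchange described here and in the flow above: the client computes the RFC 2617 response from the server's nonce, and the server side shows the check that defeats the replay the slides warn about, treating each issued nonce as single-use. The realm, username, password and request values are constructed.

```python
import hashlib
import secrets

REALM = "example-realm"   # constructed sample value, not from the slides


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """Client side of RFC 2617 Digest in its simplest form (no qop):
    response = MD5( MD5(username:realm:password) : nonce : MD5(method:uri) ).
    The password itself never leaves the client; only this one-way hash does."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Holds HA1 per user (not the password) and remembers every nonce it issued.
    Consuming a nonce on first use is what stops a captured Authorization header
    from being accepted a second time; a server that accepts any nonce lacks this."""

    def __init__(self, users: dict):
        self.ha1 = {u: md5_hex(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self) -> str:
        """Sent in the 401 response; fresh random bytes, so it also acts as a salt."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        if nonce not in self.live_nonces:       # never issued, or already consumed: replay
            return False
        self.live_nonces.discard(nonce)         # single use
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, response)
```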
• There are certain attacks that target the authentication schemes of web applications
and these include the following:
– brute force or dictionary attacks, phishing, and others like malware and
keyloggers.
• The tools utilized in this method of breaking into authentication schemes are Brutus,
wwwhack, AccessDriver, and thc-hydra.
• Certain defense systems were recommended to fight off this attack and these are the
use of URL scanners, OpenDNS, as well as the PhishTank.
• Scan your website with the Penetrator auditing software and see if you are vulnerable
to the different types of attacks.
• Authentication mechanisms are easy targets for attackers, particularly
if the authentication mechanisms are fully exposed or public.
• These two points make the authentication component potentially
vulnerable to many exploits.
• Authentication in APIs has two sub-issues:
– Lack of protection mechanisms - API endpoints that are responsible for
authentication must be treated differently from regular endpoints and
implement extra layers of protection.
– Misimplementation of the mechanism - The mechanism is used or
implemented without considering the attack vectors, or the mechanism is
not appropriate for the use case.
– As an example, an authentication mechanism designed for IoT devices is
typically not the right choice for a web application like an eCommerce site.
• Technical factors leading to broken authentication in APIs are numerous and include:
– Weak password complexity
– Short or missing password history
– Excessively long durations for password and certificate rotations
– Authentication material exposed in URLs and GET requests
– Authentication tokens with insufficient entropy
– Use of API keys as the only authentication material
– Failure to validate authenticity of authentication material
– Insecure JSON Web Token (JWT) configuration, such as use of a weak digital signature
algorithm or missing signatures
– Use of small key sizes in encryption or hashing algorithms
– Use of weak or broken ciphers
– Failure to step-up authentication if authentication flows are being targeted, such as
dynamically challenging with CAPTCHA or second factor authentication (2FA) material.
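As an added example (not from the slides) of the step-up decision in the last bullet, applied to the brute force and credential stuffing attacks described earlier: detection logic over a constructed login log that tells the two patterns apart and says which challenge to apply. The log format, addresses, thresholds and window are assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not from the slides): "<ts> <src_ip> <username> <outcome>"
SAMPLE_LOG = """\
1 203.0.113.5 alice FAIL
2 203.0.113.5 alice FAIL
3 203.0.113.5 alice FAIL
4 203.0.113.5 alice FAIL
5 198.51.100.9 bob OK
6 192.0.2.77 carol FAIL
7 192.0.2.77 dave FAIL
8 192.0.2.77 erin FAIL
9 192.0.2.77 frank FAIL
"""
THRESHOLD = 4   # failed logins inside WINDOW that trigger a step-up challenge (assumed)
WINDOW = 60     # seconds (assumed)


def parse_log(text):
    rows = [line.split() for line in text.splitlines()]
    return [(int(ts), ip, user, outcome) for ts, ip, user, outcome in rows]


def max_in_window(times):
    """Largest number of events falling inside any WINDOW-second sliding interval."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def step_up_decisions(rows):
    """Map each targeted account or abusive source to the challenge it should get.
    Brute force = many failures against one account; credential stuffing = one source
    failing against many distinct accounts, which a per-account counter alone misses."""
    per_user, per_ip = defaultdict(list), defaultdict(list)
    for ts, ip, user, outcome in rows:
        if outcome == "FAIL":
            per_user[user].append(ts)
            per_ip[ip].append((ts, user))
    decisions = {}
    for user, times in per_user.items():
        if max_in_window(times) >= THRESHOLD:
            decisions["user:" + user] = "brute-force: require 2FA for this account"
    for ip, events in per_ip.items():
        times = [t for t, _ in events]
        if max_in_window(times) >= THRESHOLD and len({u for _, u in events}) >= THRESHOLD:
            decisions["ip:" + ip] = "credential-stuffing: CAPTCHA all logins from this source"
    return decisions
```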
