Authentication Endpoints — Potential Security Vulnerabilities

Yair Nevet
Jul 5, 2021

Many threat actors are motivated to take over user accounts for countless illegitimate reasons, and the most obvious place to start such an attack is the authentication endpoint of a web application.

These acts are driven by a range of dubious incentives. Among the most common motives for mass account takeover are:

  1. Account Sharing
    For example, hijacked accounts with active paid subscriptions (Netflix, Spotify, etc.) are easily resold at a discounted price
  2. Abuse of Social Accounts
    For example, taking over Facebook or Instagram accounts to post fake content, usually on behalf of a brand with many followers, or to extort the owner with a ransom demand in exchange for returning the hijacked account
  3. Confidential Data Theft
    For example, harvesting users' personal data: credit card numbers for fraudulent transactions, or contact details for spam marketing emails

Why specifically authentication endpoints?

Authentication endpoints are the personal entrance gate of every web application and website user, and their sensitivity goes without saying. There are several ways to interact with and authenticate against these endpoints, and each has its own weaknesses. Malicious access to user accounts can cause heavy damage both to the affected user and to the reputation and revenue of the attacked enterprise.

Authentication endpoints are exposed to numerous attacks that you should consider before building them and opening them to the public.

Whether you build and maintain your own auth endpoints or integrate a third-party auth provider to expose them, this write-up lists and describes some of the infamous, common authentication endpoint attacks you should be familiar with in order to protect your endpoints before going public.

What attacks should I watch out for?

Each of the following attacks is described briefly below; mitigation options are covered in Part 2:

Credential Stuffing Attack

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. It is a subset of the brute force category: large numbers of spilled credentials are automatically entered into websites until they match an existing account, which the attacker can then hijack for their own purposes. It works because many people reuse the same password across services, so a pair leaked from one site often opens an account on another, and because each pair is tried only once per account, per-account lockout rarely fires.

Password Spraying Attack

Password spraying is another type of brute force attack. Instead of trying many passwords against one account, the attacker tries a small number of common or default passwords against a long list of usernames. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid the account lockouts that would normally be triggered by brute forcing a single account with many passwords.

This attack is commonly found where the application or an admin assigns a default password to new users.

Brute Force Attack

A brute force attack is a popular cracking method: by some accounts, brute force attacks account for around five percent of confirmed security breaches. It involves 'guessing' usernames and passwords to gain unauthorized access to a system. Brute force is a simple attack method, and against an endpoint with no rate limiting, lockout or password policy it has a high success rate.
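The three attacks above leave different shapes in an authentication log, and those shapes are what a detection rule keys on: credential stuffing and password spraying both look like one source touching many distinct usernames with nearly every attempt failing, while a classic brute force looks like many failures piling up on one username. The following is an added example, not code from the original post. It assumes a log of one JSON object per line with the fields ts, src_ip, user and result, constructed sample lines (RFC 5737 documentation addresses), and illustrative thresholds; it flags both shapes over a sliding time window.

```python
"""Heuristic detection of credential stuffing, password spraying and
single-account brute force over authentication logs.

Added example (not code from the original post). Assumptions: one JSON object
per log line with the fields ts (UTC, ISO-8601), src_ip, user and result
("fail" or "success"); all thresholds are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = "\n".join([
    # 203.0.113.7 walks a username list with one guess each: the shape of
    # both credential stuffing and password spraying.
    '{"ts":"2021-07-05T10:00:00Z","src_ip":"203.0.113.7","user":"alice","result":"fail"}',
    '{"ts":"2021-07-05T10:00:02Z","src_ip":"203.0.113.7","user":"bob","result":"fail"}',
    '{"ts":"2021-07-05T10:00:04Z","src_ip":"203.0.113.7","user":"carol","result":"fail"}',
    '{"ts":"2021-07-05T10:00:06Z","src_ip":"203.0.113.7","user":"dave","result":"fail"}',
    '{"ts":"2021-07-05T10:00:08Z","src_ip":"203.0.113.7","user":"erin","result":"success"}',
    # 198.51.100.9 hammers a single account: classic brute force.
    '{"ts":"2021-07-05T10:01:00Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    '{"ts":"2021-07-05T10:01:01Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    '{"ts":"2021-07-05T10:01:02Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    '{"ts":"2021-07-05T10:01:03Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    '{"ts":"2021-07-05T10:01:04Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    '{"ts":"2021-07-05T10:01:05Z","src_ip":"198.51.100.9","user":"admin","result":"fail"}',
    # 192.0.2.10 is a real user who mistyped once; must not be flagged.
    '{"ts":"2021-07-05T10:02:00Z","src_ip":"192.0.2.10","user":"frank","result":"fail"}',
    '{"ts":"2021-07-05T10:02:05Z","src_ip":"192.0.2.10","user":"frank","result":"success"}',
])


def parse_log(text):
    """Parse JSON-lines auth events, converting ts to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def _windows(evs, window):
    """Yield, for each event, the run of events from it onward that fits in `window`."""
    evs = sorted(evs, key=lambda e: e["ts"])
    j = 0
    for i in range(len(evs)):
        while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
            j += 1
        yield evs[i:j]


def detect(events, window=timedelta(minutes=10), min_users=4,
           min_fail_ratio=0.75, min_failures=5):
    """Return a list of alert dicts for two attack shapes.

    spray_or_stuffing: one source trying many distinct usernames, almost all
        failing. Per-account lockout never fires here because each account
        sees only one or two attempts; aggregating by source is what catches it.
    brute_force: many failures against one username, from any number of sources.
    """
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
        by_user[e["user"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        best = max(_windows(evs, window), key=lambda w: len({e["user"] for e in w}))
        users = {e["user"] for e in best}
        fails = sum(e["result"] == "fail" for e in best)
        if len(users) >= min_users and fails / len(best) >= min_fail_ratio:
            alerts.append({"kind": "spray_or_stuffing", "src_ip": src,
                           "distinct_users": len(users), "failures": fails,
                           "successes": len(best) - fails})
    for user, evs in by_user.items():
        best = max(_windows(evs, window),
                   key=lambda w: sum(e["result"] == "fail" for e in w))
        fails = sum(e["result"] == "fail" for e in best)
        if fails >= min_failures:
            alerts.append({"kind": "brute_force", "user": user, "failures": fails,
                           "sources": sorted({e["src_ip"] for e in best})})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats worth carrying into a real deployment. First, a stuffing campaign run from a botnet spreads its attempts over thousands of source addresses, so the per-source rule above is blind to it; a fleet-wide baseline (distinct usernames failing per minute across all sources, compared with normal traffic) is the complementary signal. Second, without some record of what password was tried (some systems log a keyed hash of failed attempts), the log cannot tell spraying from stuffing, which is why the alert names both.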

SQL Injection Attack

SQL injection, also known as SQLi, is a common attack vector in which attacker-controlled input is interpreted as SQL, letting the attacker manipulate the backend database and read information that was never intended to be displayed. This may include any number of items, including sensitive company data, user lists or private customer details. On a login endpoint the usual target is the query that checks the submitted username and password: if that input is concatenated into the query text, a crafted username can cut the password comparison out of the statement entirely.
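To make the login case concrete, here is an added example (not code from the original post) of a vulnerable login check beside its hardened form, in Python against an in-memory SQLite database. The schema, the single user record ('alice' with password 'correct horse'), the hash parameters and the two bypass payloads are all assumptions for illustration. The vulnerable version hashes the password before building the query, which is a common legacy pattern and still does nothing for the username field; the hardened version binds parameters and verifies the password in application code.

```python
"""A login check that is open to SQL injection, next to the same check
done safely.

Added example (not code from the original post). The schema, the user
record, the hash parameters and the payloads are assumptions for illustration.
"""
import hashlib
import hmac
import os
import sqlite3


def _legacy_hash(password):
    """Unsalted SHA-256, the kind of hash legacy login code compares inside SQL."""
    return hashlib.sha256(password.encode()).hexdigest()


def _pbkdf2(password, salt):
    """Salted, slow hash for the hardened path (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """In-memory SQLite with one constructed user, 'alice' / 'correct horse'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "legacy_hash TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("alice", _legacy_hash("correct horse"), salt,
                  _pbkdf2("correct horse", salt)))
    return conn


def login_vulnerable(conn, username, password):
    """Splices the submitted username into the statement text.

    Hashing the password before the query does not help: the username
    field is still interpreted as SQL, so a closing quote followed by a
    comment marker (alice'--) discards the password comparison entirely.
    """
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND legacy_hash = '{_legacy_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised lookup; the password is verified in application code."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        _pbkdf2(password, b"\x00" * 16)  # same cost for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(_pbkdf2(password, salt), stored)


# Payloads assumed for illustration; both are classic login bypasses.
BYPASS_PAYLOADS = ["alice'--", "' OR 1=1--"]


def demo():
    """Return {payload: (vulnerable_result, hardened_result)} for each bypass."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, "anything"),
                login_hardened(conn, p, "anything")) for p in BYPASS_PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in demo().items():
        print(f"{payload!r}: vulnerable={vuln} hardened={safe}")
```

The fix is the parameter binding, not input filtering: the driver sends the username as data, so a quote or comment marker in it can never change the statement's structure. Doing the password check in code rather than in SQL is a separate improvement that also lets you use a salted, slow hash and a constant-time comparison.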

I hope you enjoyed reading this part of my article and learned something new about potential attacks on authentication endpoints.

In Part 2 of this post, I’ll elaborate on different tools and mechanisms to mitigate and protect against such attacks. Stay tuned!
