How to write secure code?

Protect yourself against Broken Auth & Session Management!

Need for Secure Code?

I have been working on secure coding practises and trying to learn as many essential points as possible. In the past few years of being in info-sec i have realised about the amount of damage a small vulnerability can have in the life of a common man. Cyber attacks like the WannaCry and Petya ransomware are pretty fresh in the mind of several people who suffered ’cause of it.

Still every passing day researchers are able to find one after the another highly severe bugs in the web apps and other domains. This trend won’t be going down unless programmers become self aware about the code they are writing. The code shouldn’t just be able to carry out the intended work it is supposed to but also be able to fend off any malicious payload and attack scenarios. The best way to do that is by being able to make a synergy between the coding and the security community and help each other out.

Let’s dig in!

So, this particular article of “How to write secure code?” is focused on the Broken auth problem and the Session management issue.

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume the identity of another user.

In this article I will go through few different types such attacks and methods you can use to prevent against them :-

1. Hard-Coding login credentials

Hard Coding login credentials is one of the most rookie mistake a programmer can make as that is as good as serving credentials to the hackers on a silver platter. Sensitive data should never be hard coded.

Insecure Code - Hard coded creds

The code on the side is one of those examples where the login credentials are hard coded in the code written by the programer.

Whereas the code present below is an example where credentials are not hard coded in the program making it exponentially more secure than the ones where the creds are hard coded.

Secure Code - Creds are not hard coded

Such small differences can make a huge impact to the security of the application.

2. Cookie Manipulation

Cookie manipulation is rising as one of the most dangerous attacks that is carried out these days as more and more authentication process is carried out by checking the cookie details that is presented by the user.

Attackers are finding ways to break and figure out how the web apps assign cookies so as they can manipulate them and pose as some other user carrying out account takeover.

Let me demonstrate that how an attacker might take advantage ok weak cookie that are being assigned to the user or if the cookie are kept the same.

This image on the side is a login portal where we are going to carry out the attack & show the problems with weak cookie implementation.

Once we login into to the application we intercept the traffic in Burp-Suite to have a look at it and the cookies that are being passed over to authenticate us as a user.

Cookie details

The above image displays the four “Set-Cookie” parameters that is assigned when we try to login. These four different cookies login, PHPSESSID, show hints, username and the uid. We suspect that the uid is unique for each and every user. So we go ahead and tamper with the uid to check if we can get access of someone else’s account.

Modifying cookie

To capture the value of the cookie we use the Cookie Manager extension present in the browser and then pass the request. We change our “uid” from 24 to 12, as shown below.

Modified cookie

As soon as we modify the cookie value we can see that we have carried out an account takeover attack as we get access to the other user’s account.

The reason why this attack went through was that the PHPSESSID wasn’t modified at all before and after the user logged-in making the “uid” the only deciding factor for identifying which user has just signed-in to their account. As we can see above that is easily manipulated allowing the account takeover.

To avoid something like this from happening we need to re-assign the cookie after the login attempt and we nee to keep in mind that the cookie must be unique as well. Here is an idea of how you could do the following.

// Issue is same session object is being used so get current session
HttpSession before_login = request.getSession();
//Invalidate that session
before_login.invalidate();
//Generate a new session, new JSESSIONID
HttpSession after_login = request .getSession(true);

The above code is used to change SESSIONID cookie before and after login.

3. User Enumeration via Web Service

The problem of enumeration is pretty serious deal as it lets the attacker figure out the usernames / email ids of users that are present on the application and the following detail can be later on used for brute force attacks.

We carry this attack on Burp-Suite using the Widsler extension and utilising the “getuser” functionality of it. So, we try to collect the response from the system when we enter the valid username and then we enter a random string which isn’t a username and check for the response then. We can see the respective response in the images below.

User does not exist

The image above is a request and response that we received when the user with the certain username does not exist. We sent the request query in the repeater to check the response.

User does exist

The image above is a request and response that we received for the condition where the user did exist. We sent the request query in the repeater to check the response and got a different response back this time. This gave us an idea that we can enumerate users based on the response that we receive back.

So, we pass the request in the intruder tab and then carry out a brute force to check for various users those who utilise the application.

Enumerated Usernames

The major problem here is that developers are actually putting too much details in the response query. As in this attack we can clearly see that because of too much information in the response we could figure out that which of the users with corresponding usernames existed and which of them did not. We need to make some standardised message so that the attacker could not just figure out using some simple enumeration technique.

4. Brute Force attack

This is the next stage attack that is carried out once the attacker has enumerated the users and their usernames via the previous method.

The image beside displays the login page where we have already enumerated the users and need to carry out the brute force attack to know the login credentials of those users.

So, when we attempt to login we intercept the traffic in Burp-Suite and capture the request packet and send it over to the intruder.

Request Query

Now, that we have the usernames already enumerated we carry out the hit and try, brute force attack. We obtain a group of common password from the internet and run our attack to figure out the corresponding passwords.

Brute Force attack via Burp-Suite

Brute Force kind of attack must never be allowed under any circumstance. Account lockout functionality should always be present as it saves the application from being brute-forced and spewing out user credentials. Brute force can also be countered by allowing users not to use dictionary words, use passwords of certain lengths of better ask them to use passphrase. The passwords of the users should always be hashed before being stored, the usage of salt with the hash is incredibly important as well.

Moral

We can take the following precautions and keep these mental notes while trying to battle the Broken Auth & Session Management issues.

Broken Authentication

  • Unrevealing error / success messages
  • Never hard code credentials
  • Password policy enforcement ( ageing, strength, hashes with salts )

Session Management

  • Unpredictability in tokens ( i.e. secure randomness )
  • Expiration policies, login/logout resets
  • Use of strong Encryption
  • Complex Cookie Security

Read my other article regarding “ Secure Coding Practises ”

~ Injection Attacks — https://bit.ly/2OqkRv5
~ Cross Site Scripting — https://bit.ly/2TcpU2Y

If you enjoyed it please do clap and happy hacking!

Twitter : twitter.com/aditya12anand

LinkedIn : linkedin.com/in/aditya12anand/

E-mail : aditya12anand@protonmail.com