Not Operational
Weak Login Function on Non-Operational Endpoint
Overview of the Vulnerability
Weak login functionality arises from improperly configured authentication practices that weaken the security of an application's authentication process. This application does not protect the confidentiality of users' credentials: it serves a login function on a non-operational endpoint that is not intended for public access and does not encrypt the login traffic. An attacker positioned as a Person-in-the-Middle (PiTM) between the user and the application on the specified IP address can capture administrative credentials and log in to the system with admin privileges.
Business Impact
Weak login functionality can lead to indirect financial loss through an attacker obtaining login credentials and gaining access to the user's account. From there, the attacker could delete or modify data. This could also result in reputational damage for the business through the loss of customers' trust. The severity of the impact depends on the sensitivity of the data stored in, and transmitted by, the application, as well as the privileges of the account the attacker gains access to.
Steps to Reproduce
Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
Use a browser to navigate to the vulnerable endpoint: {{URL or x.x.x.x}}
Man-in-the-Middle (MiTM) the communication and route traffic through your computer:
{{screenshot}}
Attempt to sign into the website using the login button
In the HTTP interception proxy, observe that the requests are unencrypted in transit
Proof of Concept (PoC)
The following screenshots show the full exploit:
{{screenshot}}
Recommendation(s)
Weak login functionality can be remediated by implementing a handful of best practices relating to authentication and session management. These include:
Enable HTTPS for the login page and all subsequent authenticated pages
Prevent browsers from falling back to a plain HTTP connection
Implement the HTTP Strict Transport Security (HSTS) header
Keep all systems, software and operating systems up to date with a repeatable patch management process
Validate all user input server-side
Ensure that the authentication mechanisms and logic are robust and that each request for a resource passes through an authorization process
The verification logic of the application, as well as all of the above, should be thoroughly tested during the development and QA phases of an application build.
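The transport-related recommendations above (HTTPS on the login page, no plain-HTTP fallback, an HSTS header) can be checked against a captured HTTP exchange. The following is an added example, not code from the original report template: it models an exchange as its URL, status and headers, parses the Strict-Transport-Security header, and returns a list of findings for a login endpoint. The `Exchange` class, the `assess_login_transport` function, the one-year `MIN_HSTS_MAX_AGE` threshold and the sample exchanges (which use the documentation address 203.0.113.10) are all constructed for this illustration.

```python
"""Offline check of a login endpoint's transport-security posture.

Added example, not part of the original report template. It evaluates a
captured HTTP exchange (scheme, status, headers) against the recommendations
above: HTTPS on the login page, no plain-HTTP fallback, and a sane HSTS
header. The sample exchanges at the bottom are constructed, not captured.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# One year; assumed threshold for a meaningful HSTS max-age.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class Exchange:
    """A minimal model of one HTTP response (hypothetical helper)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {'max-age': int|None, 'includeSubDomains': bool, 'preload': bool},
    or None when the header is absent.
    """
    if value is None:
        return None
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                result["max-age"] = None
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_login_transport(http_exchange, https_exchange):
    """Return a list of findings for a login endpoint (empty list = OK).

    http_exchange  : response to the login URL requested over plain http://
    https_exchange : response to the same URL requested over https://
    """
    findings = []

    # 1. Plain HTTP must not serve the login form; it should redirect to https.
    if 200 <= http_exchange.status < 300:
        findings.append("login form served over plain HTTP")
    elif 300 <= http_exchange.status < 400:
        location = http_exchange.header("Location") or ""
        if urlsplit(location).scheme != "https":
            findings.append("HTTP redirect does not go to an https:// URL")

    # 2. The HTTPS response must carry HSTS so browsers refuse HTTP fallback.
    hsts = parse_hsts(https_exchange.header("Strict-Transport-Security"))
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        if hsts["max-age"] is None or hsts["max-age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if not hsts["includeSubDomains"]:
            findings.append("HSTS without includeSubDomains")

    # 3. Any session cookie set by the login response must carry Secure.
    set_cookie = https_exchange.header("Set-Cookie")
    if set_cookie and "secure" not in set_cookie.lower():
        findings.append("session cookie set without the Secure attribute")
    return findings


# Constructed sample exchanges (not captured from any real system).
WEAK_HTTP = Exchange("http://203.0.113.10/admin/login", 200,
                     {"Content-Type": "text/html"})
WEAK_HTTPS = Exchange("https://203.0.113.10/admin/login", 200,
                      {"Set-Cookie": "session=abc; HttpOnly"})
HARDENED_HTTP = Exchange("http://203.0.113.10/admin/login", 301,
                         {"Location": "https://203.0.113.10/admin/login"})
HARDENED_HTTPS = Exchange(
    "https://203.0.113.10/admin/login", 200,
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
     "Set-Cookie": "session=abc; Secure; HttpOnly; SameSite=Strict"})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        print(label, assess_login_transport(*pair) or ["ok"])
```

The weak pair reproduces the condition this template describes (the login form answers over plain HTTP with no HSTS), while the hardened pair shows the same endpoint after the recommendations are applied; in a real assessment the two `Exchange` objects would be filled from the interception proxy's captured responses rather than constructed inline.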
For further information, refer to the Open Web Application Security Project (OWASP) guides located at: