Broken Authentication and IDOR – A Big but Solvable Problem
By Team, Inspectiv
One of the biggest problems we have in information security today is Broken Authentication and IDOR. The 2021 Verizon Data Breach Investigation Report (DBIR) shows that bad actors use stolen credentials a large percentage of the time. As a result, we have a massive problem with broken access control in our networks. In fact, it is number two on the OWASP top 10, just behind Injection including SQL injection.
Broken Authentication through Credential Stuffing
OWASP provides us with a few attack scenarios, and their first is credential stuffing. Credential stuffing is when a bad actor uses the plethora of known identity and password combinations from past breaches. The bad actors use the stolen credentials find working combinations for a server today. If a user never changed their password after a breach or, more likely, reused that combination on another server, then the bad actor will eventually find a way into the servers. This is one of the most frequently used methods by bad actors to take over user accounts.
A Solution – MFA
Preventing credential stuffing attacks is entirely possible. The recommend defense to this attack and several others by NIST SP 800-63 is Multi-Factor Authentication (MFA). If an identity/password combination could work, but there is also a need to have the phone or device that will generate a one-time password, then the bad actor’s access is blocked.
An Alternative Solution – Secondary passwords
There are other choices if MFA cannot defend a server, its data, and the corporation. These choices include options that have the user remember a secondary piece of information. This could be a second password, a PIN, or Security Questions. This is not MFA as a password and a pin are both items that a user must know.
Another Alternative – CAPTCHA
Adding CAPTCHA to a login system can prevent the automated attempts to breach a system. If the attacker is using a tool to automatically try all of the leaked identification/password combinations it won’t work. CAPTCHA requires a human to interact with the system. Automated tools have not been able to replicate this, yet. Both CAPTCHA and a secondary password and PIN are not ideal, but they can help solve this problem.
Broken Authentication and IDOR
There is another problem within Broken Authentication that security professionals and developers must also address: Insecure Direct Object Reference (IDOR.) Broken authentication and IDOR occur when a developer exposes the reference value for an internal object. So, if the user can request direct access to an object with the added complication of not being validated and authenticated, then a bad actor can do the same and steal our data. So, for example, if a user can request a document by record identifier without having to prove their identity, then the world’s bad actors will be able to do it as well.
Disguise the Reference
If the software/server used a salted hash of that reference instead, it would be complicated for the bad actor to exploit it. The bad actor may guess the hash algorithm and the reference value, but the salt would be complicated also to guess, preventing their access to our data. IDOR is something that security researchers can find, and it is essential to do before a compromise occurs.
Inspecitv works with 1700+ vetted security researchers to continuously scan and identify security vulnerabilities. Taking the perspective of an external attacker, Inspectiv identifies assets, continuously monitors for vulnerabilities, validates, deduplicates, and then provides this critical information in a streamlined and actionable format.
Contact us to discover how our crowdsourced security platform can aid in protecting your company from the ever-present threats and vulnerabilities to your online applications.