Chapter 6  ■ Attacking Authentication

which account their session is currently using. An attacker may be able

to modify this value and gain access to other user accounts without

authentication, as shown in Figure 6-6.

Figure 6-6: A vulnerable user impersonation function

■■

If an application allows administrative users to be impersonated, then

any weakness in the impersonation logic may result in a vertical privi-

lege escalation vulnerability — rather than simply gaining access to

other ordinary users’ data, an attacker may gain full control of the

application.

■■

Some impersonation functionality is implemented as a simple “back-

door” password that can be submitted to the standard login page along

with any username in order to authenticate as that user. This design is

highly insecure for many reasons, but the biggest opportunity for

attackers is that they are likely to discover this password when per-

forming standard attacks such as brute forcing of the login. If the back-

door password is matched before the user’s actual password, then the

attacker is likely to discover the function of the backdoor password and

so gain access to every user’s account. Similarly, a brute-force attack

might result in two different “hits,” thereby revealing the backdoor

password as shown in Figure 6-7.

Download 5,76 Mb.

Do'stlaringiz bilan baham: