Fail-Open Login Mechanisms
Fail-open logic is a species of logic flaw (described in detail in Chapter 11) and one that has particularly serious consequences in the context of authentication mechanisms.
The following is a fairly contrived example of a login mechanism that fails open. If the call to db.getUser() throws an exception for some reason (for example, a null pointer exception arising because the user's request did not contain a username or password parameter), then the login will be successful: the empty catch block swallows the exception, the null check on the returned user is never reached, and execution falls through to the code after the try block, which assumes a valid user. Although the resulting session may not be bound to a particular user identity, and so may not be fully functional, this may still enable an attacker to access some sensitive data or functionality.
public Response checkLogin(Session session) {
    try {
        String uname = session.getParameter("username");
        String passwd = session.getParameter("password");
        // Throws if either parameter is absent (null)
        User user = db.getUser(uname, passwd);
        if (user == null) {
            // invalid credentials
            session.setMessage("Login failed.");
            return doLogin(session);
        }
    }
    catch (Exception e) {}   // exception swallowed; falls through to success path
    // valid user (also reached when getUser() threw)
    session.setMessage("Login successful.");
    return doMainMenu(session);
}
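The following is an added, runnable example, not code from the book: it places the fail-open logic above beside a fail-closed rewrite and drives both with the same three requests, including one that omits the password parameter. The Session, Db, User and Outcome types are stand-ins invented for this example (the book does not define them); Outcome replaces the book's doLogin()/doMainMenu() return values, and the constructed Db throws a NullPointerException on a null username or password, which is the failure the text describes.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added example (not from the book): fail-open login beside a fail-closed rewrite.
// Session, Db, User and Outcome are assumed stand-ins for the book's unspecified types.
public class FailOpenLoginDemo {

    enum Outcome { MAIN_MENU, LOGIN_PAGE }

    static final class User {
        final String name;
        User(String name) { this.name = name; }
    }

    // Request parameters; getParameter() returns null when the parameter is
    // absent, as HttpServletRequest.getParameter() does.
    static final class Session {
        private final Map<String, String> params = new HashMap<>();
        String message = "";
        Session with(String k, String v) { params.put(k, v); return this; }
        String getParameter(String name) { return params.get(name); }
        void setMessage(String m) { message = m; }
    }

    // Constructed credential store. Like many real lookups it throws a
    // NullPointerException when handed a null username or password.
    static final class Db {
        User getUser(String uname, String passwd) {
            Objects.requireNonNull(uname, "username");
            Objects.requireNonNull(passwd, "password");
            boolean valid = uname.equals("alice") && passwd.equals("correct horse");
            return valid ? new User("alice") : null;
        }
    }

    static final Db db = new Db();

    // The book's logic: any exception skips the null check and falls
    // through to the "valid user" path.
    static Outcome checkLoginFailOpen(Session session) {
        try {
            String uname = session.getParameter("username");
            String passwd = session.getParameter("password");
            User user = db.getUser(uname, passwd);
            if (user == null) {
                session.setMessage("Login failed.");
                return Outcome.LOGIN_PAGE;
            }
        } catch (Exception e) {
        }
        session.setMessage("Login successful.");
        return Outcome.MAIN_MENU;
    }

    // Fail-closed rewrite: the only path to the main menu is a non-null
    // User; every other path, including an exception, denies access.
    static Outcome checkLoginFailClosed(Session session) {
        User user = null;
        try {
            String uname = session.getParameter("username");
            String passwd = session.getParameter("password");
            if (uname != null && passwd != null) {
                user = db.getUser(uname, passwd);
            }
        } catch (Exception e) {
            // Record the error for operators, but never let it become a login.
            System.err.println("login error: " + e);
            user = null;
        }
        if (user == null) {
            session.setMessage("Login failed.");
            return Outcome.LOGIN_PAGE;
        }
        session.setMessage("Login successful.");
        return Outcome.MAIN_MENU;
    }

    public static void main(String[] args) {
        Session ok = new Session().with("username", "alice").with("password", "correct horse");
        Session wrong = new Session().with("username", "alice").with("password", "nope");
        Session missing = new Session().with("username", "alice"); // no password parameter

        System.out.println("valid   : open=" + checkLoginFailOpen(ok) + " closed=" + checkLoginFailClosed(ok));
        System.out.println("wrong   : open=" + checkLoginFailOpen(wrong) + " closed=" + checkLoginFailClosed(wrong));
        System.out.println("missing : open=" + checkLoginFailOpen(missing) + " closed=" + checkLoginFailClosed(missing));
    }
}
```

Both handlers agree on the valid and wrong-password requests; they diverge on the request with no password parameter, which the fail-open version sends to the main menu and the fail-closed version sends back to the login page. Two design choices make the difference: the authenticated state is held in a variable that starts as "no user" and is only ever set on the success path, and the catch block logs rather than swallows, so the error is visible to operators without changing the outcome. The same pattern applies to any control whose default must be deny, such as authorization checks and rate limits.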