The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

On the face of it, authentication is conceptually among the simplest of all the

security mechanisms employed within web applications. In the typical case, a

user supplies her username and password, and the application must verify

that these items are correct. If so, it lets the user in. If not, it does not.

Authentication also lies at the heart of an application’s protection against

malicious attack. It is the front line of defense against unauthorized access, and

if an attacker can defeat those defenses, they will often gain full control of the

application’s functionality, and unrestricted access to the data held within it.

Without robust authentication to rely upon, none of the other core security

mechanisms (such as session management and access control) can be effective.

In fact, despite its apparent simplicity, devising a secure authentication

function is an extremely subtle business, and in real-world web applications

authentication is very often the weakest link, which enables an attacker to gain

unauthorized access. The authors have lost count of the number of applica-

tions that we have fundamentally compromised as a result of various defects

in authentication logic.

This chapter will look in detail at the wide variety of design and implemen-

tation flaws that commonly afflict web applications. These typically arise

because the application designers and developers fail to ask a simple question:

What could an attacker achieve if he were to target our authentication mecha-

nism? In the majority of cases, as soon as this question is asked in earnest of a