The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Authentication Technologies

There is a wide range of different technologies available to web application developers when implementing authentication mechanisms:

■ HTML forms-based authentication.
■ Multi-factor mechanisms, such as those combining passwords and physical tokens.
■ Client SSL certificates and/or smartcards.
■ HTTP basic and digest authentication.
■ Windows-integrated authentication using NTLM or Kerberos.
■ Authentication services.

By far the most common authentication mechanism employed by web applications uses HTML forms to capture a username and password and submit these to the application. This mechanism accounts for well over 90% of applications you are likely to encounter on the Internet.

In more security-critical Internet applications, such as online banking, this basic mechanism is often expanded into multiple stages, requiring the user to submit additional credentials, such as PIN numbers or selected characters from a secret word. HTML forms are still typically used to capture relevant data.

In the most security-critical applications, such as private banking for high-worth individuals, it is common to encounter multi-factor mechanisms using physical tokens. These tokens typically produce a stream of one-time passcodes, or perform a challenge-response function based on input specified by the application. As the cost of this technology falls over time, it is likely that more applications will employ this kind of mechanism. However, many of these solutions do not actually address the threats for which they were devised — primarily phishing attacks and those employing client-side Trojans.
