Implementation Flaws in Authentication
Even a well-designed authentication mechanism may be highly insecure due to mistakes made in its implementation. These mistakes may lead to information leakage, complete login bypassing, or a weakening of the overall security of the mechanism as designed. Implementation flaws tend to be more subtle and harder to detect than design defects such as poor-quality passwords and brute forcibility. For this reason, they are often a fruitful target for attacks against the most security-critical applications, where numerous threat models and penetration tests are likely to have claimed any low-hanging fruit. The authors have identified each of the implementation flaws described here within the web applications deployed by large banks.