Corgea LogoCorgea Security Hub

CWE-287: Improper Authentication

Learn about CWE-287 (Improper Authentication), its security impact, exploitation methods, and prevention guidelines.

What is Improper Authentication?

• Overview: Improper Authentication occurs when a system does not adequately verify or prove the identity of a user or entity attempting to access it. This means that anyone can potentially claim to be a legitimate user without sufficient verification.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by using techniques such as credential stuffing, brute force attacks, or leveraging default credentials to gain unauthorized access.
  • Common attack patterns include submitting fraudulent authentication requests that the system accepts without proper validation.

• Security Impact:

  • Direct consequences include unauthorized access to sensitive data or systems, leading to data breaches.
  • Potential cascading effects may involve privilege escalation, data manipulation, or further infiltration into a network.
  • Business impact can include loss of customer trust, legal liabilities, and financial losses due to data breaches or service disruptions.

• Prevention Guidelines:

  • Specific code-level fixes include implementing strong authentication mechanisms such as multi-factor authentication (MFA) and regularly updating authentication libraries.
  • Security best practices involve enforcing complex password policies, logging and monitoring authentication attempts, and limiting failed login attempts.
  • Recommended tools and frameworks include using off-the-shelf, well-maintained authentication frameworks and libraries, as well as employing security testing tools to identify authentication weaknesses.
Corgea can automatically detect and fix Improper Authentication in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: High

Affected Languages: Not Language-Specific

Affected Technologies: ICS/OT

Vulnerable Code Example

JavaScript Example

// A basic login function that checks the username and password
function login(username, password) {
    const user = database.getUser(username);
    // Vulnerable: If the user is not found, user is undefined, and this line will throw an error
    if (user.password === password) {
        return "Login successful!";
    }
    return "Login failed!";
}

Explanation:

  • Vulnerability: This code assumes that database.getUser(username) will always return a valid user object. If the username is not found, user will be undefined, and accessing user.password will result in a runtime error. This can be exploited by attackers to cause a denial of service.
  • Security Issue: It does not properly verify whether the user object exists before attempting to access its properties, leading to improper authentication handling.

How to fix Improper Authentication?

To fix this vulnerability, we need to ensure that we properly handle the case when the user does not exist. This involves:

  1. Verifying whether the user object is undefined before trying to access its properties.
  2. Implementing a secure hash comparison for passwords instead of plain text comparison.
  3. Using a function to safely compare hashes to prevent timing attacks.

Fixed Code Example

// Improved login function with proper checks and secure password handling
function login(username, password) {
    const user = database.getUser(username);
    if (!user) {  // Check if user exists
        return "Login failed!";
    }
    // Secure password comparison using a hash function
    const hashedInputPassword = hashPassword(password);
    if (secureCompare(user.hashedPassword, hashedInputPassword)) {
        return "Login successful!";
    }
    return "Login failed!";
}

// Securely compares two strings to prevent timing attacks
function secureCompare(a, b) {
    if (a.length !== b.length) {
        return false;
    }
    let result = 0;
    for (let i = 0; i < a.length; i++) {
        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
    }
    return result === 0;
}

// Example of a hash function (e.g., using bcrypt)
function hashPassword(password) {
    // Assuming a bcrypt hashing function is used here
    return bcrypt.hashSync(password, bcrypt.genSaltSync(10));
}

Explanation:

  • Existence Check: We added a check to ensure that user is not undefined before proceeding to password verification.
  • Secure Password Handling: Passwords are now securely hashed and compared using bcrypt, and a secureCompare function is used to prevent timing attacks.
  • Security Controls: By using proper existence checks and secure password handling, we ensure that the authentication process is both correct and secure, reducing the risk of improper authentication vulnerabilities.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-287: Improper Authentication and get remediation guidance

Start for free and no credit card needed.