CWE-294: Authentication Bypass by Capture-replay
Learn about CWE-294 (Authentication Bypass by Capture-replay), its security impact, exploitation methods, and prevention guidelines.
What is Authentication Bypass by Capture-replay?
• Overview: This vulnerability occurs when an attacker intercepts and records legitimate communication between a client and server, then replays that recorded communication to gain unauthorized access or perform actions on behalf of the original user.
• Exploitation Methods:
- Attackers can exploit this vulnerability by sniffing network traffic to capture valid authentication tokens or commands.
- Common attack patterns include replaying captured login credentials or session tokens to authenticate as a legitimate user.
• Security Impact:
- Direct consequences include unauthorized access to sensitive information or systems.
- Potential cascading effects involve further exploitation of compromised systems, leading to data breaches or unauthorized transactions.
- Business impact can be severe, including loss of customer trust, legal liabilities, and financial damages.
• Prevention Guidelines:
- Use cryptographic techniques like nonces or timestamps to ensure message uniqueness and prevent replay attacks.
- Implement TLS/SSL to encrypt data in transit, making it difficult for attackers to capture usable data.
- Consider using secure authentication mechanisms like OAuth or multi-factor authentication to reduce reliance on static credentials.
- Recommended tools and frameworks include using libraries that support secure communication protocols and frameworks that implement built-in protection against replay attacks.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
import hashlib
import time
def login_request(username, password):
# Simulate sending a hash of the user's credentials over the network
# Vulnerability: The hash can be captured and replayed by an attacker
credentials_hash = hashlib.sha256((username + password).encode()).hexdigest()
send_to_server(credentials_hash)
def send_to_server(credentials_hash):
# Assume this function sends the credentials hash to the server
pass
Explanation of Vulnerability:
- Lines {4-7}: This code hashes the username and password and sends it over the network. If an attacker captures this hash, they can replay it to authenticate themselves as the user without needing to know the actual password.
How to fix Authentication Bypass by Capture-replay?
Fixed Code Example
Python Example
import hashlib
import os
def login_request(username, password, nonce):
# Fix: Include a nonce in the hash to prevent replay attacks
credentials_hash = hashlib.sha256((username + password + nonce).encode()).hexdigest()
send_to_server(credentials_hash, nonce)
def send_to_server(credentials_hash, nonce):
# The server verifies the nonce has not been used before and matches the given hash
if verify_nonce(nonce):
# Process the request
pass
else:
# Reject the request
pass
def get_nonce():
# Generate a secure random nonce
return os.urandom(16).hex()
# Example usage
nonce = get_nonce()
login_request("user", "pass", nonce)
Explanation of Fix:
- Lines {4-7}: The code now includes a
noncein the hash computation. Each authentication request includes a unique nonce, preventing replay attacks. - Line {10}: The server verifies that the nonce is valid and has not been reused. This effectively mitigates the replay attack vulnerability.
- Line {14}:
get_nonce()generates a secure random nonce, ensuring that each login request is unique.
This improved example clearly demonstrates how to prevent replay attacks by incorporating a nonce in the authentication process and ensuring that each request is unique and verified by the server.