# Broken Authentication (API2:2023)
This vulnerability arises when the security mechanisms that authenticate users before they can access resources are insufficient, allowing an attacker to disrupt the service or gain access to protected information.
* Example
A POST request that logs a user in by submitting their credentials:
```http
POST /api/login

Body:
{
  "username": "exampleuser",
  "password": "secretpassword"
}
```
### Non-compliant code (.NET)
```c#
// Non-compliant code
[ApiController]
[Route("api/[controller]")]
public class UserController : ControllerBase
{
    /// <summary>
    /// Verifies the supplied credentials and, on success, returns an authentication token.
    /// </summary>
    /// <param name="username">User name taken from the request.</param>
    /// <param name="password">Password taken from the request.</param>
    /// <returns>200 with the token when the credentials are accepted; 401 otherwise.</returns>
    [HttpPost]
    public IActionResult Login(string username, string password)
    {
        // Guard clause: reject bad credentials before issuing anything.
        if (!AuthenticateUser(username, password))
        {
            return Unauthorized();
        }

        return Ok(GenerateAuthToken(username));
    }

    /// <summary>
    /// Returns the record of the requested user.
    /// </summary>
    /// <param name="userId">Identifier of the record to read.</param>
    /// <returns>200 with whatever the data store returns for <paramref name="userId"/>.</returns>
    /// <remarks>
    /// Non-compliant: the action carries no [Authorize] attribute and never looks at who the
    /// caller is, so an unauthenticated request can read any user's record simply by
    /// supplying that user's id.
    /// </remarks>
    [HttpGet]
    public IActionResult GetUserData(int userId)
    {
        var record = Database.GetUserById(userId);
        return Ok(record);
    }

    // Other methods...
}
```
### Compliant code (.NET)
```c#
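// Compliant code
[ApiController]
[Route("api/[controller]")]
public class UserController : ControllerBase
{
    private readonly IUserService _userService;
    private readonly IAuthenticationService _authenticationService;

    public UserController(IUserService userService,
                          IAuthenticationService authenticationService)
    {
        _userService = userService;
        _authenticationService = authenticationService;
    }

    /// <summary>
    /// Verifies the credentials in <paramref name="loginModel"/> and issues an
    /// authentication token on success.
    /// </summary>
    /// <param name="loginModel">Credentials bound from the request body.</param>
    /// <returns>200 with the token when authentication succeeds; 401 otherwise.</returns>
    [HttpPost]
    public IActionResult Login(LoginModel loginModel)
    {
        if (!_authenticationService.AuthenticateUser(loginModel.Username, loginModel.Password))
        {
            return Unauthorized();
        }

        // Generate and return authentication token
        var token = _authenticationService.GenerateAuthToken(loginModel.Username);
        return Ok(token);
    }

    /// <summary>
    /// Returns the data of the requested user, but only when the caller's token
    /// identifies that same user.
    /// </summary>
    /// <param name="userId">Identifier of the record being requested.</param>
    /// <returns>
    /// 200 with the user data when the "UserId" claim equals <paramref name="userId"/>;
    /// 401 when the caller carries no claims identity or no parseable "UserId" claim;
    /// 403 when the caller is authenticated but asks for a different user's record.
    /// </returns>
    [HttpGet]
    [Authorize]
    public IActionResult GetUserData(int userId)
    {
        // [Authorize] has already rejected anonymous callers; this only narrows the
        // principal's identity to the claims-based type we need.
        if (HttpContext.User.Identity is not ClaimsIdentity identity)
        {
            return Unauthorized();
        }

        // The caller's own id is read from the validated token, never from the request,
        // so the requester cannot choose it.
        var userIdFromToken = identity.FindFirst("UserId")?.Value;

        // Compare as integers rather than as strings: a string compare of userId.ToString()
        // depends on the current culture's number formatting, and a missing or malformed
        // claim should fail closed. The invariant culture is used because the claim was
        // written by the token issuer, not typed by a user.
        if (!int.TryParse(userIdFromToken,
                          System.Globalization.NumberStyles.Integer,
                          System.Globalization.CultureInfo.InvariantCulture,
                          out var claimedUserId))
        {
            return Unauthorized();
        }

        // An authenticated caller asking for someone else's data is an authorization
        // failure (403), not an authentication failure (401); answering 401 here would
        // tell well-behaved clients to re-authenticate for no reason.
        if (claimedUserId != userId)
        {
            return Forbid();
        }

        // Retrieve user data from the database
        var userData = _userService.GetUserData(userId);
        return Ok(userData);
    }

    // Other methods...
}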
```
## General prevention suggestions
* Use strong and standard authentication mechanisms such as JSON Web Tokens (JWT) or OAuth.
* Use strong encryption to store and transmit sensitive information, for example by encrypting the connection with SSL/TLS.
* Validate authentication information and verify that each authentication request is from a valid user.
* Check carefully that authentication data (such as passwords) is kept secure and encrypted both when it is transmitted and when it is stored on the server.
* Limit the number of failed login attempts and temporarily lock the user account after a certain number of failures.