Web Application Security Assessment: Broken Authentication and Access Control

Access control policies ensure that users cannot act outside of their intended permissions. See how Web Application Security is assessed.

API: GET Web Application Security Evidence: Broken Authentication and Access Control [/v1/companies/company_guid/findings?risk_vector=web_appsec]

Table of Contents

• CMS Administration Portal Exposed
• Cross-Site Request Forgery (CSRF) Mitigations Present
• Authentication on Insecure Channel

CMS Administration Portal Exposed

Content Management System (CMS) administration portals are frequently exposed to the Internet and are prime targets for brute force attacks. Since these interfaces are typically present at well-known URLs, it is trivial to discover such interfaces for brute force attacks.

Finding Message: Exposed content management system (CMS) admin interface

Frameworks Referenced

Grading & Conditions

We scan each website looking for known CMS administration portals and issue a WARN finding for each one exposed to the Internet.

Minimum weight: 0

Maximum weight: 10

Possible Grades:

Weight = 0

\

Weight = 10

Condition = A CMS administration portal is exposed to the Internet.

Mitigation

Website owners should avoid exposing administrative interfaces to the Internet, instead only making them accessible via a VPN, internal network, or behind a firewall.

Cross-Site Request Forgery (CSRF) Mitigations Present

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a web application against which they are currently authenticated. CSRF attacks exploit the trust a web application has in an authenticated user’s browser session.

Finding Message: A CSRF token is either missing, not included as a hidden form field, or lacks sufficient entropy (less than 128 bits)

Frameworks Referenced

Grading & Conditions

We issue an informational finding (NEUTRAL) whenever we fail to identify a CSRF mechanism in use without the adequate configuration. Since there is no standard method to define the name for these tokens, we will only consider those used by known CSRF frameworks.

Weight = Not Applicable.

Condition = Missing CSRF mechanism with adequate configuration. Findings of this type are informational only.

Mitigation

Implement CSRF protection for all state-changing requests (e.g., POST, PUT, DELETE). Tokens should:

• Be unique per session or request
• Be transmitted as hidden form fields (not in URLs)
• Include at least 128 bits of entropy to ensure unpredictability

Authentication on Insecure Channel

This assessment looks for situations where a web application is requesting authentication from a user on an insecure channel.

The following situations are considered:

• Web application is requesting credentials via the www-Authenticate header over an insecure non-HTTPS connection
• An authentication HTML form is being presented over an insecure non-HTTPS connection
• Password forms are requesting credentials on a site loaded with TLS Errors

Finding Message: Authentication over HTTP

Frameworks Referenced

Grading & Conditions

Minimum weight: 0

Maximum weight: 1000

Possible Grades:

Weight = 0

Weight = 10

Condition = A password form is requesting credentials on a site loaded with the "Obsolete connections settings" TLS error.

Weight = 1000

Condition =

• We identified a request for credentials via the www-Authenticate header over non-HTTPS (high severity).
• A password form is requesting credentials over HTTP.
• A password form is requesting credentials on a site loaded with the “This site is missing a valid, trusted certificate” TLS error.

Mitigation

All authentication mechanisms should always be served through a secure channel.