Broken authentication and authorization can occur when authentication and authorization functions are not implemented correctly, allowing attackers to compromise credentials and exploit flaws. This can lead to valuable business information being leaked, customer dissatisfaction, and financial losses. Issues can be addressed through measures like strong password policies, access control, validating users, and server-side validation. Known security incidents provide examples like personal information of millions being leaked through an API or robberies occurring due to unauthorized access to cash transit details.

1. Broken Authentication and
Authorization
RM Manahari Pemarathna
Master in Information System Management, USC

2. OUTLINE
Authentication
Authorization
Why this happen?
Impact to the Organization
How can we fix this issue
Known Security Incidents

4. Authentication
Authentication is the process of determining whether someone or
something is, in fact, who or what it declares itself to be
Authentication technology provides access control for systems by
checking to see if a user's credentials match the credentials in a
database of authorized users or in a data authentication server

5. 3 Categories
What you know?
What you have?
What you are?

6. Main types of Authentication
• Password based authentication
• Certificate based authentication
• E-token based authentication
• Biometric based authentication
Types of
authentication

8. Password based Authentication
Most common form
May be a string of alphabets, numbers and special characters
To be known by the ENTITY or the THING or a PERSON

10. Certificate Based Authentication
• A Digital Document
• Includes Distinguished Name (DN) and associated public key
• Sign by trusted party called Certificate Authority
• Certificate based authentication is stronger as compared to password
based authentication
• HAVE something rather than KNOW

12. E-token Based Authentication
Small device which generates a new random value every time it is
used
Random value become a basis for authentication
Can be implemented in USB key fob or a smart card
Data physically protected on the device
Store passwords, digital signatures and certificates and passwords

14. Biometric based Authentication
Biometrics means identification of humans by their characteristics
such as fingerprint, voice, iris pattern of the eye, vein pattern, etc.
Form of identification and access control

16. Authorization
Authorization is a security mechanism used to determine user/client
privileges or access levels related to system resources, including
computer programs, files, services, data and application features
Authorization is normally preceded by authentication for user
identity verification

17. Example
For example, if a user tries to access a file that resides on a file server, it
will be the responsibility of the file service to determine whether the
user will be allowed this type of access

18. Why this happen?
When authentication functions related to the application are not implemented correctly
by developers, it allows hackers to compromise passwords or session ID's or to exploit
other implementation flaws using other users credentials
User authentication credentials are not protected when stored.
Predictable login credentials
Passwords, session IDs, and other credentials are sent over unencrypted connections

19. Impact to the Organization
• Valuable Business information can be leaked
• Customer dissatisfy with the organization
• Image of the company will loose
• Disclosure, improper modification, or unavailability of information may incur expenses
• Missed profits for the organization

20. Can we fix this issue ?
• Mapping Authentication Token and user ID
• Proper Session Invalidation - Session should always invalidate at login.
• Attackers cannot use session to access accounts.
• Prevent Guessable User Identifier in cookie - Most of the times you generate the user ID
sequentially so it is very easy to guess, so correct way is to generate a random identifier, associate it with the user and only
store the Random ID in the cookie.
• Strong password reset functionality - ex. Verify if the sender is the real user by asking verification
questions.
• Application data should not contain sensitive information
• Response body should not contain debugging error message -Proper
• exceptions handling instead of returning an error code.
Recommendations to prevent Authentication Bypass

21. Can we fix this issue ?
 Mapping user role with session ID
 Prevent from GUI-Based/ Client side privilege implementation
 Proper access control mechanism - Security technique that regulates who or what can view or use
resources in a computing environment.
- Mandatory Access Control (MAC) - Rule-based access control
- Discretionary access control (DAC) - Attribute-based access control (ABAC)
- Role-Based Assess Control (RBAC)
The goal of access control is to minimize the risk of unauthorized access to physical and logical systems.
 Not using IDOR (Insecure Direct Object Reference) - Variables in the application
such as “id”, “pid”, “uid” are often seen as HTTP parameters. they can be found in headers and cookies.
The attacker can access, edit or delete any of other users’ objects by changing the values.
 Use Server Side validation - Sever side validation is much secure than client side validation
Recommendations to prevent Authorization Bypass

22. Known Security Incidents
THE USPS(UNITED STATES PARCEL SERVICE )API INFORMATION LEAK
INCIDENT - Insufficient authorization Control
The security weaknesses leaked account data for around 60 million users. Any malicious user logged in the
system could exploit the API to collect user data by simply introducing wildcard characters in a search
function of the API.
Essentially, the root cause of the USPS incident is having insufficient authorization controls, which in turn
allow attackers to retrieve (and modify) data beyond their lawful control.

23. Known Security Incidents
• Password was stolen from a payroll executives smart phone on CLEANTECH
• it has been Highly effected on payroll system. There are 4500 Employees in Cleantech.
• Hacker was modified Bank Account nos of Employee’s in database.
• Ultimately large Number of Employees Monthly salaries was rejected and transferred to unknown account nos.
• Incident is disaster for the company.
• Company has organized a password security awareness
Program for staff members.

24. Known Security Incidents
50 Million Robbery on ABS due to unauthorized Access into Mtransit web Based system.
• Hacker attacked abs mail server and acquired 2 cash collecting officer’s user-ids and passwords.
• mTransit system has been accessed and got all cash collection and transit details.
• Route,Vehicleno,Collected amt ,approximately delivery time etc.
• They submitted these valuable information to robbery team
and they was stolen huge amount of cash on kurunagala -Colombo route.

25. Thank You