AppSec Knowledge Base

CREDENTIALS MANAGEMENT FLAWS, TUTORIAL AND CHEAT SHEET

What Is a Credentials Management Attack?

A credentials management attack attempts to breach username/password pairs and take control of user accounts. Once inside a system, an attacker can alter, steal, or delete data; initiate transactions; install additional malware; and gain broader and deeper access to systems and files. There are four primary way attackers breach credentials: 

  1. Through unprotected storage of credentials, which results when a password is stored in plaintext.
  2. Through the use of a hard-coded password, which, as the name implies, uses a hard-coded password for inbound authentication or for outbound communication with external components.
  3. Through insufficiently protected credentials, which is a weakness that occurs when an application transmits or stores authentication credentials and relies on insecure protection methods that may result in unauthorized interception and retrieval.
  4. Through the use of a hard-coded credential that stores passwords or cryptographic keys used for inbound authentication or outbound communication, or for encryption of internal data.

Rates of Credentials Management Flaws in Software

Ask A Qualified AppSec Expert

Struggling with fixing a code weakness? Knowledgeable consultants at Veracode can help you out.

Ask in the Community

How Credentials Management Attacks Work

Credential management vulnerabilities result when developers fail to build in essential protections. This may include a failure to encrypt password data or store credentials in an easily accessible file, or it may involve the use hard-coded passwords that allow an attacker to bypass authentication requirements. In order to pull off a credential attack, intruders might intercept insecure data or use brute force methods. In some cases, such as with hard-coded passwords, attacks can be difficult for a system administrator to detect and fixing a flaw can prove challenging. In fact, in some cases, it may be necessary to disable a product or site entirely. A Veracode analysis of static scan data indicated that credential vulnerabilities exist in 42 percent of applications.

Attack and Defense Examples

Example 1

This is an example of unprotected storage of credentials:

Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);

This code reads a password from a properties file and uses the password to connect to a database. Although this code will run correctly, someone with access to the config.properties file can read the value of password. This might include an employee who uses this information to breach the system.

Example 2

This is an example of the use of a hard-coded password vulnerability in Java:

int VerifyAdmin(String password) {
if (!password.equals("Mew!")) {
return(0)
}
//Diagnostic Mode
return(1);
}

The problem with this code is that every instance of this program can be placed into diagnostic mode using the same password. Making matters worse, a binary-only distribution of the program makes it extremely difficult to change the password or disable its "functionality."

Example 3

This is an example in PHP of insufficiently protected credentials:

$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
SetUserPassword($user, $pass);
}

The above code alters a user’s password. Once the code confirms that the user entered the same password twice, it provides access to the account. It doesn’t check the identity of the user to ensure that it’s the same person. This allows an attacker to take over the account.

Example 4

This is an example of a hard-coded credentials attack:

int VerifyAdmin(String password) {
if (password.Equals("68af404b513073584c4b6f22b6c63e6b")) {
Console.WriteLine("Entering Diagnostic Mode...");
return(1);
}
Console.WriteLine("Incorrect Password!");
return(0);
}

This example demonstrates how a cryptographic key is hard-coded into a string value that’s compared to the password. An attacker who views this code can compromise the system.

Preventing Damage and Remediating Code Are Critical

It’s critical to ensure that developers avoid risky coding practices, including storing passwords in easy to access locations, using plaintext in software, and using hard-coded credentials. The use of encryption is critical, particularly for outbound authentication. It’s also important to limit permissions to only those who absolutely require access to a file, limit key functions to the system console, and design strong protections for files and encryption keys.

For inbound authentication using passwords, it’s smart to use strong one-way hashes to passwords and store the hashes in a strongly protected configuration file or database. It’s also advisable to use randomly assigned salts for every hash that’s generated. This forces an attacker to use more computing resources for a brute force attack, thereby reducing risk. Finally, for front-end to back-end connections, consider the use of randomly and automatically generated passwords that a system administrator must enter within a given time window; limiting functions that a user can access with a password; and ensuring that messages sent are tagged and checksummed with time-sensitive values to thwart replay style attacks.

Veracode Can Aid in the Defense of a Credential Management Attack

Veracode Web Application Scanning can safely, accurately, and quickly discover web application flaws, including credential management, in running web applications, in either production or pre-production environments.

Veracode Static Analysis can accurately identify credential management vulnerabilities and other flaws in your application and its third-party components and tell your developers exactly where and how to repair them, all without ever looking at the source code.

Our cloud-based application security platform helps you manage your application security program, track progress, and educate your developers on avoiding and repairing credential management and other security flaws through integrated eLearning materials.

 

 

 

contact menu