
How Are Credentials Used In Applications?

November 17, 2020 by Srinivas

Introduction

Use of credentials is one of the most common aspects of applications. Be it a web application or a mobile client application, applications often need to interact with services that require authentication. To be able to interact with services successfully, applications must have a way to store and supply credentials. This article discusses how credentials are traditionally used in applications with some examples.


What is authentication

Authentication is the security process by which users or applications verify their identities in order to gain access to a particular account or service. This typically happens when users log in to applications; however, it can also happen behind the scenes when applications connect to other services. For example, an application must authenticate to a database before it can verify the user-supplied credentials.

The following picture shows the flow of a typical user authentication process in web applications.

  1. A user opens a login page on a website and enters credentials. In their simplest form, the credentials are a username and password. However, in highly security-sensitive applications, additional steps such as multi-factor authentication may be required.
  2. Once the application's server-side code receives the user-supplied credentials, it needs to validate them by checking these credentials against a database. This may require an additional step in which the application presents its own authentication credentials to the database in order to communicate with it.
  3. Once the application has successfully authenticated to the database, the user-supplied credentials are verified, and if they match the stored credentials, the user is authenticated and given access to the account.

How are authentication credentials stored in web applications?

Now, let us discuss how these two different types of credentials are stored. Let us begin by understanding how user credentials may be stored in the database. When user accounts are created on websites, the registration information is typically stored in a database. Depending on the security maturity of the developer and the organization, the credentials can be stored in various forms. Two commonly seen patterns are storing clear-text passwords and storing passwords hashed with weak algorithms such as MD5 or SHA1. Both approaches are considered insecure: clear-text credentials can be used directly when exposed, and passwords hashed with weak algorithms can be cracked by anyone with a powerful password-cracking setup. The following excerpt shows how credentials may look in a database.

The preceding figure shows how user credentials may be stored in a database. The example hashes shown were created using the MD5 hashing algorithm.
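As an added example that is not part of the original article, the following Python compares the weak unsalted MD5 pattern described above with a salted, iterated password hash and a constant-time verification; the user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak pattern from the article: an unsalted MD5 digest stored per user.
def md5_record(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened alternative: per-user random salt plus a slow, iterated KDF.
# The iteration count is illustrative; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    # Self-describing record, so the parameters can be raised later without
    # breaking verification of older entries.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # not a record in our format (e.g. a bare MD5 digest)
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: do not leak where the digests first differ.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def build_user_table(users: dict) -> dict:
    """Constructed sample table: each user gets both kinds of record."""
    return {name: {"md5": md5_record(pw), "pbkdf2": pbkdf2_record(pw)}
            for name, pw in users.items()}

if __name__ == "__main__":
    # Two constructed accounts that happen to share a password.
    table = build_user_table({"alice": "password", "bob": "password"})
    # Identical MD5 digests reveal shared passwords and match public lookup tables.
    print("md5 equal:   ", table["alice"]["md5"] == table["bob"]["md5"])
    # Salted records differ even though the passwords are the same.
    print("pbkdf2 equal:", table["alice"]["pbkdf2"] == table["bob"]["pbkdf2"])
```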

On the other hand, application credentials are typically hardcoded in config files or in the source code. These accounts are commonly known as service accounts as they are used by the applications instead of humans. The following excerpt shows a sample config file from Xtreme Vulnerable Web Application (XVWA).

<?php
$XVWA_WEBROOT = "";
$host = "localhost";
$dbname = 'xvwa';
$user = "root";
$pass = "toor";

$conn = new mysqli($host,$user,$pass,$dbname);
$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

As we can see, the database credentials are hardcoded in the config file in clear text.

The following excerpt shows another example, where a Java based application uses database credentials within the source code in clear text.

public boolean openConnection() {
    boolean flag = false;
    try {
        // Load MySQL Driver
        Class.forName("com.mysql.jdbc.Driver");
        // Service account credentials hardcoded in clear text
        // ("connection" is a java.sql.Connection field of the enclosing class)
        connection = DriverManager.getConnection(
            "jdbc:mysql://localhost:3306/users?serverTimezone=UTC", "root", "toor");
        flag = true;
    } catch (ClassNotFoundException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    return flag;
}

While this is insecure, it is unfortunately a common practice in many applications. When someone gains access to the source code, the complete database can be compromised because of this approach. We will discuss more credential-related problems and best practices in the next few articles.
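As an added example that is not part of the original article or of XVWA, the following Python shows two defensive measures for the hardcoding problem described above: a simple scanner that flags credential literals such as the `$pass = "toor";` and `getConnection(..., "root", "toor")` lines, and a loader that reads the database password from an environment variable and fails closed when it is missing. The sample source lines, the regex patterns and the DB_PASS variable name are constructed.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed sample lines modelled on the PHP and Java excerpts above,
# followed by two lines that read the secret from the environment instead.
SAMPLE_SOURCE = """\
$host = "localhost";
$user = "root";
$pass = "toor";
connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/users?serverTimezone=UTC","root","toor");
$pass = getenv("DB_PASS");
db_password = os.environ["DB_PASS"]
"""

# A credential-looking variable assigned a quoted string literal.
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|token|api_?key)"
LITERAL_ASSIGN = re.compile(
    rf"^\s*\$?\w*{CRED_NAME}\w*\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)
# A JDBC getConnection call whose user and password are string literals.
JDBC_LITERALS = re.compile(
    r'getConnection\s*\(\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*"[^"]*"\s*\)')

def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for each line embedding a credential literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if LITERAL_ASSIGN.search(line) or JDBC_LITERALS.search(line):
            findings.append((lineno, line.strip()))
    return findings

def db_password_from_env(var: str = "DB_PASS",
                         env: Optional[Mapping[str, str]] = None) -> str:
    """Fail closed: refuse to start on a missing or empty secret instead of
    silently falling back to a built-in default such as "toor"."""
    env = os.environ if env is None else env
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to start without a database credential")
    return value

if __name__ == "__main__":
    for lineno, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded credential -> {line}")
```

Only the two literal-credential lines are reported; the two lines that read the secret from the environment pass the scan.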


Conclusion

Use of credentials is very common in applications. Many applications use credentials by following insecure practices and it is important to understand the risks these approaches may bring. In the next few articles, we will discuss various other insecure practices as well as attacks followed by security best practices.


Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com