Friday, 18 April 2014

Fail Open Authentication

Fail open authentication is when an error occurs and, instead of the outcome defaulting to "false", it defaults to "true". An example would be a login: if an error occurred and the system automatically logged the user in, as opposed to defaulting to not letting the user in, then authentication would not have been very effective.

One way to prevent fail open authentication is to always assume access is false (denied), as opposed to true, and then try to prove it true (guilty until proven innocent). Although this may not occur to a developer as a possibility, it can be the difference between a secure application and an insecure one.

One potential way to induce an error is to use software like WebScarab to intercept a request to the server and delete the username or password variable (or another variable associated with a particular process). The error thrown could easily lead to a failure in the application, which could default to granting access when access should not be granted.

The example above is not exclusively applicable to logins but to any other variable which requires a specific input to validate that a user has permission to access material or perform tasks. It could also apply to server-side text input validation, or any other form of server-side validation of this nature.
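The two patterns described above, a login that defaults to "true" and only revokes access on an explicit failed check, beside the deny-by-default version that has to prove access should be granted, as an added example that is not code from the original post. The credential store, the user name "alice" and the password are constructed sample values, and the function names `login_fail_open` and `login_fail_closed` are hypothetical; the final calls model the request where the password variable has been deleted from the login request.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 of the password; used only to build the sample store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample credential store: username -> (salt, password hash).
# A real application would load this from a database; it is generated here
# so the example runs offline.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Return True only when the user exists and the password matches."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_fail_open(form: dict) -> bool:
    """Vulnerable pattern (fail open): access starts as True and is only
    revoked when the check explicitly fails. A missing field raises KeyError,
    the broad except swallows it, and the default of True is returned."""
    authenticated = True
    try:
        if not verify_password(form["username"], form["password"]):
            authenticated = False
    except Exception:
        pass  # error "handled" by ignoring it; authenticated is still True
    return authenticated


def login_fail_closed(form: dict) -> bool:
    """Hardened pattern (fail closed): deny by default, then try to prove
    access is allowed. Missing or malformed input is an explicit deny, and an
    unexpected error propagates (a failed request) rather than becoming a grant."""
    username = form.get("username")
    password = form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return verify_password(username, password)


if __name__ == "__main__":
    good = {"username": "alice", "password": "correct horse"}
    bad = {"username": "alice", "password": "wrong"}
    missing = {"username": "alice"}  # password variable removed from the request
    for name, form in [("good", good), ("bad", bad), ("missing", missing)]:
        print(f"{name:8} fail-open={login_fail_open(form)!s:5} "
              f"fail-closed={login_fail_closed(form)}")
```

Both functions agree on a correct or incorrect password; they only diverge when the request is malformed, which is exactly the case an intercepting proxy produces and the case a developer is least likely to have tested.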

Abusing error handling, although not as prominent as other techniques for attacking a web application, can easily become just as large a threat as SQL injection or session hijacking.
