How Are Credentials Used In Applications?
Introduction
Use of credentials is one of the most common aspects of applications. Be it a web application or a mobile client application, applications often need to interact with services that require authentication. To be able to interact with services successfully, applications must have a way to store and supply credentials. This article discusses how credentials are traditionally used in applications with some examples.
Learn Secure Coding
What is authentication
Authentication is the security process that allows users/applications to verify their identities in order to gain access to a particular account or service. This typically happens when users login to applications, however this can also happen for applications to connect to other services behind the scenes. For example, an application requires authentication to a database to be able to verify the user supplied credentials.
The following picture shows the flow of a typical user authentication process in web applications.
- A user opens a login page on a website and enters credentials. The credentials in a simplistic form can be username and password. However, in highly security sensitive applications, additional steps such as multi factor authentication may be required.
- Once the application’s server side code receives the user supplied credentials, it needs to validate them by providing these credentials to a database. This may require an additional step of application presenting it’s authentication credentials to the database to be able to communicate with it.
- Once the application successfully authenticates, the user supplied credentials are verified and if they match with the already stored credentials, the user is authenticated and access is provided to the account.
How are authentication credentials stored in web applications?
Now, let us discuss how these two different types of credentials are stored. Let us begin by understanding how the user credentials may be stored in the database. When user accounts are created in websites, typically the registration information is stored in a database. Depending on the security maturity of the developer and the organization, the credentials can be stored in various forms. Some of the commonly seen patterns are storing clear text passwords, using hashing algorithms such as MD5 or SHA1. These approaches are considered insecure due to the fact that clear text credentials can be directly used when exposed and passwords hashed using weak algorithms can be cracked by the users with powerful password cracking setup. The following excerpt shows how credentials may look like in a database.
The preceding figure shows how user credentials may be stored in a database. This example hashes shown are created using MD5 hashing algorithm.
On the other hand, application credentials are typically hardcoded in config files or in the source code. These accounts are commonly known as service accounts as they are used by the applications instead of humans. The following excerpt shows a sample config file from Xtreme Vulnerable Web Application (XVWA).
$XVWA_WEBROOT = "";
$host = "localhost";
$dbname = 'xvwa';
$user = "root";
$pass = "toor";
$conn = new mysqli($host,$user,$pass,$dbname);
$conn1 = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn1->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
As we can notice, the database credentials are hardcoded in the config file and the credentials are in clear text.
The following excerpt shows another example, where a Java based application uses database credentials within the source code in clear text.
boolean flag = false;
try {
//Load MySQL Driver
Class.forName("com.mysql.jdbc.Driver");
connection = DriverManager.getConnection
("jdbc:mysql://localhost:3306/users?serverTimezone=UTC","root","toor");
flag = true;
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return flag;
}
While this is insecure, it is unfortunately a common practice followed in many applications. When someone gains access to the source code the complete database can be compromised due to this approach. We will discuss more credential related problems and best practices in the next few articles.
Learn Secure Coding
Conclusion
Use of credentials is very common in applications. Many applications use credentials by following insecure practices and it is important to understand the risks these approaches may bring. In the next few articles, we will discuss various other insecure practices as well as attacks followed by security best practices.
Sources
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- How Are Credentials Used In Applications?
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding