Autentikim i Thyer

Mesatar 14 min Siguria e Aplikacioneve Web

Hyrje

Broken authentication refers to flaws in how an application verifies user identity — anything from weak passwords to session mishandling.

Teoria

Common failures include allowing weak passwords (12345, password), no rate limiting on the login endpoint (enabling credential stuffing), predictable session tokens, sessions that never expire, missing CSRF protection, and MFA that can be bypassed via a forgotten-password flow or legacy endpoint. Credential stuffing alone — reusing leaked password lists against other sites — is responsible for a large share of account takeovers every year. Best-practice authentication in 2024 looks like: long passwords with no arbitrary complexity rules (NIST 800-63B), mandatory checks against the Have I Been Pwned breach corpus, rate limiting and account lockout on repeated failures, session tokens stored in HttpOnly Secure SameSite cookies, and either TOTP or WebAuthn as a second factor. WebAuthn (passkeys) is especially strong because the private key never leaves the user's device and is bound to the origin, defeating phishing. Implementers should almost never write authentication code from scratch. Use battle-tested libraries like Spring Security, Django auth, Laravel Breeze or Auth0/Keycloak as identity providers. Every custom authentication system is a liability until proven otherwise.

Mjetet

Mjete testimi:

  • Burp Intruder — për testim fjalëkalimesh dhe enumeration.
  • Hydra, Medusa — brute-forcers CLI.
  • JWT.io, jwt_tool — analizë JWT.

Praktika

Gabim i zakonshëm — JWT pa verifikim:

// Shembull i gabuar
$payload = json_decode(base64_decode(explode('.', $jwt)[1]), true);
$userId = $payload['sub'];

I drejtë — me bibliotekë të besueshme:

use Firebase\JWT\JWT;
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($SECRET, 'HS256'));
$userId = $decoded->sub;

Politika e fjalëkalimeve me bcrypt:

$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
if (password_verify($input, $hash)) { /* ok */ }

Ushtrime

  1. Identifiko një aplikacion që nuk invalidon session-in pas logout — raporto si finding.
  2. Konfiguro rate limiting për login (p.sh. me fail2ban ose middleware).
  3. Zëvendëso MD5/SHA-1 për passwords me bcrypt ose Argon2.

Burime

  • OWASP A07:2021 — Identification and Authentication Failures.
  • NIST SP 800-63B — Digital Identity Guidelines.
  • PortSwigger — Authentication Labs.

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re