Session Fixation + Cross-Site Scripting (Bonus points for not setting the HttpOnly flag on Cookies)
Session Fixation is a fairly common, lower severity vulnerability. Generally speaking, session fixation occurs when the pre-authentication session cookie is the same as the post-authentication session cookie. If an attacker can grab ahold of the pre-authentication session cookie, then once the user authenticates, the attacker will have access to the user’s session.
Username Harvesting + Overly Restrictive Lockout Mechanisms
Username harvesting/enumeration is a very common low-risk vulnerability that allows attackers to determine valid usernames for an application. An attacker with enough time on his hands can simply iterate through a large payload of possible user IDs and generate a pretty comprehensive list of valid IDs.
Overly restrictive lockout mechanisms can cause users to be locked out after a few incorrect login attempts. Putting both of these vulnerabilities together, an attacker could potentially enumerate a full list of users and run an automated script that continually sends login requests to the server. This would effectively lock every user out of the application, leading to a user-level denial of service attack that would severely cripple the application. Of course, in this attack, the attacker doesn’t gain any privileged user information, but it could cost the company that owns the application millions of dollars. Something to think about next time you rub a hacker the wrong way :P.
SQL Injection + Client Side Hashing
Okay, let’s be real for a moment: if you’re pen-testing an application and find SQL injection, then you’ve pretty much won. You have gained bragging rights amongst your peers and deserve to be garlanded in a festive parade by your clients, who would have otherwise been featured in a cable news special regarding their “CRITICAL CYBER SECURITY LEAK”. SQL injection is a security vulnerability in which an attacker is able to escape out of a SQL database query string and inject malicious code, effectively gaining direct database access. In the application security world, SQL injection is considered to be one of the most serious attacks, yet ironically enough, OWASP consistently ranks it as one of the most common web application vulnerabilities.
One of the ways to protect passwords from database breaches is password hashing, in which the application appends a few random characters to the user-inputted password (to maximize entropy) and then sends the new string through a hashing algorithm. This ensures that even if a password store is compromised, at least the passwords are not discernible to the hacker… well, unless they are being hashed on the client side. If the password is being hashed on the client side, then that means that a hashed password is being sent to the server and an attacker can use the hashed password datastore to effectively impersonate every user on the application. Or depending on his/her mood, the attacker could just destroy the whole database table.
The Bottom Line
The tech-world today is accelerating at an incredibly rapid rate. Every day, more and more zero-day vulnerabilities are exposed and new attack vectors are created. The previously held belief that having no critical vulnerabilities equates to a secure environment has become a myth. It has become increasingly important for companies to harden their application against all vulnerabilities, regardless of the severity.
Let us know what your thoughts are by posting a comment below! We would love to hear about different vulnerabilities that you may have encountered which work well together. Particularly insightful responses will be featured in Part II!