Golang Broken
Authentication Guide:
Examples and Prevention

stackhawk

StackHawk|March 17, 2022

Appropriate security is essential in the software industry. You can prevent information theft and other cybercrimes.

Security is important in the software industry. With appropriate security, you can prevent information theft and other cybercrimes. One important aspect of security is to verify the identity of all entities so that intruders can’t get access into the application. 

This is exactly what authentication is all about. It ensures users can't access information stored in the application until they can prove that they're who they claim to be. In this article, we'll explain authentication, how to prevent broken authentication, and go over some examples of broken authentication in software, and in particular, in applications built with Golang.

Golang Broken Authentication Guide: Examples and Prevention image

What is Authentication?

Authentication is the process of verifying the identity of a user. When a user tries to access information in an application, they have to prove that they're truly who they claim to be. This is important because, most information stored in an application's database is sensitive, such as users’ personal data. 

Therefore, you must prevent intruders from getting hold of sensitive information. Users get access to general information in the application without needing to verify their identity. However, they must provide a means to verify their identity when they try to access sensitive information. For example, when a user tries to access their personal dashboard, they'll need to provide login details like a username, pin, or password. 

We shouldn't confuse authentication with identification, as they're different things. With authentication we want to verify that a user is who they claim to be. In contrast, identification simply asks who the user claims to be. For instance, when a user provides their username, the system checks if the user entered a valid username.  However, the system then authenticates the user by matching the username and the password the user provides to ascertain the user actually owns the identity.

What could go wrong if authentication is not properly done? Let's discuss broken authentication in applications and in software built with Golang. 

What Is Broken Authentication?

If developers don't implement authentication properly, intruders can get access to the application. This way, they can manipulate the system and pose as different users. 

Broken authentication involves exploiting vulnerabilities in an application in order to pose as another user. Here, the intruder acts as a user access the user’s privileges and attack additional users. 

Broken Authentication in Golang

Golang is a statically typed programming language mainly used for building microservices and the backend of applications. Like in most applications, authentication is done by the backend of Golang applications, and the frontend handles validation.

In the sections that follow, we'll explore examples of broken authentication in Golang, how to prevent them, and the how broken authentication effects Golang applications. 

Examples of Broken Authentication in Golang

First, let’s explore some different types of broken authentication vulnerabilities in Golang applications. 

Session ID Vulnerability

We Can also call this type of vulnerability session fixation. According to OWASP, (Open Web Application Security Project), this vulnerability allows an attacker to get a valid session ID, manipulate a user to authenticate themself with the session ID, and hijack the validated session with the knowledge they’ve gained of the session ID. 

This type of attack is only possible because the system doesn't assign a new session ID when authenticating users. Therefore, the attacker can use the existing session ID. 

An example of session ID attack involves an attacker sending a link with a session ID a user. The user then provides their login details for authentication. Because the attacker already made a connection to the application's server, the server doesn't create a new session ID, allowing the attacker to pose as the user. Attackers can also exploit session ID by implementing client side scripting.

Predictable Login Details

We can also call this type of vulnerability password spraying. This is a type of brute force attack where the intruder quickly tries to guess a user's password. 

If the user makes use of a simple and predictable password, an intruder can guess their password easily. The attacker repeatedly tries to guess a user’s password, then moves to another user if they don't succeed. 

Unprotected Login Details

To avoid attacks or exploitation of an application's database, software developers encrypt login details before storing them. This way, if an attacker gets hold of the database, they can't decipher user login details. 

Applications that don't encrypt login details are vulnerable to attack. If an attacker gets hold of the application's database, they can easily log on to any user’s account. Attackers can also exploit login details of users if they're sent over to an application unencrypted.

Session Hijacking

Session hijacking is a type of attack that occurs when an attacker takes over a user's web session after the user successfully logs into their account. To accomplish this, the intruder compromises session tokens. 

Session tokens are encrypted strings that differentiate user connections to servers. When an attacker can predict session tokens, or log on using stolen tokens, they can access user accounts. 

We shouldn't mistake session hijacking for session fixation. In session hijacking, an attacker hijacks a user session after the user logs in. In session fixation, the attacker launches an attack before the user logs in by tricking them into clicking on a stolen session ID. 

Rainbow Table Attacks

Although software developers take the extra step of encrypting user login details, they're not safe from attackers. This is because attackers can exploit an application's database if the database is exposed. Attackers can decipher password hashes using the rainbow table method. 

A rainbow table is a table of reversed hashes. An attacker who has a rainbow table can collect password hashes and decode them using the table. 

Prevention of Broken Authentication

In this section, we'll explore the methods to prevent the different broken authentication vulnerabilities described above. 

Session Timeout

A session timeout is an event that can cause a session to expire. When a session expires, the ID becomes invalid and the user needs to present their credentials for authentication again. 

Developers can implement a session timeout programmatically so that users can't continue with an existing session after some designated length of inactivity. This prevents intruders from reusing an existing session ID. Developers can implement a session timeout in HTTP clients by specifying timeout in http.Client.

var httpClient = &http.Client{
Timeout: time.Second * 10,
}

Golang Broken Authentication Guide: Examples and Prevention image

Locking Accounts

Locking an account after a number of unsuccessful authentications is a broken authentication prevention method. Since a brute force attack involves an intruder repeatedly guessing a user's password many times, locking accounts can stop an intruder from accessing a user account. 

Another method is to lock authentication attempts from device cookies. This way, attackers can't access user's information by manipulating cookies. Developers can also require users to provide stronger passwords during registration. Using a CAPTCHA can also reduce brute force attacks, since brute force attacks are mostly executed by computer programs, which can’t successfully evade a CAPTCHA. 

Adding Salt to Hashes

Incorporating salt into hashes adds extra security to an application. Salts add a unique string of characters to passwords before hashing. This prevents attackers who use the rainbow table method from deciphering passwords. For instance, developers can add random salt to password hashes using Golang's bcrypt. An example of how to use bcrypt is shown below:

package main

import (
    "golang.org/x/crypto/bcrypt"
    "fmt"
)

func main() {
    password: = [] byte("MyPassword")

    // Hashing the password with the default cost of 10
        hashedPassword,
    err: = bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(hashedPassword))

    // Comparing the password with the hash
    err = bcrypt.CompareHashAndPassword(hashedPassword, password)
    fmt.Println(err) // nil means it is a match
}

Automated API security testing in CICD

Conclusion

Implementing authentication is an important aspect of software development. For this reason, IT firms hire security experts to keep make sure their products have secure authentication. 

Although implementing authentication and eradicating vulnerabilities may seem like a lot of work, software tools can make it seamless. For instance, with tools like StackHawk, developers can easily monitor and fix vulnerabilities that attackers can exploit.   

This post was written by Ukpai Ugochi. Ukpai is a full stack JavaScript developer (MEVN), and she contributes to FOSS in her free time. She loves to share knowledge about her transition from marine engineering to software development to encourage people who love software development and don't know where to begin. 


StackHawk  |  March 17, 2022