Broken authentication refers to a group of internet application vulnerabilities that may lead to theft of user sessions. That is to say, in a broken authentication, an attacker attempts to impersonate actual users of a service. Similarly, Laravel broken authentication refers to vulnerabilities that can lead to the theft of user sessions in a Laravel application.
Hackers take advantage of broken authentication using different methods. For example, a hacker can intercept HTTP requests that contain sensitive data over an unsecured protocol. Other methods include exploiting the use of weak passwords and phishing.
Broken authentication is a very serious vulnerability in web applications. According to OWASP, "Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools." Broken authentications in Laravel applications can make your application easy to hack.
In this post, you'll learn what Laravel broken authentication is and look at examples and possible ways to prevent each vulnerability. In order to understand the topic better, let's take a look at what sessions and authentication are. We'll refer to both terms a lot in the rest of the post.
Meaning of Session and Authentication
Session and authentication are often used together. They’re related, but they mean two different things. Your application may start a session for a user before authentication.
A session identifies a specific user at a given time point or period of time. A new session starts when a user visits a website and the session stays active until they leave. Most websites terminate the current session after a certain time of inactivity.
Usually, a web server assigns a unique ID to each session, known as the session ID.
A common example of authentication is a login system verifying a username and password combination. Authentication provides users of your web application with a means of identifying themselves. After successful authentication, users can access personalized content.
Laravel comes out-of-the-box with an authentication feature. Developers can choose to use Laravel's default authentication system or implement their own. Poor implementation of authentication can leave your Laravel application vulnerable to broken authentication.
Examples of Laravel Broken Authentication
Now that we know what broken authentication is, let's take a closer look at Laravel broken authentication, using the following examples:
Stolen login credentials
1. Session Hijacking
We can also refer to this type of exploit as session stealing. It involves an attacker getting hold of a user's session ID. The attacker can then use the stolen ID to impersonate the user without even knowing their username and password. The stolen session grants direct access to the user’s account.
Hackers use several methods to steal sessions. For example, attackers can steal session IDs from non-HTTPS requests. Another method uses your application's URL. Some applications include a user's session ID as a URL parameter. This makes it easier for attackers to steal user sessions. The following is an example of session ID in a URL:
You can prevent or defend your Laravel application against session hijacking by enabling HTTPS for all requests. HTTPS requests are secure and encrypted using TLS. As a result, it’s difficult for anyone to steal session IDs during the communication between a client and server.
In case an attacker manages to gain access to a valid session ID, you can still defend against impersonation of a user by implementing some form of verification. For example, you can check if the source of the new request has the same IP address as the original owner of the session. However, this practice can lead to a poor user experience because a user's IP address can change during active sessions, resulting in false positives.
Also, avoid using values that are easy to predict for the session ID. Session IDs should be unique and hard to guess. Best practices are to generate a new session ID for users once they log in and eliminate session IDs from URLs.
2. Stolen Login Credentials
This type of Laravel broken authentication vulnerability involves an attacker getting hold of the actual password and username of the victim. Just like the last example, an attacker can use different methods and tricks to steal user login details.
The use of weak passwords is a common cause of stolen logins. Short passwords are weak and easy for an attacker to predict. For instance "123456", "password", and "qwerty" are examples of popular weak passwords. A report by password manager, NordPass shows "123456" as the most popular password in 2020.
Another cause of stolen login credentials is storing and sending passwords as plain text. Passwords stored as plain text can become easy targets for attackers. Attackers can use other security vulnerabilities, like SQL injection to gain access to an entire database of user login credentials.
The third method hackers use is phishing. Phishing is a very serious cyber-security threat and there's very little you can do as a developer to defend users against it. In phishing, an attacker tricks users into submitting their username and password on a form the attacker controls. For example, an attacker may send an email to unsuspecting users pretending to be a service they use. Such emails contain a link to the phishing site, and if the user clicks on that link and completes the form, they give away their login details.
Now, let's walk through some ways of fixing Laravel broken authentication due to weak passwords.
The first thing to do to prevent the password exploit is to enforce a strong password policy that prevents users from signing up with easy to predict passwords like "123456" and "password." For example, you can require that users include both uppercase and lowercase letters in passwords, as well as numbers and special characters.
In addition to a strong password policy, you can reduce the chances of Laravel broken authentication by setting up a login attempt limit. This allows users to retry logging in only a few times after they enter a wrong password. Attackers may use a trial and error approach (brute force) to guess login details. Limiting login attempts gives them fewer trials, and thus, reduces risk.
The following code shows how you can implement a login attempt limit in Laravel 8:
Route::post('/login', [LoginController::class, 'login'])->middleware("throttle:8,2");
This code adds the built-in Laravel throttle middleware to the login route. The middleware limits the route to eight requests within two minutes.
To prevent Laravel broken authentication due to database breaches, never store passwords in plain text. You should also have HTTPS enabled for login and registration pages and for endpoints. That is to say, never transmit passwords over insecure protocols.
The last measure we'll consider is using multi-factor authentication. This method even provides some defense against phishing, as it requires users to enter a token, usually sent via email or SMS. However, this method may fail if the user's email is also compromised. An effective way to reduce the danger of phishing further is to educate and discourage users from interacting with suspicious sites.
We've come to the end of this post on Laravel broken authentication and here are a few things to note:
Broken authentication is a name for several web application vulnerabilities that can enable attackers to impersonate legitimate users.
Laravel applications are vulnerable to broken authentication exploits.
Practices like using HTTPS, strong password policies, login attempt limits, and multifactor authentication can greatly reduce the risk of Laravel broken authentication.
This post was written by Pius Aboyi. Pius is a mobile and web developer with over 4 years of experience building for the Android platform. He writes code in Java, Kotlin, and PHP. He loves writing about tech and creating how-to tutorials for developers.