Authentication plays a major role in securing your website and applications. When a user needs to reach a protected area of your site, they provide a username and password to prove their identity; the application then grants access and a pre-defined set of privileges based on that identity. While authentication is intended to add a layer of security, an attacker can use ordinary HTTP requests to the login form to manipulate this process and gain entrance to your website.

When an attacker breaks in through authentication, they do so by convincing the application that they are a known and valid user, which gives them whatever privileges you have assigned to that legitimate user. An attacker who gets in as a normal user may be limited to that user's information. One who gains access as an administrator with unrestricted rights would likely have total control of the victimized application and all the data it contains, which could be very damaging if you store customer data or other critical information on your website.

The Hacking Tool of Choice

In the average authentication attack, the attacker first locates the screen where the application asks the user for a login name and password. The next step is to submit details the application recognizes as valid. Although it is not sophisticated, password guessing remains one of the most powerful ways to defeat authentication. It can be done manually or with automation, and many tools exist for exactly this purpose. Against a weak or common password, an automated brute-force or dictionary attack can find the password in seconds; against a long, unique password the same attack becomes impractical, which is why password strength matters as much as the login code itself.

Fighting Back Against Authentication Attacks

To learn whether an attempt succeeded, the attacker's automated tool inspects the status code and page content returned by the web server. A common deterrent is to configure the application so that failed logins and unexpected requests return an "HTTP 200 OK" response instead of a 4xx error, which removes the status code as an easy signal. On its own this is weak: a tool can just as easily match on the response body, its length, a redirect, or the response time. What actually helps is making every failure indistinguishable: the same status, the same body and the same timing whether the username is unknown, the password is wrong or the account is locked, so the attacker cannot tell a valid username from an invalid one and cannot use the login form to enumerate accounts.

Another effective way to slow automated attacks such as brute force is to add random content to the login page that the client must submit back together with the credentials (a CAPTCHA). For this to work, the server must generate a fresh random phrase for each attempt, tie it to the visitor's session, and refuse the login unless the correct phrase is submitted along with the username and password. Presenting the phrase as a GIF, JPG or PNG image with varying fonts, colors and distortion each time makes it hard for a simple automated tool to read. It is not impossible, though: OCR and human solving services can defeat image CAPTCHAs, so treat the challenge as raising the cost of each guess rather than as a complete defense, and pair it with rate limiting or account lockout.
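The two defenses above, uniform failure responses and a per-attempt random challenge, as an added example that is not part of the original post. It puts a leaky login handler (different responses for "unknown user" and "wrong password") beside a hardened one whose failures are identical and which requires a fresh, single-use challenge bound to the session, then runs a simulated guessing tool against both. The user store, account names, passwords and session identifiers are constructed for the demo; the challenge is returned as text because rendering it into an image is outside the scope of the example.

```python
# Added example, not code from the original post. Constructed users, passwords
# and session ids; real code would use a per-user salt and a session store.
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
import time

_SALT = os.urandom(16)       # one salt for the whole demo store (constructed)
_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)

USERS = {                    # constructed accounts
    "alice": _hash_password("correct horse battery staple"),
    "admin": _hash_password("Tr0ub4dor&3"),
}

def leaky_login(username: str, password: str) -> tuple[int, str]:
    """Status code and message reveal which check failed."""
    if username not in USERS:
        return 404, "Unknown user"
    if not hmac.compare_digest(USERS[username], _hash_password(password)):
        return 401, "Wrong password"
    return 200, "Welcome " + username

# --- hardened handler -------------------------------------------------------
CHALLENGE_TTL = 120.0                                 # seconds a challenge stays valid
CHALLENGES: dict[str, tuple[str, float]] = {}         # session id -> (answer, issued at)
_DUMMY_HASH = _hash_password("not a real password")   # hashed for unknown users

def issue_challenge(session_id: str) -> str:
    """Random phrase bound to the session; a real site renders it as an image."""
    answer = secrets.token_urlsafe(6)
    CHALLENGES[session_id] = (answer, time.monotonic())
    return answer

def hardened_login(session_id: str, username: str, password: str,
                   challenge_answer: str) -> tuple[int, str]:
    issued = CHALLENGES.pop(session_id, None)         # single use: always consumed
    challenge_ok = (issued is not None
                    and time.monotonic() - issued[1] <= CHALLENGE_TTL
                    and hmac.compare_digest(issued[0], challenge_answer))
    # Hash the candidate password even for unknown users so the response time
    # does not depend on whether the username exists.
    stored = USERS.get(username, _DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, _hash_password(password))
    if challenge_ok and password_ok and username in USERS:
        return 200, "Welcome"
    return 200, "Login failed"                        # identical for every failure

def legit_attempt(session_id: str, username: str, password: str) -> tuple[int, str]:
    """Full browser flow: fetch a challenge, then submit it with the credentials."""
    answer = issue_challenge(session_id)
    return hardened_login(session_id, username, password, answer)

# --- what an automated tool can learn from the responses --------------------
def enumerate_users(attempt, candidates):
    """Usernames whose failure response differs from a name known not to exist."""
    baseline = attempt("nobody-" + secrets.token_hex(4), "x")
    return [u for u in candidates if attempt(u, "x") != baseline]

def guess_password(attempt, username, wordlist):
    """First word whose response differs from a random wrong password, else None."""
    baseline = attempt(username, secrets.token_hex(8))
    for word in wordlist:
        if attempt(username, word) != baseline:
            return word
    return None

if __name__ == "__main__":
    names = ["alice", "bob", "admin"]
    words = ["password", "123456", "Tr0ub4dor&3"]
    no_challenge = lambda u, p: hardened_login("atk", u, p, "")
    print("leaky enumerates:", enumerate_users(leaky_login, names))
    print("hardened, no challenge:", enumerate_users(no_challenge, names))
    print("leaky guess:", guess_password(leaky_login, "admin", words))
    print("hardened, no challenge:", guess_password(no_challenge, "admin", words))
    print("hardened, challenge solved each time:",
          guess_password(lambda u, p: legit_attempt("atk", u, p), "admin", words))
```

Against the leaky handler the tool recovers both valid usernames and the admin password from three guesses; against the hardened handler with no challenge it learns nothing. The last line shows the caveat: a tool that can solve each challenge still succeeds, so the challenge only makes every guess cost a fresh round trip and a solve, which is why it belongs alongside rate limiting rather than in place of it.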
