When an actor claims to have a particular identity, the program either does not prove or does not sufficiently verify that claim. Improper Authentication is a vulnerability that describes the ineffective techniques for verifying a user's identity.
This flaw could be exploited by multiuser systems and apps that use multiple permission levels.
This flaw happens when an application incorrectly verifies a user's identity. An attacker can access certain rights within the application or expose sensitive information if software wrongly checks user login information or permits the use of different forms of malicious credentials collection (e.g. brute force, spoofing).
The "id" argument in the HTTP GET request is used by software to assign privileges within the application. For example, if the option is set to "user," the application will allow you to view the data; if it is set to "admin," you will be able to update the data on the page.
http://vulnerable.com/index.php?view=1&id=user http://vulnerable.com/index.php?view=1&id=admin
An attacker who sets the "group" option to "admin" will be allowed to change the website.
The previous example is simply a demonstration of how the flaw works. However, in real-world circumstances, poor Authentication can be caused by various factors, including software misconfiguration, human error, etc.
This flaw can expose resources or functionality to unauthorized individuals, exposing sensitive information or allowing attackers to run arbitrary code.
An attacker can take advantage of this flaw via various methods, including brute-force attacks, session fixation, and Man-in-the-Middle (MitM) attacks.
Tools and techniques that involve manual (human) analysis, such as penetration testing, threat modelling, and interactive tools that allow the tester to record and change an active session, can be used to discover this flaw. Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Robust authentication procedures, including anti-brute force and session protection mechanisms, are recommended to protect the application against this flaw.