Importance of Validation and Authentication in Applications (Mobile / Web)

NOTE: In below scenario I will be considering myself as an attacker and will explain accordingly. Consider user1 is mapped on attacker’s mobile number and user2 is mapped on victim’s mobile number.

In this blog I will be talking about the mobile application which I was testing for the client (Cannot reveal the client’s name or application name). It is a mobile application in which user has to verify himself/herself as a legit user and after the successful verification of the user he/she have to activate his/her customer ID, everything has to be done on the user’s device itself. The activation process can be done using three options and it is upto the user how he/she wants to activate the user verification. So, lets get to the process how I have bypassed both the verification and authentication and did account takeover of the other user.

The developer has provided user id such as “user1” and “user2” and will be mapped with the respective user’s mobile number and all the verification and authentication process will be done through that mobile number only. As we were performing security testing on the application, we asked for two users to be mapped on two different mobile numbers, consider user1 is mapped on my mobile number and user 2 is mapped on victim’s mobile number. So, according to the process attacker have to activate his user on his mapped number and attacker did it successfully and I can see my dashboard with the user1 name and the details the user should have on his/her dashboard while performing the testing. I used burp suite to capture the request and response of the application to see what data is getting passed through the request and what data is coming from the server in this case both the request and response were encrypted so no scope of tampering the specific data for account takeover.

While going through the captured request and response, I came across some of the requests which I thought might get manipulated and I decided to activate the user again and perform the verification and activation process again but this time I copy-pasted the activation request and the response of one of the activation ways in notepad separately and activated my user, now attacker tried to activate the other user user2 from attacker’s mobile number which is mapped with the victim’s mobile number. So, at first, while doing it normally the server gives me an error message stating Verification Failed, then again, I performed the same but this time I have set proxy and capturing the request of each step.

Please find the steps of bypassing verification and authentication.

Bypassing Verification of User2 on Server side

· I clicked on to activate the user and internal process happen.

· The attacker was redirected to the next activity as it was the mobile application which a page with verify button on it, on clicking on that button the user will get verified and will ask to set the pin.

· As the attacker is activating from his mobile device, the attacker will get an error message of verification failed, so attacker did it again but this time, he has the activation request of his user so he hit the verify button again captured the request and tampered the request with the successful activation request of user1. (Verification request has been replaced with activation request of another user)

· On successful execution of the above request tampering, the application will redirect to the activity where we have to set a pin for user2. After setting the pin we will see a welcome message states that welcome and please log in to the application to complete the activation process.

By the steps mentioned above, an attacker can successfully bypass the verification/Server-side validation in the application. Here I would like to mention that there is no verification of user as well as I have used the request of the other user while the activation and then I logged out of the application and session is not validated here as well.

Bypassing Authentication via OTP functionality

Now login into the application with the pin and then it will ask you to activate the user by OTP.

· Using OTP, an activation code will be sent to the victim’s mobile number.

· Here we didn’t have the OTP with us, so technically the authentication should get failed for any random OTP. Still, put any random OTP and continue further. Now as the attacker have the successful OTP response of his user i.e. user1. Let’s tamper the OTP verification response of the user2 with the response of user1.

· On successful execution, we will be able to see the dashboard of the unauthorized user and can view the data (cannot show the dashboard of the user).

In the above steps, the attacker has bypassed the authentication in the application by tampering the response without any validation.

Learning from this:

1. There should be strict server-side validation on critical fields like customer ID and mobile number.

2.There should be strong encryption at every Step in the application.Session id should be generated for the complete process and session id should be random and should get expire after a particular time period.

3. OTP generation mechanism should validate the Mobile number and Customer ID as well..