Welcome to my comprehensive series on the Top 5 Security Considerations for a New Web App. This post, focusing on Authentication and Authorization, is part of a broader effort to equip folks like you (developers, IT professionals, and web administrators) with essential security knowledge for proactively safeguarding their web applications. Throughout this series, we explore the critical security measures that are fundamental to the development and launch of a secure web application. For a complete overview and the context of this series, I invite you to read the Introduction post. This foundational understanding will enhance your grasp of why each consideration plays a vital role in the lifecycle of a web application in the initial buildout and the days immediately following the launch. Join me as we delve into the best practices, strategies, and real-world applications that underscore the importance of implementing robust security measures from the ground up.
Previous: Secure Coding Practices
2. Authentication and Authorization
In web application security, authentication and authorization are the critical gatekeepers. These processes ensure that only legitimate users can access an application and that they can only perform actions within their permitted scope.
Authentication involves verifying a user's identity. This is often the first line of defense against unauthorized access. Key practices in robust authentication include:
Authorization, on the other hand, determines what an authenticated user is allowed to do. It's about controlling user access levels and permissions within the application. Implementing role-based access control (RBAC) is a common and effective strategy in managing user permissions efficiently and securely. For web applications, authorization is most commonly done using a bearer token or a cookie. In implementations that aim to reduce or eliminate server-side state management for user sessions, bearer tokens typically use a signature to provide tamper resistance, which is critical to the trustworthiness of the token.
In addition to simply having authentication and authorization implemented in the application, it is important to ensure that the user-supplied credentials (e.g. username and password) and resulting values (e.g. session cookie, bearer token) are safely handled within the application. The security provided by these controls is undermined if there is leakage of these values to other users within the app, or to third parties with which the application interacts.
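As an added example (not code from the original post), the following Python shows the two ideas above together: a stateless bearer token whose payload is protected by an HMAC-SHA256 signature, verified with a constant-time comparison and an expiry check, followed by a role-based (RBAC) authorization decision. The signing key, the role table and the action names are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real deployment loads this from a secrets manager.
SECRET_KEY = b"demo-signing-key-do-not-use-in-production"

# Assumed role -> permitted-actions table (a minimal RBAC policy).
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(user_id: str, role: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issue a bearer token: base64(payload) + '.' + base64(HMAC-SHA256(payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "role": role, "exp": now + ttl_seconds},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token shape or bad base64
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak signature bytes.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return None if claims.get("exp", 0) <= now else claims

def is_authorized(token: str, action: str, now=None) -> bool:
    """Authentication (valid, unexpired token) and then authorization (role permits action)."""
    claims = verify_token(token, now)
    return claims is not None and action in ROLE_PERMISSIONS.get(claims.get("role"), set())

def with_role_rewritten(token: str, new_role: str) -> str:
    """Test helper: change the role claim but keep the old signature, to check tamper resistance."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["role"] = new_role
    forged = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(forged)}.{sig_b64}"
```

Because the role lives inside the signed payload, an edited role fails verification, and because `exp` is also signed, a client cannot extend its own session.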
A Case Study - Leaking Auth Tokens - Facebook (2017)
The 2017 Facebook breach, stemming from vulnerabilities in the platform's "View As" feature, serves as a pivotal case study on the complexities and critical importance of authentication and authorization in web application security. This breach, disclosed by Facebook in September 2018, impacted approximately 50 million users, making it one of the most significant security incidents for the company at that time. The vulnerability allowed attackers to steal Facebook access tokens, which are the credentials that keep people logged in to Facebook, thereby bypassing authentication measures and gaining the ability to take over user accounts.
The "View As" feature was designed to allow users to see their own profile from the perspective of someone else, a tool intended to give users more control over their privacy settings. However, this feature inadvertently introduced a security flaw that exposed a user's access token to accounts they were friends with. Specifically, the breach was a result of three distinct bugs in Facebook's video uploading feature that interacted with the "View As" feature in a way that allowed attackers to obtain access tokens for other users. These tokens could then be used to access and potentially take over the accounts of those users. This in turn allowed the attackers to target the accounts that were friends of the compromised users, and repeat the cycle.
Facebook's response to the breach included resetting the access tokens of the approximately 50 million accounts they believed were affected, as well as an additional 40 million accounts that had been subject to a "View As" lookup in the last year as a precautionary measure. This reset effectively logged out those users, requiring them to log back in—a step meant to secure their accounts. Furthermore, Facebook temporarily disabled the "View As" feature while they conducted a thorough security review.
Facebook’s public statement on this breach is available here: https://about.fb.com/news/2018/10/update-on-security-issue/
In Summary
Here are the core authentication and authorization controls that I would want to make sure are correctly implemented before launching a new application:
Related Materials
1. OWASP Cheatsheets on Authentication, Authorization, and Authorization Testing
2. Auth0’s guide on selecting an OAuth 2.0 Flow (https://auth0.com/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use):
OAuth 2.0 flows are commonplace today, especially when using third-party identity providers such as Auth0, AWS Cognito, or even some self-hosted providers like KeyCloak. This is a good starting point for understanding the different flows and security trade-offs between them.
Next: Data Encryption and Protection