Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly
authenticate. Web-based administration tools are a good example of
web sites providing access to sensitive functionality. Depending on
the specific online resource, these web applications should not be
directly accessible without first requiring the user to verify their
identity.
To avoid setting up authentication, some resources are
"protected" by hiding their location: the page is simply not linked from
the main web site or any other public place. This approach
is nothing more than "Security Through Obscurity". It's important to
understand that even though a resource is unknown to an
attacker, it remains directly accessible through its specific URL.
That URL can be discovered by brute-force probing
for common file and directory locations (/admin, for example), by error
messages, by referrer logs, or because it is documented in help files. Such
resources, whether they provide content or functionality, must be
adequately protected by an explicit authentication check rather than by
obscurity.
Example
Many web applications have been designed with their administrative
functionality located in a directory off the web root (/admin/). This
directory is usually never linked from anywhere on the web site, but it can
still be requested with a standard web browser.
Because the developer never expected anyone to view this page
(since it is not linked), adding authentication is often overlooked.
An attacker who simply visits this page obtains
complete administrative access to the web site.
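The following is an added example, not part of the original text, that models the scenario above in code: a minimal in-process web application whose unlinked /admin/ handler has no authentication check, a brute-force probe over common administrative paths that finds it anyway, and the same handler placed behind an explicit session check. The router, the session store, the probe wordlist and the path names are all constructed for illustration and do not come from any real framework.

```python
"""Hidden-but-unauthenticated /admin/ versus an authenticated /admin/.

Added illustration; all route names, the session store and the probe
wordlist are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import secrets


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request], Response]


class App:
    """Tiny router: a path maps to a handler; anything unknown is a 404.
    Note that 'not linked' is not a router concept: any registered path
    is reachable by whoever guesses it."""

    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def route(self, path: str) -> Callable[[Handler], Handler]:
        def register(handler: Handler) -> Handler:
            self.routes[path] = handler
            return handler
        return register

    def handle(self, request: Request) -> Response:
        handler = self.routes.get(request.path)
        return handler(request) if handler else Response(404, "Not Found")


# Server-side session store (constructed): session id -> username.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    """Issue an unguessable session id; credential verification is assumed
    to have happened before this point."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def current_user(request: Request) -> Optional[str]:
    return SESSIONS.get(request.cookies.get("session", ""))


def require_auth(handler: Handler) -> Handler:
    """Decorator: refuse the request unless a valid session is presented."""
    def wrapper(request: Request) -> Response:
        if current_user(request) is None:
            return Response(401, "Authentication required")
        return handler(request)
    return wrapper


def build_vulnerable_app() -> App:
    """'Hidden' admin directory with no authentication check at all."""
    app = App()

    @app.route("/")
    def index(_: Request) -> Response:
        return Response(200, "Welcome (no link to the admin area here)")

    @app.route("/admin/")  # never linked from the site, still routable
    def admin(_: Request) -> Response:
        return Response(200, "ADMIN PANEL: delete users, edit content")

    return app


def build_hardened_app() -> App:
    """Same admin handler, now behind an explicit authentication check."""
    app = App()

    @app.route("/")
    def index(_: Request) -> Response:
        return Response(200, "Welcome")

    @app.route("/admin/")
    @require_auth
    def admin(request: Request) -> Response:
        return Response(200, f"ADMIN PANEL for {current_user(request)}")

    return app


# Constructed wordlist of common administrative locations a scanner tries.
COMMON_ADMIN_PATHS = ["/admin/", "/administrator/", "/manage/", "/console/"]


def probe(app: App, wordlist: List[str] = COMMON_ADMIN_PATHS) -> Dict[str, int]:
    """Brute-force probe: request each candidate path with no credentials."""
    return {p: app.handle(Request(p)).status for p in wordlist}


def exposed_without_auth(app: App) -> List[str]:
    """Paths that answer 200 to an unauthenticated client."""
    return [p for p, status in probe(app).items() if status == 200]


if __name__ == "__main__":
    print("vulnerable app exposes:", exposed_without_auth(build_vulnerable_app()))
    print("hardened app exposes:  ", exposed_without_auth(build_hardened_app()))
    sid = login("alice")
    print(build_hardened_app().handle(Request("/admin/", {"session": sid})).body)
```

The probe needs no knowledge of the site's links: it asks the server for each candidate path directly, which is exactly why obscurity fails. The fix is the `require_auth` check on the handler itself; the same path now yields 401 to an anonymous or guessed session and 200 only to a session issued by `login`.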