Security & Compliance

Common Security Pitfalls of User Management: What You Need to Know

Introduction

When creating applications that require rigorous user management, it's important to consider all aspects of implementation. It should be easy for the user to understand and navigate, but most importantly, it should be as secure as possible. Data leaks and breaches have become extremely common in the 21st century, and users are catching on as well, paying attention to the security measures of the SaaS applications they use.

Many attacks target your authentication service. Authentication is one of the most critical components of any application: as the first line of defense, it is how an application verifies that the user requesting a resource is indeed who they claim to be and is authorized to access it.

A tech company must constantly evolve with new authentication and user management technologies so that its users' data stays safe and secure. In this post, we've gathered the most common security attacks you should guard against when selecting a user management system or designing your SaaS authentication processes.

So, let’s talk about some common attacks on authentication…

Phishing

According to this FBI report, phishing was the top cybercrime in 2020, with 241,321 reported incidents. A phishing campaign can be targeted at a specific person of interest to compromise access to a particular resource, or it can be aimed at the masses to compromise accounts, leak data, or simply make money from the scam.

Phishing works by convincing unsuspecting users that they are entering their details into a legitimate interface, when in fact that interface has been faked. One of the most common phishing attacks targets the most popular social media platform, Facebook.

[Image: what is phishing]

To compromise a Facebook account, attackers set up a page that looks exactly like Facebook's authentic login page, with username and password fields. A link to the phishing page is then sent to the targets; when a user opens the link and enters their login details, the form does not submit them to the real login: the attackers capture the credentials and redirect the victim to the genuine page.

Generally, this can be prevented by two-factor authentication. Still, some attackers are willing to go a step further and bypass two-factor authentication with reverse-proxy tools such as Modlishka, using them to phish users into sharing their one-time passwords.

Phishing is also common in the banking industry, where attackers send a page that looks precisely like the bank's and steal sensitive details such as login and credit card information.

MFA spoofing

[Image: MFA spoofing]

We know that two-factor authentication provides better security for the user. Attackers, however, have already come up with various ways to compromise access secured with two-factor authentication, by exploiting the weakest link in the security chain: humans.

After obtaining the target account's password through methods such as brute force, phishing, or exploiting application vulnerabilities, attackers still need the one-time password sent to the user's mobile number or email address. To get it, attackers spoof a message that tricks users into sending their one-time passwords to the attackers.

The message sent by the attacker imitates a legitimate website or service you use so that it doesn't look fake. It includes a link or a file that, once downloaded, installs malware on your phone. This malware forwards all of your SMS messages to the attacker, so any OTP they trigger using your details reaches them through the malware as well.

General Web Attacks

There is also the possibility that website developers have not implemented various security services and protocols, leaving vulnerabilities in the website that an attacker can later exploit. The impact of a website attack typically ranges from the website being down for a while to the compromise of all users' data.

One of the most common website attacks is SQL injection.

[Image: SQL injection]

While authenticating the entered username and password, the backend (in a website that uses an SQL database) forms an SQL query that asks the database whether there is an account with that username and password.

Now suppose the backend does not sanitize the user's input and inserts it directly into the SQL query text. In that case, attackers can craft the input so that the SQL server executes queries of the attacker's choosing. This can result in the complete compromise of the website's database, including the user data it stores.
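As an added example (not code from the original post), the following Python snippet shows the pattern just described next to its parameterized form, using an in-memory SQLite table with a single constructed account. The account name, the password and the quote-bearing test input are all made up for this example; the point is that with placeholders the database driver treats the input as data, so the SQL structure cannot be changed by it.

```python
"""Added example (not from the original post): the same login check written
with string formatting and with a parameterized query, run against an
in-memory SQLite table holding one constructed account."""
import sqlite3

# Constructed sample account for this example only.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret-demo-value"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a single user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the post warns about: user input is pasted into the SQL text.

    A quote character in either field ends the string literal early, so the
    rest of the input is parsed as SQL and changes what the WHERE clause means.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the SQL fixed and send the input as data.

    The driver never interprets the values as SQL, so a quote in the username
    is just a character that would have to match the stored username.
    (Storing a salted password hash instead of the plaintext value is a
    separate improvement not shown here.)
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both versions with a valid login and with a quote-bearing input."""
    conn = setup_db()
    # Constructed input containing a quote and an SQL comment marker: with
    # string formatting it rewrites the WHERE clause; with placeholders it is
    # simply a username that does not exist.
    quoted_input = "' OR 1=1 --"
    return {
        "valid_vulnerable": login_vulnerable(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "valid_parameterized": login_parameterized(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "quoted_vulnerable": login_vulnerable(conn, quoted_input, "anything"),
        "quoted_parameterized": login_parameterized(conn, quoted_input, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Running the block shows the vulnerable version accepting the quote-bearing input without a valid password, while the parameterized version rejects it and still accepts the genuine credentials. The same rule applies to every database driver: never build query text from user input; pass values through the driver's placeholder mechanism.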

Another example is cross-site scripting (XSS).

[Image: cross-site scripting (XSS)]

In XSS attacks, the attacker attempts to attach malicious code to a legitimate site in the expectation that an unsuspecting user will fall victim to it when they load the site. The code is often appended to the end of a URL or pasted into a page that contains user-generated content. It is effectively a client-side code attack.

This sort of attack can be damaging, as the injected code can access a user's cookies and extract login credentials for important websites, or help attackers gain access to geographical location, webcam data, or other such sensitive information.

One way to avoid this sort of attack is to introduce validation checks on user input, so that only the expected type of data is accepted.
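As an added example, not taken from the original post, the following Python snippet renders a user-supplied comment into HTML both without and with output encoding, and adds the kind of input validation check suggested above for a structured field. The sample comment, the display-name rule and the function names are assumptions made for this example. It also goes slightly beyond the paragraph: it shows why validation alone is not enough for free-text fields, where encoding the output for the HTML context is the control that keeps the markup from being parsed as code.

```python
"""Added example (not from the original post): rendering user-generated
content into HTML without and with output encoding, plus an input
validation check for a structured field.  Standard library only."""
import html
import re

# Constructed sample comment: markup that a browser would execute if it
# reached the page unencoded.
SAMPLE_COMMENT = '<script>alert("xss")</script>'

# Allowlist for a structured field such as a display name (hypothetical rule
# for this example: letters, digits, space, underscore, dot, dash; 1-32 chars).
DISPLAY_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")


def render_comment_unsafe(author: str, comment: str) -> str:
    """The vulnerable pattern: user text is concatenated straight into HTML."""
    return f"<p><b>{author}</b>: {comment}</p>"


def render_comment_safe(author: str, comment: str) -> str:
    """Hardened form: encode for the HTML text context before inserting.

    html.escape turns <, >, &, and quotes into entities, so the browser shows
    the characters as text rather than parsing them as tags or attributes.
    """
    safe_author = html.escape(author, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f"<p><b>{safe_author}</b>: {safe_comment}</p>"


def is_valid_display_name(name: str) -> bool:
    """Input validation for a field with a known shape.

    Validation is a good first filter for structured fields, but free-text
    fields such as comments legitimately contain '<' and '&', so output
    encoding is still required for them.
    """
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def contains_script_tag(rendered_html: str) -> bool:
    """Helper for the demo: does the output still contain a raw <script> tag?"""
    return "<script" in rendered_html.lower()


def demo() -> dict:
    """Compare both renderers on the sample comment and exercise validation."""
    author = "mallory"  # constructed author name
    return {
        "unsafe_has_script": contains_script_tag(render_comment_unsafe(author, SAMPLE_COMMENT)),
        "safe_has_script": contains_script_tag(render_comment_safe(author, SAMPLE_COMMENT)),
        "name_ok": is_valid_display_name("alice_01"),
        "name_with_markup_ok": is_valid_display_name("<b>alice</b>"),
    }


if __name__ == "__main__":
    print(render_comment_unsafe("mallory", SAMPLE_COMMENT))
    print(render_comment_safe("mallory", SAMPLE_COMMENT))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The encoding shown is correct for text placed between HTML tags; a value inserted into a JavaScript string, a URL, or an attribute needs the encoding rules of that context instead, which is why template engines that escape by default are preferable to hand-built strings.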

There are other types of web attacks as well, such as Cross-Site Request Forgery (CSRF) and Denial of Service attacks. OWASP covers these and other attack types in more depth.

Conclusion

Securing client-facing applications is a complex task, but complying with industry standards and preparing for worst-case scenarios makes it possible to provide a completely secure experience to users. In this article we've described some of the popular attacks that could be performed against your user management and identity infrastructure. Ultimately, your choice of user management tools and services, along with a definitive action plan for how you want to secure your data, will help you create a workflow that is secure without being inconvenient for your users.

Frontegg provides an end-to-end user management solution that contains the most secure and granular security policies, features and measures, so that the risk of a successful attack on your user infrastructure is minimized to zero.