Which Website Pages Are Hackers Interested In?

A security flaw in the login page of a web application or website can allow hackers to easily bypass security mechanisms and gain access to important parts of the site.

This article examines the most common security problems of website login pages that interest hackers.

Favorite pages of hackers

First, let’s talk about website login pages with security issues. Login pages, also known as user pages, are a bigger target for hackers than any other page and should be evaluated carefully.

If there is even a slight weakness in a login page, hackers can exploit it. Security experts suggest website owners use an authentication mechanism and apply restrictions for each user account to secure the login page.

The critical thing to be aware of is that some authentication mechanisms have vulnerabilities. That’s why it’s essential to perform security tests when implementing them. In the following, we briefly describe the common vulnerabilities of login pages.

No account lockout mechanism

Typically, hackers go after websites whose login page has no protection against password guessing. These login pages are especially attractive because several kinds of attack can be carried out against them.

Hackers can also use simple, free tools to guess passwords and carry out brute-force attacks. In short, one of the defects we regularly see in login pages is the lack of a lockout mechanism.

This flaw lets hackers use a wide variety of automated tools or manual processes to discover passwords in a short time. When the login screen has no lockout, hackers can keep entering passwords until they succeed.

Descriptive error messages

Users who enter an incorrect password on the login page will see an error message stating that the password is incorrect. Suppose the lockout mechanism is not enabled, or the web developers show the user unnecessary detail on the screen, such as “you have entered a wrong username” or “the password for this account is incorrect”. In that case, hackers learn what they need to test and what they can skip.

Let us explain this with an example. Suppose a user tries to log in to a website with an invalid username; the system then shows an error.

The errors that the user may receive are as follows:

  • Account not found.
  • The username is wrong.
  • The password is invalid.
  • The password is not entered correctly.
  • The Caps Lock key is on or off.
  • There is no user with this profile.
  • The username includes uppercase and lowercase letters.
  • The username does not contain numbers.
  • And other similar cases.

If any of the above statements is displayed to the user after an incorrect login attempt, it is a mistake, because each one gives hackers an essential clue about how to get past the username and password barrier. For example, the hacker learns that the username is valid and that he can now concentrate on cracking the password by brute force and trial and error.
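As an added illustration (not code from the original article), here is a minimal Python login check that returns the same message, and does the same hashing work, whether the username exists or not, so neither the error text nor the response time reveals which half of the credentials was wrong. The in-memory user store, the sample password, and the helper names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example (a real app would use a database).
# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in clear text.
def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record used when the username does not exist. Verifying against it costs the
# same as a real lookup, so an attacker cannot tell "no such user" from "wrong password"
# by timing the response. Its password is random, so it can never match.
_DUMMY = make_user(secrets.token_urlsafe(16))

# One message for every failure: no hint about which part was wrong.
GENERIC_ERROR = "Invalid username or password."

def login(username: str, password: str) -> tuple[bool, str]:
    """Return (success, message). The message is identical for all failure causes."""
    record = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and username in USERS:
        return True, "Login successful."
    return False, GENERIC_ERROR
```

The same uniform message should also be used on the "forgot password" and registration pages, which are often overlooked and leak whether an account exists.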

Direct display of errors

One of the biggest security problems faced by websites, especially hosting providers, is leaking too much technical information. Unfortunately, some web developers code poorly and have not prepared error-handling pages. As a result, when an error occurs, the hacker can see the technical details, for example the code on the web page that caused the problem. In general, users do not need to see error codes that are useless to them.

Weak passwords

Weak passwords are vulnerable to dictionary attacks, brute-force searches, and similar techniques. Every year, research in this field shows that users, and even website administrators, still use weak passwords. Unfortunately, statistics show that some users still choose passwords like 111111, abc123, qwerty, 1234567, and similar examples. These passwords are well known to hackers and are included in the dictionaries they use.

Weak passwords are one of the main reasons for security problems and cyber attacks. It’s not hard to find web applications that have less-than-strong password policies.

Another problem with user-selected passwords is their shortness.

The above vulnerability is expected because the developers ignored security while coding and did not require users to choose at least 8 or 9 characters combining letters, numbers, and symbols. Unfortunately, most users prefer passwords of five characters or fewer. Why does this problem still exist?

Some website owners say: “Our users don’t like strict policies and prefer to choose simple passwords for their user accounts. We also respect their opinion.” The reality is that you need strong passwords. Another problem that is often seen, especially on Iranian websites, is that users are able to copy and paste passwords into the relevant fields. Hackers or malware can read main memory and steal those passwords.

Failure to enforce password complexity

It’s one thing to tell users to choose a combination of uppercase and lowercase letters, numbers, and special characters for their passwords and another to have policies that enforce it. Some websites tell users to use complex passwords during registration but have no clear policy behind the advice. If you do not require the user to follow the rules when setting a password, users will do as they please and choose simple passwords.

Failure to protect login pages with encryption

Another major vulnerability of website login pages is the lack of session encryption. As a result, session data and cookies are created and exchanged in clear text. A bigger problem is that some websites use old versions of TLS or expired SSL certificates. In either case, the website is vulnerable to man-in-the-middle attacks.

Lack of multi-factor authentication

Another common vulnerability is not using a multi-factor authentication mechanism. This functional feature significantly increases website security. In a situation where Google uses a multi-factor authentication mechanism for Gmail e-mail, we see that some Iranian websites are indifferent in this regard.

The multi-factor authentication mechanism means that if a hacker knows the username and password to log in to a user account, he still needs a code sent to the phone number specified by the user to log in to the website. Google says that enabling the above feature on Gmail accounts has significantly decreased the hacking of Gmail user accounts.

Multi-factor authentication (MFA) or two-factor authentication (2FA) refers to the process in which the user must enter the code he receives in the corresponding field to verify his identity and enter the user account. Multi-factor authentication creates a second layer of defense so that hackers cannot gain access to user accounts so easily. If one factor is compromised or broken, the attacker still faces one or more additional obstacles.

Is the multi-factor authentication mechanism risk-free?

While multi-factor authentication seems powerful, it can cause trouble if implemented carelessly. Among the risks surrounding this mechanism, the following should be mentioned:

No time limit: Let’s say we have two-factor authentication that will send a code to your mobile phone. If the code is sent to your mobile phone, anyone who has access to your phone (in any way) can easily use that code. Suppose no time limit is taken into account when the code is used. In that case, the user is exposed to significant risk because authentication does not guarantee security and creates a huge vulnerability.

For this reason, to prevent such a problem, you should set a time limit. For example, the code sent to the phone should be valid for 30 seconds or 1 minute.

No limit on the number of attempts to enter a PIN code: suppose a code is sent to the user’s mobile phone, and you set a time limit of one minute for it. In the world of hacking, some tools can try many different combinations in a short period. If there is no limit on the number of times a code can be attempted, you have created a vulnerability in your security mechanism.

Therefore, to prevent this problem, it is better to lock the user account after the wrong code is entered several times, or to block further attempts for a certain period.

Short PIN codes: Another point to pay attention to is the number of characters in the code you send to the user. If the codes are too short, hackers can easily guess them, and hacker tools can find them in a short time. For this reason, do not forget to use at least the minimum safe length for codes. The correct value is six characters.
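The three points above (a time limit, a limit on wrong attempts, and a six-digit code) fit in one small verification routine. The following Python class is an added example, not code from the article; the sixty-second lifetime and six digits follow the text, while the limit of three wrong guesses, the class and method names, and the injected clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6           # article: six characters is the correct minimum
OTP_TTL_SECONDS = 60     # article: valid for 30 seconds or 1 minute
OTP_MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed before the code is discarded

@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts_left: int

class OtpService:
    """Issues single-use numeric codes and enforces expiry and an attempt limit."""

    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable for testing
        self.pending: dict[str, PendingOtp] = {}

    def issue(self, username: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-padding keeps codes like 004213 six digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = PendingOtp(code, self.clock() + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS)
        return code   # in a real system this is sent by SMS, never returned to the browser

    def verify(self, username: str, submitted: str) -> str:
        """Return one of: 'ok', 'wrong', 'expired', 'locked', 'no_code'."""
        entry = self.pending.get(username)
        if entry is None:
            return "no_code"
        if self.clock() > entry.expires_at:
            del self.pending[username]          # an expired code is never accepted
            return "expired"
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self.pending[username]          # single use: a code cannot be replayed
            return "ok"
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self.pending[username]          # too many guesses: the user must request a new code
            return "locked"
        return "wrong"
```

Deleting the pending code after the last failed attempt means an attacker who guesses at full speed gets at most three tries per issued code, which turns a one-in-a-million guess into a practically hopeless one.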

Password guessing attack

Some sources call the password-guessing attack a brute-force attack. This attack tries combinations of letters, numbers, and symbols one after another until the correct password is found.

For this reason, an account lockout mechanism is recommended after several incorrect password attempts. In a brute-force attack, the attacker tries usernames and passwords until he finds the right combination.

This attack succeeds when weak passwords are used. Unfortunately, many free hacker tools can carry out these attacks successfully. It is recommended to enable a limit on failed login attempts so that the account is locked after the wrong username and password are entered a certain number of times.

Typically, the account should be locked after three to five failed attempts. To prevent a brute-force attack from succeeding, the following password policies apply:

  • Passwords must be at least eight characters long.
  • Passwords must contain a combination of letters, numbers, and symbols.
  • Passwords must be a combination of uppercase and lowercase letters.
  • Passwords should not contain personal names or other well-known names.
  • Do not use three identical characters in a row in the password.
  • Consecutive characters such as ABC or 123 should not be used in passwords.

If possible, prepare a blocklist so that users cannot choose weak passwords that appear on it.
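To turn the password rules listed above, and the earlier point about enforcing complexity rather than merely recommending it, into something a registration form can actually enforce, here is an added Python validator (not from the original article). The blocklist and the list of names are small constructed samples; a real deployment would load a large list of breached and common passwords.

```python
import re

MIN_LENGTH = 8   # article: at least eight characters

# Constructed sample blocklist; the article's own examples are included.
BLOCKLIST = {"111111", "abc123", "qwerty", "1234567", "password", "letmein"}
# Constructed sample of names that must not appear inside a password.
KNOWN_NAMES = {"alice", "bob", "admin"}

def _has_sequence(pw: str, length: int = 3) -> bool:
    """True if pw contains `length` consecutive characters such as 'abc', '123' or 'cba'."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if all(ch.isalnum() for ch in chunk):
            diffs = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(length - 1)}
            if diffs == {1} or diffs == {-1}:
                return True
    return False

def check_password(pw: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    low = pw.lower()
    forbidden = KNOWN_NAMES | ({username.lower()} if username else set())
    if any(name in low for name in forbidden):
        problems.append("contains a name or the username")
    if re.search(r"(.)\1\1", pw):           # three identical characters in a row
        problems.append("three identical characters in a row")
    if _has_sequence(pw):
        problems.append("contains a sequence like abc or 123")
    if low in BLOCKLIST:
        problems.append("is on the blocklist")
    return problems
```

Returning every violation at once, rather than the first one, lets the registration page show the user the full list of what to fix instead of making him resubmit repeatedly.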

Some web developers say that multi-factor authentication creates security problems when logging into websites. That is true, but as long as the website’s security faces a severe challenge, the available solutions should be used as well as possible. Another solution is a captcha. The captcha must be embedded in the website login page and completed correctly before the submit button is clicked. A captcha is not a strong security barrier, but it does address the problem of brute-force attacks.

In this case, hackers have to do most of the work manually, which makes them easier to detect. The captcha works like this: if a user has five unsuccessful login attempts in 30 minutes, the application treats it as a brute-force attack and asks the user to solve the captcha correctly.
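The captcha rule just described and the lockout rule recommended earlier are both decisions about the same thing: how many failures an account has accumulated recently. The following Python class is an added example (not code from the article) that tracks failures per account in a sliding 30-minute window, requires a captcha after five failures as the text states, and escalates to a temporary lock after ten; the ten-failure threshold, the fifteen-minute lock duration, the class name, and the injected clock are assumptions made for the example, and a stricter site could lock at three to five failures as the article also suggests.

```python
import time
from collections import deque
from dataclasses import dataclass, field

CAPTCHA_WINDOW = 30 * 60     # article: five failures within 30 minutes triggers the captcha
CAPTCHA_THRESHOLD = 5        # article
LOCKOUT_THRESHOLD = 10       # assumed escalation point; the article's 3-5 is the stricter choice
LOCKOUT_SECONDS = 15 * 60    # assumed lock duration

@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    locked_until: float = 0.0

class LoginGuard:
    """Decides, per account, whether a login attempt may proceed, needs a captcha, or is locked out."""

    def __init__(self, clock=time.time):
        self.clock = clock                               # injectable for testing
        self.accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def _prune(self, state: AccountState, now: float) -> None:
        # Drop failures older than the window so old mistakes do not count forever.
        while state.failures and now - state.failures[0] > CAPTCHA_WINDOW:
            state.failures.popleft()

    def status(self, username: str) -> str:
        """Return 'locked', 'captcha' or 'ok'; call this before checking the password."""
        state = self._state(username)
        now = self.clock()
        if now < state.locked_until:
            return "locked"
        self._prune(state, now)
        if len(state.failures) >= CAPTCHA_THRESHOLD:
            return "captcha"
        return "ok"

    def record_failure(self, username: str) -> str:
        """Register a failed attempt and return the account's new status."""
        state = self._state(username)
        now = self.clock()
        self._prune(state, now)
        state.failures.append(now)
        if len(state.failures) >= LOCKOUT_THRESHOLD:
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return self.status(username)

    def record_success(self, username: str) -> None:
        """A successful login clears the failure history."""
        state = self._state(username)
        state.failures.clear()
        state.locked_until = 0.0
```

In a real deployment the state would live in a shared store such as a database or cache rather than in process memory, so that the counter survives restarts and is shared across application servers; the decision logic stays the same.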

Last word

In this article, we tried to walk you through the common problems of websites and login pages and the hidden vulnerabilities in these pages. However, don’t forget that each of these sections has much more detail behind it. As we mentioned, website login pages are of interest to hackers because developers ignore the security measures needed to protect them.

That’s why login pages are among the most vulnerable parts of websites. Also, in most cases, website owners are not interested in using a two-factor authentication mechanism, so you shouldn’t simply skip this issue.

Web developers should evaluate these essential items and troubleshoot them before performing penetration testing. In most cases, paying attention to these fundamental issues helps to make the penetration testing process less complicated and faster.