University of Twente Student Theses
Vulnerability Testing for WebAuthn
Chen, Peizhou (2024) Vulnerability Testing for WebAuthn.
Abstract: Authentication is crucial to maintaining confidentiality on the web. Passwords are vulnerable to data leaks, reuse, and phishing attacks. To mitigate these, FIDO2 offers a more secure and easier way to authenticate. However, the complexity of the protocol might leave developers with wrong assumptions, leading to vulnerable implementations. Currently, there are not many tools available to assess server-side misconfigurations of FIDO2 implementations. This thesis proposes a novel methodology to create a Burp Suite extension that can be used in black-box penetration testing engagements. We implement a tool that identifies and addresses misconfigurations, along with exploring potential attack vectors. This can enhance testing efficiency by automatically scanning for twenty-five test cases. We have conducted tests on five public websites, of which three did not fully comply with the security practices of the official WebAuthn standard. Furthermore, one of these misconfigurations led to a full account takeover. We also introduce a novel Cross-Site Request Forgery attack tailored to exploit the improper session management of web services during WebAuthn operations. This attack can result in a complete takeover of user accounts. Our testing covered thirteen websites, with one being vulnerable to this attack. This work contributes to a better understanding of FIDO2/WebAuthn implementation security. We aim to provide insights into the potential security risks associated with incorrect implementations of this promising protocol.
Item Type: Essay (Master)
Clients: Computest, Zoetermeer, the Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/98532