User authentication is an important security measure put in place to protect your website and its applications; however, this very same system can be turned to a hacker's advantage as well. When your website's users require access to a certain area of the site, they must provide their login information (username and password) to prove that they are an authentic member of your website. Once the identity of the user has been validated against the provided information, the authentication application grants them access to that area of the site. While this helps to deter the novice hacker, a more advanced intruder can use plain HTTP requests to circumvent this process and gain access to sensitive areas of your website.
What Can Happen
A hacker can use the authentication process to invade a member area by falsely convincing the authentication application that they are indeed a valid user. If the hacker only has the ability to access your website as a standard user, then the damage they can inflict will be minimal. However, if the hacker can gain administrative access to your website, they can take complete control of the website and all of its stored data in a very short period of time, usually within an hour or two. Of course, this could be a potentially fatal situation for your online business, especially if they gain access to critical financial information.
The Process of False User Authentication
Usually the process begins with the hacker finding the login screen where they can enter the necessary information to complete authentication. Once they have found the location of the login page, they can enter its URL into an automated tool that repeatedly submits different username and password combinations to both fields until a working combination is found. Often the hacker will simply try this process manually before resorting to the automated tool. For this reason it is important that you do not use a simple or default administrator username and password such as "admin" or "1234." When the hacker uses an automated program to bypass user authentication, it is known as a "brute force attack."
Preventing and Combating False User Authentication
Hackers use tools that read the error codes and other information returned by the web server to find out when their attempts are working, essentially repeating the process in a trial-and-error fashion until no error message comes back. One way to keep hackers from accomplishing this is to adjust the server configuration to return an "HTTP 200 OK" response whenever an unexpected request is received. Effectively this makes it very hard for the hacker to tell which attempts succeeded and which were denied. Another effective way to prevent brute force attacks is to present a randomly generated phrase that must be re-entered by the user requesting access before the login is processed. This is called a "De-captcha," and it can be downloaded as an application and used in conjunction with your control panel. De-captcha tools make the process of false user authentication very difficult to bypass for most hackers.
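The detection side of the above, as an added example that is not part of the original article: a small detector that walks web-server login log lines and flags any client address with a burst of failed logins inside a time window, and upgrades the alert when that burst is immediately followed by a success (the case where the guessing worked). The log format, field names, threshold and window are assumptions chosen for the demo; the sample log is constructed.

```python
"""Brute-force login detection over web-server login log lines (added example).

Assumed log format (not from the article): "<ISO timestamp> <client ip> <result> <username>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one address hammers the admin account and then gets in;
# another has two failures far apart, which is normal user behaviour.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 LOGIN_FAIL admin
2024-05-01T10:00:02 203.0.113.7 LOGIN_FAIL admin
2024-05-01T10:00:03 203.0.113.7 LOGIN_FAIL admin
2024-05-01T10:00:04 203.0.113.7 LOGIN_FAIL admin
2024-05-01T10:00:05 203.0.113.7 LOGIN_FAIL admin
2024-05-01T10:00:06 203.0.113.7 LOGIN_OK admin
2024-05-01T10:00:10 198.51.100.4 LOGIN_FAIL alice
2024-05-01T10:07:30 198.51.100.4 LOGIN_FAIL alice
2024-05-01T10:07:31 198.51.100.4 LOGIN_OK alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK) (\S+)$")


def parse_line(line):
    """Return (timestamp, ip, result, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, result, user = m.groups()
    return datetime.fromisoformat(ts), ip, result, user


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (alert_kind, timestamp)} for addresses with >= threshold failures
    inside a sliding window; alert_kind becomes "burst_then_success" if a login
    succeeds from that address after the burst was seen."""
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, result, _user = parsed
        recent = fails[ip]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if result == "LOGIN_FAIL":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = ("burst", ts)
        elif ip in alerts and alerts[ip][0] == "burst":
            alerts[ip] = ("burst_then_success", ts)
    return alerts
```

In production the same logic would run over the real access or auth log and feed a block list or lockout, which is what makes the uniform-response advice above actually bite: the attacker learns nothing from the server, while the defender still sees the burst.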