As of the present, there are at least four different authentication methods created specifically for web applications and these are: basic authentication, digest authentication, forms-based authentication, and single sign-on (SSO) authentication and shared authentication.
Basic authentication is a form of authentication method wherein a certain file with .htpasswd extension is needed and the document includes the credentials of the person who has received consent to gain access into a resource. In addition, there is also a need to add this file into a fully-protected directory.
The second authentication scheme is the digest authentication and this is the method that is widely used by the web servers in today’s time. This is utilized for the purpose of bargaining for credentials between the server and the users. Digest authentication had been considered to be a very acceptable scheme but it did not create that kind of impact, as based on the technical reports.
Forms-based authentication is mostly utilized among the three other authentication schemes for the reason that it has a special capability to create a connection with the DBMS and also to track user sessions. And, last but not the least are the single sign-on authentication and shared authentication methods, which are deemed as property of access control. This allows a user to access all parts of a system by just logging in once.
Brute Force Attack
There are certain attacks that target the authentication schemes of web applications and these include the following: brute force or dictionary attacks, phishing, and others like malware and keyloggers. Brute force or dictionary attacks occur in such a way that it imitates a user while attempting authentication with a specific web application. The tools utilized in this method of breaking into authentication schemes are Brutus, wwwhack, AccessDriver, and thc-hydra. This may be prevented by setting up an account lockout and IP blacklisting.
Phishing is known to be as a high-risk procedure of breaking the SSO and the schemes that are related to the shared authentication. This is considered to be as a direct type of man-in-the-middle attack. This occurs by concealing itself in a mask that appears as a website with the sole purpose of gathering sensitive data from the users. Certain defense systems were recommended to fight off this attack and these are the use of URL scanners, OpenDNS, as well as the PhishTank.
Scan your website with the Penetrator auditing software and see if you are vulnerable to the different types of attacks.
If your server is wide open to attack secure it properly before it is too late.