
how to restrict bypassing of authentication


Hi experts,

We have second-factor authentication in our portal product. Using the hacking tool Burp Suite, I'm able to capture the request and the response coming from the server.

Case 1: the user has primary authentication with user name and password, and secondary authentication with an OTP sent to his mobile. After entering this OTP, he can log in to the portal. Now, at the end stage, I'm getting an authenticated response from the server as shown below:

HTTP/1.1 302 Found
content-type: text/plain
set-cookie: MYSAPSSO2=***************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************%3D;path=/;domain=.*************;HttpOnly
set-cookie: JSESSIONMARKID=(J2EE2816900)ID1049281650DB414bde284b5152939d4cf5487d21ccc0cffd7091End; Version=1; Path=/; Secure; HttpOnly
location: https://hosthttps://host/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default:443/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default
content-length: 0
date: Wed, 28 May 2014 05:27:09 GMT
set-cookie: com.sap.engine.security.authentication.original_application_url=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

This is the response which we are able to capture. Now we can log in again using a wrong user name and a wrong password: using the Burp Suite tool, we intercept the response, replay the above response, and we are able to log in.

Here we are not able to restrict this particular stage.

Is there any solution to stop this? Please suggest one.

Regards

Govardan Raj S
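The replay described above, modelled from the defender's side as an added example (not code from the original post or from SAP): a server that checks every request against its own session registry accepts a captured token only while that session is still live, so short session lifetimes and server-side invalidation on logout are the controls that limit what a replayed Set-Cookie can do. All names, the user, the timestamps and the cookie values are constructed.

```python
import secrets
from typing import Optional

# Constructed, in-memory stand-in for the portal's server-side session
# registry (assumption: not SAP's own code). Every request is checked
# against this registry, not against the contents of the cookie itself.
class SessionStore:
    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._live: dict[str, tuple[str, float]] = {}  # token -> (user, issued_at)

    def issue(self, user: str, now: float) -> str:
        """Issue a session only after password AND OTP were verified."""
        token = secrets.token_urlsafe(32)
        self._live[token] = (user, now)
        return token

    def validate(self, token: Optional[str], now: float) -> Optional[str]:
        """Return the user for a live token, None for unknown or expired ones."""
        if token is None or token not in self._live:
            return None
        user, issued = self._live[token]
        if now - issued > self.ttl:
            del self._live[token]  # expired: drop it server-side
            return None
        return user

    def logout(self, token: str) -> None:
        """Invalidate server-side so a captured copy stops working."""
        self._live.pop(token, None)


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a Cookie request header ('a=1; b=2') into a dict."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def replay_scenario() -> dict[str, Optional[str]]:
    store = SessionStore(ttl_seconds=300)
    t0 = 0.0
    token = store.issue("raj", t0)
    # Constructed stand-in for the captured Set-Cookie value being sent back.
    cookies = parse_cookie_header(f"JSESSIONMARKID={token}; MYSAPSSO2=redacted")
    results = {"replay_while_live": store.validate(cookies["JSESSIONMARKID"], t0 + 10)}
    results["forged_token"] = store.validate("JSESSIONMARKID-guess", t0 + 10)
    store.logout(token)
    results["replay_after_logout"] = store.validate(cookies["JSESSIONMARKID"], t0 + 20)
    fresh = store.issue("raj", t0 + 30)
    results["replay_after_expiry"] = store.validate(fresh, t0 + 30 + 301)
    return results
```

The first result shows why the replay in the question works: the captured cookie is a genuine, still-live token, so a correctly behaving server accepts it; the other three show what the server can refuse.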


1 Answer

  • Best Answer
    Former Member
    May 28, 2014 at 07:13 AM

    Hi,

    What you describe above is a man-in-the-middle attack. This is usually countered by using SSL to encrypt the traffic. Actually, the system will not even try to evaluate the username and password supplied, as you have all the info identifying the user's session at hand, and therefore the system believes this is a valid session of the user who had just been authenticated using his credentials.

    For more info on how to protect your system, I'd recommend reading 'Protecting SAP Apps', as it gives some background info and further tips on how to secure your system. In addition, you can always check the security guides.

    Kind regards,

    Patrick


    • Former Member govardan raj

      Hi Raj,

      There are only two solutions. Stop using Burp on the proxy servers, as this not only allows for tampering with password info but with ALL information passed through (i.e. changing business data like account details in invoices), or use another authentication scheme like SAML2 with an external IdP or some hardware-based token with a feedback channel which does not use the tracked SSL proxies.

      Please be aware that as long as you are able to directly intercept the communication between the client and the server, everything that is not digitally signed by the sender cannot be trusted by the receiver. However, a solution to digitally sign every message in HTTP-based communications (not the channel but the message itself) is not known to me for standard HTTP-based communications. Also, this would require changes to both the browser and the server.

      Regards,

      Patrick