Differentiating unknown user and known user with wrong password ?

Differentiating unknown user and known user with wrong password ?

Mani, Vellingiri (Nokia - IN)

Hi,

Same response code (401) from Syncope during self-authentication [1] for both an unknown user and a known user with a wrong password.

[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with a wrong password?

Regards,

Vellingiri

Re: Differentiating unknown user and known user with wrong password ?

ilgrosso
Administrator
On 22/10/2016 16:59, Mani, Vellingiri (Nokia - IN) wrote:

Hi,

Same response code (401) from Syncope during self-authentication [1] for both an unknown user and a known user with a wrong password.

[1] http://10.10.10.10:8080/syncope/rest/users/self

How can we distinguish between the unknown user and the known user with a wrong password?


This is on purpose: if there were different HTTP statuses, an attacker could exploit it to enumerate the existing users.

Having said that, and even though I would not advise it, there is the chance to override such behaviour - in Syncope there is always a means to override ;-) - by tweaking the Spring Security configuration: see some recent e-mails about this topic for more details.

Regards.
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

RE: Differentiating unknown user and known user with wrong password ?

Mani, Vellingiri (Nokia - IN)

Hi Francesco,

I understand. For a suspended user, the response is 401. Is it for the same reason?

Regards,

Vellingiri


Re: Differentiating unknown user and known user with wrong password ?

Francesco Chicchiriccò-2
On 24/10/2016 16:52, Mani, Vellingiri (Nokia - IN) wrote:

Hi Francesco,

I understand. For a suspended user, the response is 401. Is it for the same reason?


Not quite: this is because of the authentication.statuses configuration parameter

https://syncope.apache.org/docs/reference-guide.html#configuration-parameters

which does not contain 'suspended' by default; when you add it to the list of statuses allowed for authentication, suspended users will be able to authenticate themselves.

HTH
Regards.

-- 
Francesco Chicchiriccò
Tel +393290573276

Amministratore unico @ Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/

"To Iterate is Human, to Recurse, Divine"
(James O. Coplien, Bell Labs)

RE: Differentiating unknown user and known user with wrong password ?

Mani, Vellingiri (Nokia - IN)

Hi Francesco,

I added 'suspended' to the authentication.statuses parameter, but the response is still "401 Unauthorized".

Regards,

Vellingiri


Re: Differentiating unknown user and known user with wrong password ?

ilgrosso
Administrator
On 25/10/2016 09:18, Mani, Vellingiri (Nokia - IN) wrote:

Hi Francesco,

I added 'suspended' to the authentication.statuses parameter, but the response is still "401 Unauthorized".


Sorry, my bad: I did not check the actual code, e.g.

https://github.com/apache/syncope/blob/syncope-2.0.1/core/spring/src/main/java/org/apache/syncope/core/spring/security/AuthDataAccessor.java#L138-L145

which first forbids access when the user is suspended and only then checks authentication.statuses.

I have also added a warning about this to the SNAPSHOT docs:

https://ci.apache.org/projects/syncope/reference-guide.html#configuration-parameters

Hope this clarifies.
Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
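The two points made in this thread (a single 401 for every failure cause so that the endpoint cannot be used to enumerate accounts, and suspended users being rejected before the authentication.statuses list is consulted) are modelled below in a small Python example added by the editor. It is not Syncope's code and does not reproduce AuthDataAccessor; the user store, the password hashing, the Response type and the default set of allowed statuses are all assumptions made for this illustration. The example goes one step beyond the thread by also equalising the work done on the unknown-user path, so that neither the HTTP status nor the response time distinguishes an unknown account from a known one with a wrong password.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed default for the allowed-statuses list; check the
# authentication.statuses parameter in your own deployment.
DEFAULT_AUTH_STATUSES = frozenset({"created", "active"})

# One fixed salt keeps the example short; real stores use a per-user salt.
_SALT = b"constructed-fixed-salt"


def hash_password(password: str) -> bytes:
    """PBKDF2 digest of a password; the same cost for real and dummy records."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed sample user store: username -> (status, password digest)
USERS = {
    "alice": ("active", hash_password("correct-horse")),
    "bob": ("suspended", hash_password("bob-pass")),
    "carol": ("created", hash_password("carol-pass")),
}

# Digest compared against when the username is unknown, so the unknown-user
# path performs the same hashing work as the wrong-password path.
_DUMMY_DIGEST = hash_password("dummy-password-never-accepted")


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# One response object for every failure cause: unknown user, wrong password,
# suspended user, status not allowed. Nothing in it says which one applied.
UNAUTHORIZED = Response(401, "Unauthorized")


def self_authenticate(store: dict, username: str, password: str,
                      allowed_statuses: frozenset = DEFAULT_AUTH_STATUSES) -> Response:
    """Hypothetical self-authentication endpoint with enumeration-safe failures."""
    record = store.get(username)
    status, digest = record if record is not None else (None, _DUMMY_DIGEST)

    # Constant-time comparison, always executed (also for unknown users).
    password_ok = hmac.compare_digest(hash_password(password), digest)

    # Suspended users are refused before the allowed-statuses list is consulted,
    # so adding 'suspended' to allowed_statuses does not let them in.
    status_ok = (status is not None
                 and status != "suspended"
                 and status in allowed_statuses)

    if not (password_ok and status_ok):
        return UNAUTHORIZED
    return Response(200, f"self:{username}")


if __name__ == "__main__":
    # The first two calls return the very same object, which is the property
    # the thread explains: nothing in the reply tells the two cases apart.
    print(self_authenticate(USERS, "nobody", "anything"))
    print(self_authenticate(USERS, "alice", "wrong-password"))
    print(self_authenticate(USERS, "alice", "correct-horse"))
    print(self_authenticate(USERS, "bob", "bob-pass",
                            allowed_statuses=frozenset({"active", "suspended"})))
```

The `allowed_statuses` parameter plays the role of authentication.statuses: removing "created" from it turns carol's correct login into the same 401, while adding "suspended" changes nothing for bob because the suspended check runs first.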