Authentication
5 automated security scanners
Single Sign-On Security
Purpose: The Single Sign-On Security Scanner is designed to assess the security of Single Sign-On (SSO) implementations by identifying and analyzing vulnerabilities in SAML, OAuth, and OpenID Connect protocols. This tool aims to detect potential risks such as assertion manipulation, token theft, CSRF attacks, session hijacking, and authentication bypass through misconfigurations.
What It Detects:
- SSO Protocol Detection: The scanner identifies endpoints for SAML (Security Assertion Markup Language) and OAuth/OIDC (OpenID Connect) protocols. It also checks for the presence of enterprise SSO providers and social login integrations.
- SAML Implementation Analysis: Key aspects tested include metadata endpoint discovery, assertion consumer service validation, signature validation, detection of XML signature wrapping risks, and encryption status of assertions.
- OAuth/OIDC Security: The scanner evaluates OAuth authorization endpoints for compliance with security best practices such as state parameter usage, redirect URI validation, and support for Proof Key for Code Exchange (PKCE). It also identifies open redirect vulnerabilities that could lead to token theft.
- Identity Provider Integration: The tool checks the compatibility of the identified SSO implementation with major identity providers like Microsoft, Google, Okta, Auth0, and OneLogin, and verifies how these providers are integrated and how their metadata is handled.
- Session Management: This includes assessing session handling for risks such as session fixation and verifying the effectiveness of logout mechanisms and token revocation policies.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target application under assessment.
Business Impact: SSO implementation vulnerabilities pose significant risks to enterprise security, as they can lead to unauthorized access and data breaches if not properly secured. This scanner helps organizations identify and mitigate these risks before they are exploited by malicious actors.
Risk Levels:
- Critical: The scanner identifies critical issues such as missing state parameters in OAuth flows or misconfigurations that allow direct API access without proper authentication, which can lead to unauthorized data exposure or complete system compromise.
- High: High-risk findings include unvalidated redirects in OAuth implementations and weak token validation mechanisms that could be exploited for session hijacking, compromising user accounts and sensitive information.
- Medium: Medium-risk issues include misconfigured IdP metadata handling and missing PKCE support in OAuth flows, which are exploitable by less sophisticated attackers but still pose significant security threats.
- Low: Low-risk findings indicate that SSO is present without critical vulnerabilities but still calls for continuous monitoring and improvement of authentication practices.
- Info: Informational findings cover configurations or features that are present but do not directly affect security unless combined with other factors; they call for ongoing evaluation as the threat landscape evolves.
Example Findings:
- A detected SAML implementation lacks a metadata endpoint, which is crucial for external identity providers to configure trust relationships securely.
- An OAuth flow does not enforce the use of PKCE, making it susceptible to attacks through phishing or man-in-the-middle techniques that could steal authentication tokens.
Social Login Security
Purpose: The Social Login Security Scanner evaluates social login implementation security by detecting OAuth provider integration, testing redirect URI validation, analyzing token handling, checking for account linking vulnerabilities, and identifying weaknesses in third-party authentication that could enable account takeover or unauthorized access.
What It Detects:
- Identify “Sign in with Google” buttons and other social login providers.
- Test OAuth authorization flow and check redirect URI validation.
- Verify state parameter usage and test nonce implementation.
- Analyze requested OAuth scopes and check for excessive permissions.
- Test access token handling, including token storage security and verification of token expiration.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com).
Business Impact: Social login vulnerabilities create significant authentication bypass risks that can lead to unauthorized access or account takeover. These issues must be addressed to maintain a secure authentication process for users.
Risk Levels:
- Critical: Open redirect in OAuth callback enables token theft, allowing attackers to gain unauthorized access by intercepting tokens.
- High: Missing state parameter allows CSRF attacks, exposing users to potential account takeover scenarios.
- Medium: Weak account linking can be exploited for account takeover if not properly secured.
- Low: Insufficient scope validation may expose user data beyond the minimum required permissions.
- Info: Email verification is a minimal requirement to prevent impersonation during social login.
Example Findings:
- A website allows users to log in with Google without verifying the integrity of the redirect URI, making it susceptible to token theft via open redirects.
- An application does not enforce unique identifiers when linking accounts, which could be exploited by an attacker to merge accounts and gain unauthorized access.
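The OAuth/OIDC conditions listed under Social Login Security and Single Sign-On Security (state parameter, exact redirect URI validation, PKCE, nonce, scope minimisation) can be checked on the relying-party side with a small audit routine. This is an added example, not the scanner's own code; the registered redirect URI, the expected scope set and the sample authorization URL are constructed for illustration.

```python
"""Audit an OAuth 2.0 / OIDC authorization request for the state, PKCE, nonce,
redirect_uri and scope conditions the SSO and social-login scanners report on.
Added example; the registered values and sample URL are constructed."""
from urllib.parse import parse_qs, urlsplit

# Constructed: what the relying party registered with its identity provider.
REGISTERED_REDIRECTS = {"https://app.example.test/oauth/callback"}
# Constructed: the scopes this application actually needs (least privilege).
EXPECTED_SCOPES = {"openid", "email", "profile"}
# Constructed sample request that exhibits several of the findings at once.
SAMPLE_WEAK_URL = ("https://idp.example.test/authorize?client_id=abc&response_type=code"
                   "&redirect_uri=https://app.example.test/oauth/callback/../../open"
                   "&scope=openid%20email%20contacts.readonly")


def audit_authorization_request(url, registered=REGISTERED_REDIRECTS,
                                expected_scopes=EXPECTED_SCOPES):
    """Return (severity, message) findings for one authorization URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    # Critical: without state the callback cannot be tied to the browser session (login CSRF).
    if not q.get("state"):
        findings.append(("critical", "missing state parameter"))
    # High: redirect_uri must equal a registered value exactly; prefix or substring
    # matching is what turns a benign callback into an open redirect.
    redirect = q.get("redirect_uri")
    if redirect is None:
        findings.append(("high", "no redirect_uri supplied"))
    elif redirect not in registered:
        findings.append(("high", f"redirect_uri not registered: {redirect}"))
    # Medium: PKCE with S256 stops an intercepted authorization code from being redeemed.
    if "code_challenge" not in q:
        findings.append(("medium", "PKCE not used (no code_challenge)"))
    elif q.get("code_challenge_method", "plain") != "S256":
        findings.append(("medium", "PKCE method is not S256"))
    # Medium: an OIDC request needs a nonce so the ID token is bound to this request.
    scopes = set(q.get("scope", "").split())
    if "openid" in scopes and not q.get("nonce"):
        findings.append(("medium", "OIDC request without nonce"))
    # Low: scopes beyond what the application needs widen the impact of a leaked token.
    extra = sorted(scopes - expected_scopes)
    if extra:
        findings.append(("low", "excessive scopes: " + ", ".join(extra)))
    # Info: the implicit flow returns tokens in the URL fragment; prefer the code flow.
    if "token" in q.get("response_type", "").split():
        findings.append(("info", "implicit flow (response_type includes token)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_authorization_request(SAMPLE_WEAK_URL):
        print(f"[{severity}] {message}")
```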
Biometric Authentication
Purpose: The Biometric Authentication Scanner is designed to evaluate the effectiveness of biometric authentication implementations by assessing various aspects such as WebAuthn/FIDO2 support, biometric enrollment flows, authentication mechanisms, fallback methods, and client-side implementation. This tool aims to identify potential vulnerabilities that could lead to bypass attacks or credential theft.
What It Detects:
- WebAuthn/FIDO2 Detection: The scanner checks for WebAuthn credential creation endpoints, FIDO2 assertion requests, and verifies support for PublicKeyCredential. It also detects the presence of WebAuthn and FIDO2 implementation on the platform.
- Biometric Enrollment Flow: It identifies biometric registration pages, tests enrollment API endpoints, checks for biometric setup options, and verifies the security measures in place during enrollment.
- Authentication Mechanism Analysis: The scanner evaluates biometric authentication endpoints, detects passkey support, verifies platform authenticator detection, and tests external authenticator support.
- Fallback Authentication Testing: It checks for password fallback methods, tests SMS/email backup codes, verifies recovery mechanisms, and identifies multi-factor fallback options.
- Client-Side Implementation Review: The scanner analyzes JavaScript code to identify WebAuthn calls, checks the usage of credential management APIs, detects biometric API references, and verifies secure storage practices.
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target website for the biometric authentication evaluation.
Business Impact: Biometric authentication vulnerabilities pose significant risks to user accounts, as they can lead to unauthorized access and loss of sensitive information. Weak implementations may lock users out on biometric failure, or expose biometric templates through unencrypted data, enabling spoofing and phishing attacks.
Risk Levels:
- Critical: Applies when the scanner identifies critical issues such as missing fallback methods that lock users out on biometric failure, or a weak WebAuthn implementation that enables phishing attacks.
- High: Applies when unencrypted transmission of biometric data exposes templates, when liveness detection is absent (allowing spoofing attacks), or when poor error handling leaks authentication state.
- Medium: Indicates vulnerabilities where recovery mechanisms are not adequately verified or where platform authenticator detection is compromised.
- Low: Covers low-severity findings such as missing WebAuthn/FIDO2 support or incomplete biometric API references in the client-side implementation.
- Info: Used for findings that do not necessarily impact security but provide insights into the current state of biometric authentication on the target platform.
Example Findings:
- The scanner detects a missing fallback method, which could lead to significant inconvenience and potential account compromise if users are locked out due to biometric failure.
- Weak WebAuthn implementation is identified, allowing for phishing attacks that bypass traditional security measures relying solely on biometrics.
MFA Implementation Security
Purpose: The MFA Implementation Security Scanner is designed to assess the strength of multi-factor authentication (MFA) systems by evaluating various aspects such as availability, enforcement, TOTP support, backup code generation, and potential bypass vulnerabilities. This tool aims to identify weaknesses in MFA implementations that could lead to unauthorized access even when multiple layers of security are supposed to be in place.
What It Detects:
- MFA Availability Detection: The scanner checks for the presence of multi-factor authentication options, identifies support for TOTP (Time-based One-time Password) and authenticator apps, tests for SMS and email-based two-factor authentication, and flags any pages related to MFA enrollment.
- MFA Enforcement Analysis: It evaluates whether MFA is optional or mandatory during the authentication process, verifies its presence on sensitive operations, and examines how well it handles remembered devices and conditional enforcement across different sessions.
- TOTP Implementation Testing: The scanner tests for QR code generation to set up TOTP, checks handling of secret keys used in this method, validates time-based codes against the server’s implementation, and ensures that there is no reuse or predictable patterns in generated codes.
- Backup Code Security: It assesses the complexity requirements for backup codes, confirms their single-use nature, examines how these codes are stored to prevent brute-force attacks, and identifies any weaknesses in the security mechanisms around them.
- MFA Bypass Testing: The scanner explores methods by which MFA can be potentially bypassed after initial login, including session persistence issues and potential vulnerabilities related to cookie manipulation or bypassing specific authentication points like password reset.
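The TOTP and backup-code checks above come down to a few server-side properties: codes derived per RFC 6238, each time step accepted at most once, and backup codes that are high-entropy, stored only as hashes and consumed on first use. The following is an added illustration of those properties, not the scanner's own code; the demo secret is the RFC 6238 test key, and the class and method names are this example's own.

```python
"""Server-side TOTP (RFC 6238) verification that rejects code replay, plus
single-use backup codes stored only as hashes. Added example, not the scanner's
own code; the demo secret is the RFC 6238 test key."""
import base64, hashlib, hmac, secrets, struct, time


class TotpVerifier:
    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest time step already redeemed

    def code_at(self, counter):
        """HOTP value for one counter (HMAC-SHA1, dynamic truncation per RFC 4226)."""
        mac = hmac.new(self.key, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** self.digits).zfill(self.digits)

    def verify(self, code, now=None):
        """Accept a code once, within +/- window steps; a replayed code fails."""
        counter = int((time.time() if now is None else now) // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(
                    self.code_at(c).encode(), str(code).encode()):
                self.last_counter = c  # this step and earlier ones can never be reused
                return True
        return False


class BackupCodeStore:
    """Issues high-entropy backup codes and keeps only their hashes."""

    def __init__(self):
        self._hashes = set()

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def issue(self, count=10, nbytes=5):
        codes = [secrets.token_hex(nbytes) for _ in range(count)]  # 40 bits of entropy each
        self._hashes = {self._digest(c) for c in codes}
        return codes  # shown to the user once; the clear text is not retained

    def redeem(self, code):
        digest = self._digest(code)
        if digest not in self._hashes:
            return False
        self._hashes.discard(digest)  # single use: a redeemed code is gone
        return True


DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"
```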
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target system under assessment. This is essential for making HTTP requests to gather information about MFA setup and configuration on the specified platform.
Business Impact: Failure to enforce robust multi-factor authentication significantly undermines an organization’s security posture by allowing access with only a user’s password. Weaknesses in SMS or email-based two-factor mechanisms can additionally be exploited through attacks such as SIM swapping and brute force against backup codes. These vulnerabilities pose serious risks to the confidentiality, integrity, and availability of sensitive information in systems that MFA is meant to protect.
Risk Levels:
- Critical: Missing enforcement of multi-factor authentication allows access with only a password, which is highly risky if the system handles critical data or operates in environments where compliance with security standards is mandatory.
- High: Vulnerabilities in TOTP implementation (like weak secret handling) and backup code security (such as lack of complexity requirements or improper storage) can be exploited to bypass MFA, posing significant risks for systems that handle sensitive information.
- Medium: Issues such as optional rather than mandatory MFA enforcement, inadequate testing of session persistence, or failure to detect cookie manipulation could lead to reduced security effectiveness but are still considered serious if not addressed promptly.
- Low: Low-severity findings might include the presence of MFA without enforcement on some operations, or minor issues in TOTP configuration that do not significantly affect overall security unless exploited.
Example Findings:
- “MFA available but not enforced: The system detects multi-factor options, but authentication does not require it.”
- “Weak backup code mechanism: Backup codes are offered without strict complexity requirements or storage safeguards against brute-force attacks.”
This scanner is crucial for organizations aiming to enhance the security of their digital assets by ensuring that MFA is effectively implemented and continuously monitored for potential weaknesses.
Passwordless Authentication
Purpose: The Passwordless Authentication Scanner evaluates passwordless authentication implementations to identify vulnerabilities that could enable account takeover or authentication bypass. It focuses on detecting magic link systems, testing email-based authentication, analyzing WebAuthn passwordless flows, validating SMS authentication security, and assessing the overall robustness of these mechanisms.
What It Detects:
- Passwordless Method Detection: Identifies whether a system uses magic links for authentication, detects if it supports login via email or phone with an SMS code, checks for WebAuthn passwordless capabilities, and flags any available passwordless options.
- Magic Link Implementation: Tests the endpoints responsible for generating magic links to ensure they are secure, including checking link expiration mechanisms and enforcing one-time use. It also verifies the randomness of token generation in these links.
- Email Authentication Security: Evaluates the flow used to verify email addresses during login, tests rate limiting on email sends, ensures sender authentication (SPF/DKIM), checks for potential enumeration vulnerabilities, and identifies clickjacking risks.
- SMS Authentication Analysis: Analyzes how SMS codes are delivered, examines code expiration times, verifies their complexity, tests for rate limiting, and assesses the risk of enumeration attacks through these channels.
- Token Security Validation: Investigates patterns used to generate tokens, checks their length and entropy, flags any predictable tokens, ensures secure transmission methods, and evaluates token revocation mechanisms for protection against reuse.
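The token checks above (length and entropy, predictability, embedded structure) can be expressed as an audit over a sample of tokens issued by one magic-link or SMS endpoint. This is an added example, not the scanner's code; all three token sets are constructed, and the entropy figure is an upper bound derived from the observed alphabet and length, not a proof of randomness.

```python
"""Assess a sample of magic-link or SMS tokens for the weaknesses listed above:
low entropy, shared structure, sequential values and embedded timestamps.
Added example; every token below is constructed for illustration."""
import base64, binascii, math, os, re

UNIX_TIME = re.compile(r"(?<!\d)1[5-9]\d{8}(?!\d)")  # 10-digit epoch seconds, 2017-2033


def _decoded(token):
    """base64url-decode a token for inspection; fall back to the raw token."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        return raw.decode("ascii", "ignore")
    except (binascii.Error, ValueError):
        return token


def assess_tokens(tokens, min_bits=128):
    """Return (severity, message) findings for tokens collected from one issuer."""
    findings = []
    shortest = min(len(t) for t in tokens)
    # Upper bound on entropy: the observed alphabet raised to the shortest length.
    bits = shortest * math.log2(len(set("".join(tokens))))
    if bits < min_bits:
        findings.append(("medium", f"at most {bits:.0f} bits of entropy (< {min_bits})"))
    # Random tokens share no structure; a long common prefix means they are built, not drawn.
    prefix = os.path.commonprefix(tokens)
    if len(tokens) > 1 and 2 * len(prefix) > shortest:
        findings.append(("high", f"tokens share a {len(prefix)}-character prefix"))
    # Purely numeric tokens that only ever increase are sequential identifiers.
    if len(tokens) > 1 and all(t.isdigit() for t in tokens):
        nums = [int(t) for t in tokens]
        if all(b > a for a, b in zip(nums, nums[1:])):
            findings.append(("high", "numeric tokens increase monotonically"))
    # A timestamp in the token, plain or base64-encoded, makes it guessable.
    if any(UNIX_TIME.search(t) or UNIX_TIME.search(_decoded(t)) for t in tokens):
        findings.append(("medium", "token embeds a Unix timestamp"))
    if len(set(tokens)) < len(tokens):
        findings.append(("high", "token values repeat"))
    return findings


# Constructed samples standing in for tokens a scanner would collect.
SEQUENTIAL = ["100231", "100232", "100233"]
TIMESTAMPED = [base64.urlsafe_b64encode(f"alice@example.test:{t}".encode()).decode().rstrip("=")
               for t in (1700000000, 1700000030, 1700000060)]
RANDOM_HEX = [  # 256-bit values typed by hand so the example is deterministic
    "3fa85f64a7174562b3fc2c963f66afa6a1b2c3d4e5f60718293a4b5c6d7e8f90",
    "c0ffee1234abcd5678ef90ab12cd34ef56ab78cd90ef12ab34cd56ef78ab90cd",
    "7e1d2c3b4a59687f0e1d2c3b4a59687f0e1d2c3b4a59687f0e1d2c3b4a59687f",
]
```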
Inputs Required:
domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target system to be tested.
Business Impact: Passwordless authentication is a critical component of modern digital security, reducing friction for users while maintaining robust security practices. However, vulnerabilities in this area can lead to significant risks such as unauthorized access and data breaches. This scanner helps organizations identify weaknesses in their passwordless implementation, enabling them to take proactive measures to enhance security posture against potential attacks.
Risk Levels:
- Critical: Unencrypted magic links that enable session hijacking pose a critical risk, allowing attackers to gain unauthorized access without requiring the user’s current password.
- High: Weaknesses in email-based authentication, such as missing sender authentication (SPF/DKIM), can lead to account compromise and pose a high risk if exploited by malicious actors.
- Medium: Weak token generation mechanisms that are predictable or have inadequate entropy levels represent medium risk, potentially allowing attackers to exploit these weaknesses through prediction attacks.
- Low: Less severe issues such as insecure link parameters and clickjacking vulnerabilities on email interfaces still pose a low risk and should be mitigated appropriately.
- Info: Informational findings like rate limiting detection primarily provide context about system performance but do not directly impact security unless abused or misconfigured.
Example Findings:
- A detected magic link endpoint does not enforce expiration, allowing previously used tokens to be reused for authentication.
- The email verification process lacks SPF and DKIM authentication, making it susceptible to sender forgery attacks.