Question
I have always been told that writing your own login method (e.g. validate user given the username and password) is bad practice, and that one should reuse existing libraries for that. I have always believed that, but I am looking for practical threats in such a scenario (C#). The practical case I am looking into is customizing a login method to include the validation of a Captcha. I haven't found any existing library to do that inside the authentication logic.
One of the implications of my custom implementation is that the validation method does not return a bool, but another type. May this pose a danger?
Explanation / Answer
There are a huge number of ways that you could introduce a vulnerability by rolling your own login. A few that come to mind:
User enumeration - I've seen people who give descriptive messages when a login fails ("user does not exist", "user exists, but password was incorrect", etc.) instead of a generic "login failed" message.
Insufficient lockout policy - This would allow a malicious user to brute-force usernames/passwords. This is extra dangerous if you have the user enumeration vulnerability mentioned above.
Not performing login action over HTTPS - Could allow for a man-in-the-middle attack when someone logs in.
As I mentioned, there are a number of other potential vulnerabilities that you should watch out for (SQLi, XSS, the list goes on), but the three above are common ones that I've seen in "roll your own" logins.
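As an added example (not the asker's code and not from any library), here is a C# login method shaped the way the answer recommends: it returns a result type rather than a bool, takes the Captcha outcome as an input, treats an unknown user and a wrong password identically (same hashing work, same result), and applies a per-account lockout. The in-memory store, the threshold of five failures and the 15-minute window are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// The outcome is richer than a bool for logging, but the UI collapses it to one message (see Message).
public enum LoginOutcome { Success, Failed, LockedOut }

public sealed class LoginService
{
    private const int MaxFailures = 5;                                  // assumed lockout policy
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);
    // Constructed in-memory store: username -> (salt, PBKDF2 hash). A real app would use a database.
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new();
    private readonly Dictionary<string, (int Count, DateTime Until)> _failures = new();
    // Dummy record so an unknown username costs the same hashing work as a real one.
    private readonly (byte[] Salt, byte[] Hash) _dummy = MakeRecord("not-a-real-password");

    public void AddUser(string username, string password) => _users[username] = MakeRecord(password);

    private static (byte[] Salt, byte[] Hash) MakeRecord(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return (salt, Derive(password, salt));
    }
    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    // 'captchaPassed' is the result of whatever Captcha check runs first; 'now' is injected for testability.
    public LoginOutcome Validate(string username, string password, bool captchaPassed, DateTime now)
    {
        if (!captchaPassed) return LoginOutcome.Failed;             // no credential check without a Captcha
        if (_failures.TryGetValue(username, out var f) && f.Count >= MaxFailures)
        {
            if (now < f.Until) return LoginOutcome.LockedOut;
            _failures.Remove(username);                             // window elapsed, start counting again
        }
        // Same hashing work and same constant-time comparison whether or not the account exists.
        bool exists = _users.TryGetValue(username, out var rec);
        var stored = exists ? rec : _dummy;
        bool match = CryptographicOperations.FixedTimeEquals(Derive(password, stored.Salt), stored.Hash);
        if (exists && match)
        {
            _failures.Remove(username);
            return LoginOutcome.Success;
        }
        int count = _failures.TryGetValue(username, out var prev) ? prev.Count + 1 : 1;
        _failures[username] = (count, now + LockoutWindow);
        return LoginOutcome.Failed;                                 // identical for unknown user and wrong password
    }

    // The UI maps every non-success outcome to one generic message; the detail stays in server-side logs.
    public static string Message(LoginOutcome o) => o == LoginOutcome.Success ? "Welcome" : "Login failed";
}
```

Requires .NET 6 or later for the static Pbkdf2 and GetBytes helpers. The HTTPS point from the answer is a transport-level control this code cannot provide on its own.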