How to Avert Authentication Bypass Vulnerabilities for Self-hosted Web Infrastructure

strongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

When it comes to self-hosting critical web infrastructure, modern security requires more than simply siloing an appliance to a local network. In this article, we will discuss new methods for authentication bypass vulnerabilities, simplify end-user experiences, and satisfy compliance requirements—without the need for legacy VPN solutions. Here’s how.

Pros and Cons of Self-hosted Web Infrastructure

Two recent CVEs from Atlassian products remind us how important it is to bake security mitigations into our self-hosted tools right from the get-go. These CVEs disclose vulnerabilities that bypass authentication completely, meaning any relevant server on a publicly accessible IP is at risk of compromise until they are patched. 

Certain tools will always assume inherent risk simply due to the nature of their hosted data or operational capacity. These may include engineering code repositories, CI/CD appliances, internal admin consoles, infrastructure monitoring tools, or even data science dashboards that query against production data. Such tools have audiences with varying degrees of technical abilities, and they all require a high level of protection. 

While these tools are often business-critical, they are also highly sensitive when it comes to the granted privilege or confidential company IP involved. Given these considerations, many organizations make the decision to maintain a certain level of direct control and mandate they be self-hosted in their own data center or cloud account. 

Self-hosting does provide more direct control, but it also means more direct responsibility and in most cases more maintenance. Even the most mature vendor software can fall subject to serious vulnerabilities and require swift action to avoid compromise. With hosted software, the vendor must take care of it. When self-hosting, that responsibility lies with the user. 

Anticipate Worst-Case Scenarios

A full auth bypass exploit, like the ones mentioned above, can be a worst-case scenario for many security teams. For those that are self-hosting the application on a publicly accessible IP, this means likely being compromised prior to any public disclosure. For those that implement a few additional protections, this means simply updating some packages on a server in an off-schedule deployment. 

So how do teams anticipate and plan for scenarios when the stakes are so high? After all, the vendor in question may be ubiquitous, may have passed the internal vendor review process with flying colors, and may fit the bill by all other measures.  

One answer is to practice defense in depth and bake in mitigations into that tool’s deployment architecture. CVEs are an unfortunate fact of life even for the largest software teams, and security is a shared responsibility. Luckily, there are many ways to mitigate potential attacks.

Ensure that self-hosting is necessary

Is self-hosting this tool a true business need? Overzealous teams may introduce new attack vectors simply by assuming too much responsibility too quickly. Before you assume the obligation of self-hosting, ensure that it is necessary for the resources in question. 

For example, it may be tough to require the sales team to upload their general reports solely through the AWS CLI directly into S3 without leaking access keys. Google Drive may serve just fine. And Google likely has more engineers dedicated to protecting Google Drive than the startup in question may have on their entire engineering team.

Prevent direct exposure

Ensure that self-hosted tools of this nature are not exposed directly to the public internet. In today’s reality of continuous automated scanners looking for easy exploits, simply not having a publicly accessible IP address can do most of the heavy lifting when reducing the attack surface. 

Eliminate needless friction

Finally, take a look at your added layers of protection. Do they create challenges for employees who require access? Can less-technical teams and remote workers connect to the systems they need to perform their jobs? Legacy solutions such as clunky VPNs and neglected jump-hosts ignore usability for non-technical users and often end up more of a blocker than a solution. 

Enter, the Identity Aware Proxy

An Identity Aware Proxy (IAP) goes beyond simply siloing an appliance to a local network. 

An Identity Aware Proxy simultaneously:

  • Scans for targets by isolating sensitive resources within company networks
  • Eliminates the need for legacy VPN solutions
  • Authenticates users prior to providing network access to sensitive resources
  • Provides audit logging of all user access activity
  • Enables request-based access flows as needed
  • Offers ease of use even for non-engineering applications

strongDM can protect self-hosted web pages and provide ease of access to end users via an IAP. This feature can help you avoid scenarios like the full auth bypass vulnerability described above, allowing organizations to put highly confidential documentation into portals, admin panels, dashboards, and related tooling. 

Implementing this feature of strongDM not only confers all of the benefits of an IAP but also aids in fending off attacks, improves the user experience, and satisfies compliance requirements. 

Want to see it in action? Sign up for a demo today.


About the Author

, Technical Account Manager, has helped enterprise organizations navigate through complex technical deployments, helped startups build their security programs, and developed custom-fit implementation solutions for security operations tooling. He thrives on guiding people and businesses toward secure, resilient infrastructure architecture design. To contact John, visit him on LinkedIn.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Authentication Vulnerabilities
11 Common Authentication Vulnerabilities You Need to Know
In this article, we’ll take a look at what authentication vulnerabilities are, how they emerge, and how these issues can affect your organization. Also, you’ll learn about the most common authentication-based vulnerabilities and their implications. By the end of this article, you’ll know the best practices to prevent these authentication issues and keep sensitive data safe.
What is WebAuthn? Web Authentication Explained | strongDM
What is WebAuthn? Web Authentication Explained
In this article, we will take a deep dive into WebAuthn and some of its associated authentication concepts. We’ll go over the history of WebAuthn and help you better understand the benefits and challenges of using this standard of secure authentication. By the end of this WebAuthn guide, you’ll be able to fully define the concept and grasp how to incorporate it into your organization's security program and web applications.
What is FIDO2? FIDO2 Web Authentication Explained
The Definitive Guide to FIDO2 Web Authentication
In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You’ll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. By the end of this article, you’ll have a clear understanding of how FIDO2 works, what problems it solves, whether you need FIDO2 certification, and what that certification entails.
Passwordless Authentication: Everything You Need to Know | strongDM
Passwordless Authentication: Everything You Need to Know
In this article, we dive into passwordless authentication and some of the implications of using this verification method. You’ll learn about examples of passwordless authentication solutions, whether they're secure, and how it's different from multi-factor authentication (MFA). After reading this article, you’ll have a full understanding on how passwordless authentication works and how it can address today’s cybersecurity and access management challenges.
How to Set Up SSH Passwordless Login
How to Set Up SSH Passwordless Login (Step-by-Step Tutorial)
This tutorial will walk you step by step through how to manually set up SSH passwordless login to a Linux server. These commands should work on the majority of Linux distributions, and instructions are included for modern client machines of the macOS, Windows, and Linux varieties.