I suspect there's a potential gap in the TASVS-NETWORK-2 section (Licensing & Authentication Servers). While the standard covers many aspects of client authentication to servers, there's no explicit requirement for verifying server authenticity to prevent server spoofing and man-in-the-middle attacks.
I recently found an issue with a thick client that I did a security test on. This client uses LDAP for authentication and therefore sends LDAP requests to the server. Since no verification is done on the server, I was able to spoof it using a fake LDAP server that I generated using a Docker container.
Security Implications
Without proper server authentication verification:
- Clients may connect to malicious servers posing as legitimate authentication endpoints
- Man-in-the-middle attacks may be possible even with TLS encryption in place (TASVS-NETWORK-1.2)
- Attackers could steal credentials, hijack sessions, or inject malicious responses
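As an added illustration (not code from this issue or from TASVS), the client-side check the missing requirement would call for, using only Python's standard library: an LDAPS TLS context that authenticates the directory server, the unverified pattern that makes the spoofing described above possible, and an audit that flags the gap. The `ca_file` parameter, port constant and connection helper are assumptions for the example.

```python
import socket
import ssl

LDAPS_PORT = 636  # assumed default LDAPS port for the example


def hardened_ldaps_context(ca_file=None):
    """TLS context that authenticates the LDAP server before any bind is sent.

    ca_file (assumption, not from the issue) is a PEM bundle holding the CA
    that issued the directory server's certificate; None uses the OS store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # refuse servers with an unverifiable cert
    ctx.check_hostname = True            # cert must match the configured LDAP host
    return ctx


def unverified_ldaps_context():
    """The weak pattern behind the finding: any server presenting any cert is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the server-authentication gaps in a client TLS context (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate not matched to hostname (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


def open_ldaps(host, ctx, port=LDAPS_PORT, timeout=5.0):
    """Connect to the directory server; a spoofed server fails the handshake with
    ssl.SSLCertVerificationError when ctx comes from hardened_ldaps_context()."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_ldaps_context()))
    print("unverified:", audit_context(unverified_ldaps_context()))
```

Running the audit against a client's real context during a test is a quick way to show whether the gap described here exists before standing up any fake server.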