Broken Authentication in Cockroachdb
How Broken Authentication Manifests in Cockroachdb
Broken Authentication in Cockroachdb environments typically occurs when applications fail to properly validate user credentials or session tokens before granting database access. This manifests in several critical ways:
- Hardcoded credentials in application code that connect to Cockroachdb without proper authentication checks
- Missing or weak session validation allowing unauthorized users to access authenticated endpoints
- Improper role-based access control where database permissions don't align with application-level authentication
- Token reuse vulnerabilities where session tokens aren't properly invalidated after logout or password changes
A common Cockroachdb-specific scenario involves applications using the root user with broad privileges for application connections. Consider this vulnerable pattern:
// VULNERABLE: Using root user with no authentication
conn, err := crdb.Connect(ctx, "postgresql://root@cockroachdb:26257/defaultdb?sslmode=disable")
if err != nil {
log.Fatal(err)
}
This approach bypasses Cockroachdb's authentication entirely by disabling SSL and using the default root user. Attackers who discover this connection string can connect directly to your database without any credentials.
Another manifestation involves improper handling of Cockroachdb's built-in authentication mechanisms. Applications might:
// VULNERABLE: Hardcoded credentials in connection string
connStr := "postgresql://app_user:password123@cockroachdb:26257/defaultdb?sslmode=require"
conn, err := crdb.Connect(ctx, connStr)
This pattern exposes credentials in source code, configuration files, or environment variables that could be leaked through version control, error logs, or memory dumps.
Session fixation attacks are particularly dangerous in Cockroachdb environments where applications maintain long-lived connections. If an attacker can predict or steal a connection token, they gain persistent access to the database:
// VULNERABLE: No session invalidation on privilege changes
func UpdatePassword(w http.ResponseWriter, r *http.Request) {
// Password updated but existing sessions remain valid
UpdateUserPassword(r.FormValue("username"), r.FormValue("new_password"))
w.Write([]byte("Password updated"))
}
The above code changes a user's password but doesn't invalidate existing database sessions, allowing attackers with stolen credentials to maintain access indefinitely.
Cockroachdb-Specific Detection
Detecting Broken Authentication in Cockroachdb requires examining both application code and database configuration. Here are Cockroachdb-specific detection methods:
Connection String Analysis
Scan your application for connection strings that bypass authentication:
# Check for disabled SSL mode
grep -r "sslmode=disable" .
# Check for root user usage
grep -r "root@" .
# Check for hardcoded credentials
grep -r "postgresql://.*:.*@" --exclude-dir=node_modules .
middleBrick's black-box scanning approach tests the unauthenticated attack surface by attempting connections with common default credentials and analyzing authentication mechanisms without requiring access to source code.
Database Role Analysis
Examine Cockroachdb roles for excessive privileges:
-- Check for overly permissive roles
SELECT
rolname,
rolcreatedb,
rolcanlogin,
rolconnlimit,
rolpassword
FROM pg_catalog.pg_roles
WHERE rolname != 'root' AND rolcreatedb = true;
-- Check for users with root-equivalent access
SHOW USERS;
Applications should use least-privilege database users rather than the root user. middleBrick's scanning identifies when applications connect with overly permissive database roles.
Authentication Bypass Testing
middleBrick actively tests for authentication bypass by:
- Attempting connections with common default credentials
- Testing for session fixation vulnerabilities
- Checking for missing authentication on sensitive endpoints
- Verifying proper session invalidation after credential changes
The scanner produces findings that map directly to OWASP API Top 10's "Broken Authentication" category, helping teams understand their risk exposure.
Cockroachdb-Specific Remediation
Fixing Broken Authentication in Cockroachdb environments requires both application-level and database-level changes. Here are Cockroachdb-specific remediation strategies:
Implement Proper Database Authentication
Always use SSL/TLS and strong authentication:
// SECURE: Using SSL with certificate authentication
conn, err := crdb.Connect(ctx, "postgresql://app_user@cockroachdb:26257/defaultdb?sslmode=require")
if err != nil {
log.Fatal(err)
}
// Or using certificate-based authentication
conn, err := crdb.Connect(ctx, "postgresql://app_user@cockroachdb:26257/defaultdb?sslmode=verify-full")
Store credentials securely using environment variables or secret management systems:
// SECURE: Using environment variables
connStr := fmt.Sprintf("postgresql://%s:%s@cockroachdb:26257/defaultdb?sslmode=require",
os.Getenv("DB_USER"),
os.Getenv("DB_PASSWORD"))
conn, err := crdb.Connect(ctx, connStr)
Apply Principle of Least Privilege
Create database users with minimal required permissions:
-- Create application-specific user with limited privileges
CREATE USER app_user WITH PASSWORD 'StrongPass!23';
-- Grant only necessary permissions
GRANT CONNECT ON DATABASE defaultdb TO app_user;
GRANT USAGE ON SCHEMA public TO app_user;
-- Grant table-specific permissions
GRANT SELECT, INSERT, UPDATE, DELETE ON table_name TO app_user;
-- Revoke unnecessary privileges
REVOKE CREATE ON SCHEMA public FROM app_user;
REVOKE ALL ON DATABASE defaultdb FROM app_user;
Implement Session Management
Properly manage database sessions in your application:
// SECURE: Session invalidation on credential changes
func UpdatePassword(w http.ResponseWriter, r *http.Request) {
username := r.FormValue("username")
newPassword := r.FormValue("new_password")
// Update password
UpdateUserPassword(username, newPassword)
// Invalidate existing sessions (application-specific)
InvalidateUserSessions(username)
// Notify Cockroachdb to invalidate cached credentials
conn.Exec("SELECT crdb_internal.invalidate_session_cache()")
w.Write([]byte("Password updated and sessions invalidated"))
}
Monitor and Audit Authentication
Enable Cockroachdb's audit logging for authentication events:
-- Enable audit logging for authentication
ALTER SYSTEM SET audit.log = 'ALL';
-- Create specific audit log for authentication events
CREATE TABLE auth_audit (
timestamp TIMESTAMP,
user TEXT,
action TEXT,
ip_address INET
);
-- Log authentication attempts
CREATE OR REPLACE FUNCTION log_auth_attempt()
RETURNS TRIGGER AS $$
BEGIN
INSERT INTO auth_audit (timestamp, user, action, ip_address)
VALUES (NOW(), current_user, TG_OP, inet_client_addr());
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER auth_trigger
AFTER INSERT OR UPDATE OR DELETE ON pg_auth_users
FOR EACH ROW EXECUTE FUNCTION log_auth_attempt();
middleBrick's continuous monitoring (Pro plan) can alert you when authentication patterns change or when new vulnerabilities are detected in your Cockroachdb-connected applications.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |