Website Impersonation Attacks. Who is REALLY Behind That Mask?

More Hacker Hotshots: http://www.concise-courses.com/

In this Hacker Hotshot Hangout, Jason explains:

1. How web applications are one of the most common ways that business-critical data is made available to users, and as a result, they are also one of the most popular targets for security attacks.

2. How authentication weaknesses in web sites can be particularly disastrous, essentially allowing attackers to walk through your virtual front door to steal your critical information.

This session highlights key techniques that are used for attacking web site authentication, and will provide countermeasures to protect against such attacks.

Presentation Transcript

  • Slide 1: Web-based Impersonation Attacks. Who's REALLY Behind that Mask? Jason Mortensen, IT Security Architect, Motorola Mobility LLC
  • © 2013 Jason Mortensen, Attacking Web Authentication. Slide 2: Who's REALLY Behind That Mask?
    - How can you be certain that the people using your web applications are really the legitimate users?
    - It isn't hard to impersonate other users to web applications if authentication or session management isn't implemented correctly.
    - Image sources: Flickr, users Sklathill and chrisjohnbeckett
  • Slide 3: Agenda
    - How web authentication and session management works
    - Attack techniques
      - Attacking authentication
      - Attacking session management
    - Countermeasures
    - Summary
  • Slide 4: How Web Authentication Works
    - HTTP is a "stateless" protocol. The server doesn't remember anything about you after each request.
    - Challenge: How do you track user identity or other details across multiple page requests?
    - Solution: Authenticate users, then use session information (usually cookies) to track unique users.
    - Diagram: (1) Authentication: the user sends a username and password to the web application, which answers "Welcome!" and returns a cookie. (2) Session management: the cookie is used for the rest of the session.
  • Slide 5: Authentication vs. Session Management
    - Authentication: "Prove that you are who you say you are."
    - Session management: keeping track of a user's activity across multiple interactions with a web application.
  • Slide 6: Agenda (repeated)
  • Slide 7: Attack Techniques
    - Authentication: password guessing; attacking password reset; SQL injection authentication bypass; social engineering; keystroke loggers; network sniffing
    - Session management: attacking session tokens; cookie stealing and replay; Cross Site Request Forgery (CSRF); clickjacking; session fixation
  • Slide 8: Attacking Authentication
  • Slide 9: Password Guessing
    - Passwords are the most common way to authenticate to web applications.
    - Weak passwords are a classic way that web applications are compromised.
    - Most popular passwords of 2012 (according to research by SplashData): password, 123456, 12345678, abc123, qwerty, monkey, letmein, dragon, 111111, baseball, iloveyou, trustno1, 1234567, sunshine, master, 123123, welcome, shadow, ashley, football, jesus, michael, ninja, mustang, password1
  • Slide 10: Password Guessing
    - Tools are readily available to automate web password guessing. Examples: Hydra, Brutus, and Webcracker.
    - Word lists are available for foreign languages, terms related to sports, movies, occupations, hobbies, etc.
    - Types of password guessing:
      - Vertical: one username, guessing many passwords
      - Horizontal: one password, guessing with many usernames
      - Diagonal: many usernames, guessing with many passwords
  • Slide 11: Attacking Password Reset
    - Many web sites allow you to reset a password by answering a "secret question".
    - This is essentially a backup password that is usually much weaker than the real password.
    - The answers to secret questions are often easy to guess or determine.
    - Some answers can be found using social media sites such as Facebook.
    - 1 in 80 chance of guessing the answer according to one study (Bonneau, Joseph et al., 2010).
  • Slide 12: Attacking Password Reset (question and range of answers; source: Syngress.com, "Using Secret Questions")
    - What is the name of your favorite pet? The top 20 dog names are Max, Buddy, Molly, Bailey, Maggie, Lucy, Jake, Rocky, Sadie, Lucky, Daisy, Jack, Sam, Shadow, Bear, Buster, Lady, Ginger, Abby, and Toby.
    - What is your mother's maiden name? There are approximately 25,000 common surnames; one in 10 U.S. citizens have the surname Smith, Johnson, Williams, Jones, Brown, Davis, Miller, Wilson, Moore, Taylor, Anderson, Thomas, Jackson, White, Harris, Martin, Thompson, Garcia, Martinez, Robinson, Clark, Rodriguez, Lewis, Lee, Walker, Hall, Allen, or Young.
    - What street did you grow up on? The 15 most common street names are Second/2nd, Third/3rd, First/1st, Fourth/4th, Park, Fifth/5th, Main, Sixth/6th, Oak, Seventh/7th, Pine, Maple, Cedar, Eighth/8th, and Elm.
    - What was the make of your first car? Most cars are built by Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler, Daewoo, Dodge, Ford, GMC, Honda, Hummer, Hyundai, Infiniti, Isuzu, Jaguar, Jeep, Kia, Land Rover, Lexus, Lincoln, Mazda, Mercedes-Benz, Mercury, Mitsubishi, Nissan, Oldsmobile, Plymouth, Pontiac, Porsche, Saab, Saturn, Subaru, Suzuki, Toyota, Volkswagen, or Volvo.
    - What is your favorite color? There are around 100 common colors, even considering colors such as taupe, gainsboro, and fuchsia.
  • Slide 13: Attacking Password Reset
    - George Bronk example
      - Cyberstalking: 46 women across 17 states
      - Used information posted to Facebook to answer password reset questions
      - Broke into email accounts, then searched for nude and semi-nude photos
      - Distributed nude photos to the victim's contact list
  • Slide 14: Attacking Password Reset
    - Sarah Palin 2008 email hack example
      - Personal Yahoo! email account compromised during the 2008 presidential campaign
      - Password reset questions were based on biographical data readily available on the Internet: birthdate, home zip code, where she met her husband (high school)
    - Image source: Flickr user Brett Beanan (bbeanan)
  • Slide 15: SQL Injection Authentication Bypass
    - SQL injection occurs when an attacker passes database instructions in parameters that are used in database queries made by the application.
    - SQL injection can be used to bypass authentication.
    - A popular method for bypassing authentication is to enter the following in a login field: ' or 1=1--
  • Slide 16: SQL Injection Authentication Bypass (diagram: attacker, web application, database)
    - (1) Attacker injects a SQL statement into the login form.
    - (2) Application builds the SQL query with user input: SELECT Count(*) FROM users WHERE username='admin' AND password='' or 1=1--'
    - (3) Database returns "true" since 1=1 is evaluated for the password condition. The attacker is authenticated as admin.
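The slide-16 query beside a parameterised version, as an added Python example (not from the deck). The in-memory `users` table, its single account and the `login_*`/`built_query` function names are constructed for illustration; the clear-text password column mirrors the slide rather than real practice.

```python
import sqlite3

PAYLOAD = "' or 1=1--"   # the login-field input quoted on slide 15


def make_db():
    """In-memory users table with one constructed account (test data, not real credentials).
    Passwords are stored in clear to mirror the slide; a real application stores a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def built_query(username, password):
    """The SQL text the vulnerable login builds by pasting user input into the statement,
    exactly the pattern shown on slide 16."""
    return "SELECT Count(*) FROM users WHERE username='%s' AND password='%s'" % (username, password)


def login_vulnerable(conn, username, password):
    """With PAYLOAD as the password the statement becomes
        ... AND password='' or 1=1--'
    so the WHERE clause is always true and the dangling quote is commented out:
    Count(*) is 1 and the caller is treated as 'admin' without knowing the password."""
    return conn.execute(built_query(username, password)).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text, so PAYLOAD is
    compared literally against the stored password and is never parsed as SQL."""
    sql = "SELECT Count(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0
```

`built_query` exists so the exact statement can be logged or asserted on; in production code only `login_safe` should survive.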
  • Slide 17: Other Authentication Attacks
    - Social engineering: trick people into divulging confidential information.
    - Keystroke loggers: software or hardware that watches everything you type (esp. passwords). Example: a student from Bucks College who changed grades.
    - Network sniffing: eavesdrop on network traffic to steal passwords or session cookies.
    - Image sources: celalteber, stock.xchng; Flickr user Lars P.
  • Slide 18: Attacking Session Management
  • Slide 19: Attacking Session Tokens
    - After a user authenticates, session tokens identify the user in subsequent page requests.
    - Session information is stored in cookies, URLs, or in hidden HTML form elements.
    - Usually a random identifier, but some web sites store other details about the user.
    - Examples:
      - Cookie: Set-Cookie: userid=20459; path=/; Expires=Sun, 08-Feb-2015 01:54:39 GMT
      - URL: http://www.example.com/en/mk?sessid=83958147
      - Hidden field: <input type="hidden" name="username" value="jrholland">
  • Slide 20: Attacking Session Tokens
    - Attackers can modify session tokens in cookies, URLs, and hidden fields.
    - Session IDs may be predictable or guessable.
    - Session IDs that aren't predictable may still be guessed by brute force, guessing the entire key space.
    - Account lockout mechanisms are not triggered by brute force guessing of session IDs.
    - The end result is always the same: impersonate the legitimate user and hijack their session.
  • Slide 21: Attacking Session Tokens
    - Example: you log into an application several times and are assigned the following session IDs:
      - Set-Cookie: unique_id=296410995833; expires=Tuesday, 13-Aug-2013 09:50:35 GMT; path=/portal
      - Set-Cookie: unique_id=296410995886; expires=Tuesday, 13-Aug-2013 09:50:54 GMT; path=/portal
      - Set-Cookie: unique_id=296410995919; expires=Tuesday, 13-Aug-2013 09:51:41 GMT; path=/portal
      - Set-Cookie: unique_id=296410995944; expires=Tuesday, 13-Aug-2013 09:53:13 GMT; path=/portal
      - Set-Cookie: unique_id=296410995971; expires=Tuesday, 13-Aug-2013 09:54:01 GMT; path=/portal
      - Set-Cookie: unique_id=296410996023; expires=Tuesday, 13-Aug-2013 09:54:47 GMT; path=/portal
      - Set-Cookie: unique_id=296410996045; expires=Tuesday, 13-Aug-2013 09:55:25 GMT; path=/portal
      - Set-Cookie: unique_id=296410996089; expires=Tuesday, 13-Aug-2013 09:57:25 GMT; path=/portal
      - Set-Cookie: unique_id=296410996113; expires=Tuesday, 13-Aug-2013 09:58:52 GMT; path=/portal
      - Set-Cookie: unique_id=296410996139; expires=Tuesday, 13-Aug-2013 10:01:25 GMT; path=/portal
      - Set-Cookie: unique_id=296410996196; expires=Tuesday, 13-Aug-2013 10:02:43 GMT; path=/portal
    - See the incrementing session ID values? Not difficult to guess other valid session IDs.
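An added Python example (not from the deck) that parses the eleven Set-Cookie headers above, measures how the IDs relate to one another, and shows the replacement slide 30 calls for: CSPRNG-generated IDs delivered in a Secure, HttpOnly cookie with a 30-minute lifetime. The `looks_predictable` heuristic, its gap threshold and the function names are assumptions of this example.

```python
import secrets
from statistics import mean

# The eleven Set-Cookie headers shown on slide 21, in the order they were issued.
OBSERVED_SET_COOKIE = [
    "unique_id=296410995833; expires=Tuesday, 13-Aug-2013 09:50:35 GMT; path=/portal",
    "unique_id=296410995886; expires=Tuesday, 13-Aug-2013 09:50:54 GMT; path=/portal",
    "unique_id=296410995919; expires=Tuesday, 13-Aug-2013 09:51:41 GMT; path=/portal",
    "unique_id=296410995944; expires=Tuesday, 13-Aug-2013 09:53:13 GMT; path=/portal",
    "unique_id=296410995971; expires=Tuesday, 13-Aug-2013 09:54:01 GMT; path=/portal",
    "unique_id=296410996023; expires=Tuesday, 13-Aug-2013 09:54:47 GMT; path=/portal",
    "unique_id=296410996045; expires=Tuesday, 13-Aug-2013 09:55:25 GMT; path=/portal",
    "unique_id=296410996089; expires=Tuesday, 13-Aug-2013 09:57:25 GMT; path=/portal",
    "unique_id=296410996113; expires=Tuesday, 13-Aug-2013 09:58:52 GMT; path=/portal",
    "unique_id=296410996139; expires=Tuesday, 13-Aug-2013 10:01:25 GMT; path=/portal",
    "unique_id=296410996196; expires=Tuesday, 13-Aug-2013 10:02:43 GMT; path=/portal",
]

def cookie_value(set_cookie_header, name):
    """Value of cookie `name` from a Set-Cookie header (the first name=value pair)."""
    cookie_name, _, value = set_cookie_header.split(";", 1)[0].partition("=")
    if cookie_name.strip() != name:
        raise ValueError("header does not set %s" % name)
    return value.strip()

def predictability_report(ids):
    """How consecutively issued IDs relate to each other."""
    deltas = [later - earlier for earlier, later in zip(ids, ids[1:])]
    return {
        "monotonic": all(d > 0 for d in deltas),  # every ID larger than the previous one
        "max_gap": max(deltas),                    # widest distance between neighbours
        "mean_gap": mean(deltas),
        "span": ids[-1] - ids[0],                  # range that covers every ID issued so far
    }

def looks_predictable(ids, max_gap=1000):
    """Heuristic (an assumption of this example): IDs that only ever increase, in small
    steps, behave like a counter and must not be used as session identifiers."""
    report = predictability_report(ids)
    return report["monotonic"] and report["max_gap"] <= max_gap

def strong_ids(n=11):
    """The same number of 40-bit IDs (roughly the size of the observed ones) from the OS CSPRNG."""
    return [secrets.randbits(40) for _ in range(n)]

def new_session_id():
    """Production-grade replacement: 32 random bytes (256 bits), URL-safe encoded."""
    return secrets.token_urlsafe(32)

def session_set_cookie(session_id, max_age_seconds=30 * 60):
    """Set-Cookie header following slide 30: Secure, HttpOnly and a 30-minute lifetime."""
    return "unique_id=%s; Max-Age=%d; Path=/portal; Secure; HttpOnly" % (session_id, max_age_seconds)
```

For the observed IDs the report shows a strictly increasing sequence with a widest gap of 57 over a span of 363, while `strong_ids()` is neither monotonic nor close-packed.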
  • Slide 22: Attacking Session Tokens
    - Example: a payroll system that allows employees to view their own pay information
      - After logging in, the system stored the employee's ID number in a cookie.
      - Simply change the ID number to view another user's payroll information.
      - The cookie also included an "admin=N" flag. Oops!
    - Information exposed: full name, Social Security Number, home address, salary, bonus payouts, bank account information, number of tax exemptions
  • Slide 23: Cookie Stealing and Replay
    - Cookies can be stolen in several ways, including cross site scripting, network sniffing, or harvesting from other web sites (on a shared domain or corporate network).
    - Once stolen, the attacker replays the cookie to impersonate the legitimate user.
    - Encrypted cookies don't stop an attack... the attacker just needs to replay the "blob".
  • Slide 24: Cookie Stealing and Replay (diagram: victim, attacker, XSS-vulnerable site)
    - Steal cookie: the attacker sends the victim a URL with a malicious script embedded. The victim clicks the URL and the malicious script runs in the victim's browser. The script tells the victim's browser to quietly send the attacker a copy of the cookie.
    - Replay cookie: the attacker replays the victim's cookie to the XSS-vulnerable site ("Welcome!") and is able to impersonate the victim.
  • Slide 25: Cross Site Request Forgery (CSRF)
    - A vulnerability that forces victims to execute unwanted actions on a web application.
    - Leverages the victim's authentication to perform actions.
    - The browser takes the action "in the background", usually without the user's knowledge that an attack occurred.
    - The target of the attack is other users, not the vulnerable web application itself.
  • Slide 26: Cross Site Request Forgery: Examples
    - Samy, the MySpace worm (CSRF + XSS)
      - Posted JavaScript code in a MySpace profile; executed each time someone viewed the profile
      - Code designed to add Samy as a friend, then replicate the JavaScript
      - Over 1 million "friends" within 24 hours
    - Corporate document sharing web site (CSRF + XSS)
      - Submit JavaScript in the description field when uploading a document
      - Victim's browser instructed to grant permissions to the attacker
      - Attack ran silently in the background with no user interaction
  • Slide 27: Other Session Related Attacks
    - Clickjacking: uses transparent web page layers to trick the victim into clicking a button or link on another page.
    - Session fixation: allows the attacker to set a session ID that is then used by the victim. Diagram: the attacker determines that example.com is vulnerable and sends the victim a link containing a fixed session ID (http://example.com/?SID=23456). The victim clicks the link, then logs in as normal; the app uses the fixed session ID. The attacker can then use the fixed session ID (http://example.com/?SID=23456) to impersonate the victim ("Welcome!").
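The session fixation defence, as an added Python example (not from the deck): a minimal server-side store that ignores session IDs it never issued and rotates the ID on login, replayed against the fixed `SID=23456` from the diagram. The `SessionStore` class, its method names and `fixation_scenario` are constructed for illustration; password checking is assumed to have happened before `login` is called.

```python
import secrets


class SessionStore:
    """Server-side session table. IDs are only ever minted here, from the OS CSPRNG, and are
    meant to travel in a Secure/HttpOnly cookie, never in a URL query string."""

    def __init__(self):
        self._sessions = {}                  # session id -> {"user": username or None}

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)      # 256 bits of randomness, URL-safe encoded
        self._sessions[sid] = {"user": user}
        return sid

    def resolve(self, presented_sid):
        """Accept only IDs this server issued. A value planted by a link, such as
        SID=23456, is unknown here, so the visitor gets a fresh anonymous session."""
        if presented_sid in self._sessions:
            return presented_sid
        return self._issue()

    def login(self, presented_sid, user):
        """After the credentials have been verified, retire the pre-login ID and mint a new
        one, so an ID anyone could have known before login never names the logged-in user."""
        self._sessions.pop(presented_sid, None)
        return self._issue(user)

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def fixation_scenario():
    """Replay the slide-27 flow against this store and report what the planted ID yields."""
    store = SessionStore()
    fixed_sid = "23456"                                  # value from the attacker's link
    victim_sid = store.resolve(fixed_sid)                # not server-issued: replaced
    victim_sid = store.login(victim_sid, "victim")       # rotated again at login
    return {
        "fixed_sid_user": store.user_for(fixed_sid),     # None: the planted ID is worthless
        "victim_logged_in": store.user_for(victim_sid) == "victim",
        "victim_sid_is_fixed": victim_sid == fixed_sid,
    }
```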
  • Slide 28: Agenda (repeated)
  • Slide 29: Countermeasures
  • Slide 30: Key Countermeasures
    - Use stronger-than-password authentication. Examples include digital certificates, one time password systems, or using text messaging to send the user a one time login code.
    - Implement strong session management practices:
      - Session IDs must be unique and non-predictable.
      - Use short session timeouts; 30 minutes or less is standard.
      - Implement a logout function that cancels the session.
      - Configure cookies to use the Secure and HttpOnly flags.
    - Implement secure programming practices:
      - Validate all input for type, length, and acceptable values, and encode all output.
      - Use stored procedures instead of building SQL strings in code.
      - Implement secure password reset functions.
      - Use the OWASP Developer Guide from owasp.org.
  • Slide 31: Other Countermeasures
    - Take action after a series of failed login attempts:
      - Lock accounts after X failed attempts, or
      - Slow down login attempts instead, such as requiring a CAPTCHA for each subsequent password attempt.
    - Use SSL/TLS to encrypt network traffic.
    - Monitor audit logs: look for patterns that indicate repeated password or session ID guessing.
    - Use "framebusting" techniques to prevent clickjacking.
    - Educate users about phishing and social engineering.
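The audit-log monitoring on slide 31, as an added Python example (not from the deck): failed logins are grouped per source address and labelled with the vertical/horizontal/diagonal vocabulary from slide 10, and sources that present many session IDs the server does not recognise are flagged. The log format, field and event names, the threshold, and every address and username are constructed for this example.

```python
from collections import Counter, defaultdict

# Constructed audit-log sample (not from a real system); addresses are from documentation ranges.
SAMPLE_LOG = """\
2013-08-13T09:50:01Z LOGIN_FAIL user=jrholland src=198.51.100.7
2013-08-13T09:50:02Z LOGIN_FAIL user=jrholland src=198.51.100.7
2013-08-13T09:50:03Z LOGIN_FAIL user=jrholland src=198.51.100.7
2013-08-13T09:50:04Z LOGIN_FAIL user=jrholland src=198.51.100.7
2013-08-13T09:51:00Z LOGIN_FAIL user=alice src=203.0.113.9
2013-08-13T09:51:01Z LOGIN_FAIL user=bob src=203.0.113.9
2013-08-13T09:51:02Z LOGIN_FAIL user=carol src=203.0.113.9
2013-08-13T09:51:03Z LOGIN_FAIL user=dave src=203.0.113.9
2013-08-13T09:52:00Z LOGIN_FAIL user=frank src=192.0.2.44
2013-08-13T09:52:09Z LOGIN_FAIL user=frank src=192.0.2.44
2013-08-13T09:53:00Z SESSION_INVALID sid=296410995900 src=198.51.100.7
2013-08-13T09:53:01Z SESSION_INVALID sid=296410995901 src=198.51.100.7
2013-08-13T09:53:02Z SESSION_INVALID sid=296410995902 src=198.51.100.7
2013-08-13T09:53:03Z SESSION_INVALID sid=296410995903 src=198.51.100.7
"""

def events(log_text):
    """Yield (event_name, fields) per record; fields is the dict of key=value pairs."""
    for line in filter(None, log_text.splitlines()):
        ts, event, *pairs = line.split()
        yield event, dict(p.split("=", 1) for p in pairs)

def login_failures_by_source(log_text):
    """source address -> Counter of failed logins per username"""
    table = defaultdict(Counter)
    for event, f in events(log_text):
        if event == "LOGIN_FAIL":
            table[f["src"]][f["user"]] += 1
    return table

def classify(per_user, threshold=4):
    """Label one source's failures in the slide-10 vocabulary, or None when below threshold.
    The log never holds the tried password, so 'horizontal' is inferred (an assumption of
    this example) from every username having been tried exactly once."""
    if sum(per_user.values()) < threshold:
        return None                    # a couple of typos, not a campaign
    if len(per_user) == 1:
        return "vertical"              # one username, many passwords
    if max(per_user.values()) == 1:
        return "horizontal"            # one password against many usernames
    return "diagonal"                  # many usernames, many passwords

def password_guessing_alerts(log_text, threshold=4):
    return {src: label for src, per_user in login_failures_by_source(log_text).items()
            if (label := classify(per_user, threshold)) is not None}

def session_guessing_alerts(log_text, threshold=4):
    """Sources that presented `threshold` or more session IDs the server did not recognise."""
    hits = Counter(f["src"] for event, f in events(log_text) if event == "SESSION_INVALID")
    return {src for src, n in hits.items() if n >= threshold}
```

Note that the session-guessing alert is the only signal that catches the slide-20 case: no account is involved, so account lockout never fires and the audit log is what remains.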
  • Slide 32: Countermeasure Warnings
    - Stronger-than-password authentication: doesn't address session management attacks, and can lead to a false sense of security.
    - Strong session management: use built-in session management mechanisms, as custom session management routines can be difficult to implement securely.
    - Secure programming practices: security needs to be built into all phases of the software development lifecycle.
    - Take action after X failed logins: attackers can create a denial of service by intentionally causing user accounts to become locked.
    - SSL/TLS network encryption: encrypt the entire session to protect authentication (password) AND session tokens (cookies).
    - Monitor audit logs: review audit logs regularly in order to be familiar with normal usage patterns.
    - Framebusting techniques: not all framebusting techniques are reliable; see https://www.owasp.org/index.php/Clickjacking for recommendations.
    - Educate users: users will often be the weakest link in any security program.
  • Slide 33: Countermeasures Summary (matrix of countermeasures against threats; only the row and column labels and the number of marks per row survive the transcript)
    - Threats, authentication: password guessing; attacking password reset; SQL injection auth bypass; social engineering; keystroke loggers; network sniffing
    - Threats, session management: attacking session tokens; cookie stealing and replay; Cross Site Request Forgery; clickjacking; session fixation
    - Countermeasures: stronger-than-password authentication (5 marks); strong session management (2); secure programming practices (5); take action after X failed logins (1); SSL/TLS network encryption (1); monitor audit logs (3); framebusting techniques (1); educate users (1)
  • Slide 34: Agenda (repeated)
  • Slide 35: Summary
    - There are numerous ways to attack web authentication and session management, but there are also ways to mitigate the threat.
    - ALWAYS design security into the application from the very beginning!
  • Slide 36: Questions?