QA Fest 2019. Diana Pinchuk. Testing authentication and authorization (AuthN & AuthZ): it's not only about the login form
At interviews, candidates are often asked how to test a login form, and for most testers that is where their acquaintance with authentication testing ends.
We will talk about authorization and authentication (AuthN & AuthZ): how they differ and how to stop confusing them; which kinds of AuthN & AuthZ exist on the market; what is specific about how the OAuth 2.0 and OpenID protocols work; what the best practices for AuthN & AuthZ security testing are; and where to practise testing that very login form.
The talk will be useful to functional testers and to anyone interested in the technological aspects of AuthN & AuthZ.

Published in: Education
1. KYIV 2019. AuthN & AuthZ testing: it’s not only about the login form. QA CONFERENCE #1 IN UKRAINE
2. Agenda
   - What’s the difference
   - Authentication and its spectrum
   - Authorization and OAuth 2.0
   - Identity and Access Management (IAM) and Keycloak
   - Conclusions and trivia quiz
3. About me
   - Work at Very Good Security
   - Organize QA Club Lviv
   - Write on Medium
4. Why do we talk about it?
   - To stop confusing it
   - It’s everywhere... and probably in your product
   - You were asked to test a login form at an interview
5. It’s about security
6. OWASP 2017 TOP 10
   - A2:2017-Broken Authentication (AuthN)
   - A5:2017-Broken Access Control (AuthZ)
7. OWASP API Security TOP 10 (end of 2019)
   - A1: Broken Object Access Level Control (AuthZ)
   - A2: Broken Authentication (AuthN)
   - A5: Missing Function/Resource Level Access Control
8. Even big companies fu*k up: Apple
9. Even big companies fu*k up: Reddit
10. How to distinguish?
11. Authentication (AuthN): Is it really you? Authorization (AuthZ): Who you are and what you can do
12. Boring theory. Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what.
13. Authentication (AuthN)
14. Authentication (AuthN): Is it really you?
15. Boring theory. Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
16. AuthN spectrum
17. AuthN spectrum
   - Passwords
   - Cookies
   - Single Sign-On
   - Restrict Where and When Users Can Log In
   - Two-Factor Authentication
   - Certificate-Based Authentication
   - Network-based security
18. AuthN factors
19. MFA (Multi-factor authentication). Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are).
20. MFA: phone-based methods
   - Push-based
   - QR code based
   - One-time password (OTP): event-based, time-based
   - SMS-based verification => avoid it!
21. MFA: phone-based methods
   - Push-based
   - QR code based
   - One-time password (OTP): event-based, time-based
   - SMS-based verification: Reddit issue
22. Biometric AuthN
23. Single Sign-On (SSO). Log in with a single ID and password to gain access to any of several related systems.
   - reduces password fatigue
   - reduces IT costs
   - less time spent re-entering passwords
   - mitigates risk for access to 3rd-party sites
24. AuthN security
25. OWASP Testing Guide
   1. Credentials Transported over an Encrypted Channel
   2. Default credentials
   3. Weak lock out mechanism
   4. Bypassing Authentication Schema
   5. Vulnerable Remember Password
   6. Browser cache weakness
   7. Weak password policy
   8. Weak security question/answer
   9. Weak password change or reset functionalities
   10. Weaker authentication in alternative channel
26. OWASP Testing Guide
   1. Credentials Transported over an Encrypted Channel
   2. Default credentials: Apple issue
   3. Weak lock out mechanism
   4. Bypassing Authentication Schema
   5. Vulnerable Remember Password
   6. Browser cache weakness
   7. Weak password policy
   8. Weak security question/answer
   9. Weak password change or reset functionalities
   10. Weaker authentication in alternative channel
27. Rainbow tables attack. Huge databases of precomputed hashes.
    User    Password        Password hash (SHA1)
    Alice   password        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    Bob     qjnN@*)!bsk     dd3fb7f5e7e0b00e0794f0c73d5f3ba57197be24
    Carrie  my_p@s$w0rd!    700c311f7fe171eca2d0bc8f1e13bfa288944539
    James   qwerty123       5cec175b165e3d5e62c9e13ce848ef6feac81bff
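The table on the slide works as an attack because an unsalted hash of a given password is the same everywhere, so one precomputed table answers every leak. The following added example (not the speaker's code) reproduces that with a tiny constructed wordlist and the slide's SHA-1 of "password", and then shows the mitigation: a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here), which makes a precomputed table useless and each guess expensive. The wordlist and iteration counts are constructed for the example.

```python
"""Unsalted SHA-1 versus salted PBKDF2 password storage. Added illustration;
not code from the talk. WORDLIST is a constructed stand-in for a real table."""
import hashlib
import hmac
import os

# A constructed four-word "rainbow table": digest -> password. A real one holds
# billions of entries, but the lookup is identical.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}


def sha1_hex(password: str) -> str:
    """The storage scheme from the slide: one unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(digest_hex: str):
    """A leaked unsalted digest is recovered by a single dictionary lookup."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, slow hash. The random salt means two users with the same password
    get different stored values and no table can be computed in advance; the
    iteration count makes every guess cost the attacker real CPU time."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = sha1_hex("password")
    print("unsalted SHA-1:", leaked, "-> cracked:", crack_unsalted(leaked))
    stored = hash_password("password")
    print("salted PBKDF2: ", stored)
    print("cracked:", crack_unsalted(stored), "verify:", verify_password("password", stored))
```

When reviewing a system, the tester's questions follow directly from the code: is there a salt per user, is the function slow and tunable, and is the comparison constant-time. The iteration count is a parameter precisely so it can be raised as hardware gets faster.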
28. Useful links
   - OWASP cheat sheet http://bit.ly/2NuEqEq
   - Have I been pwned https://haveibeenpwned.com/
   - Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
29. Authorization (AuthZ)
30. Authorization (AuthZ): Who you are and what you can do
31. Authorization. Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general and to access control in particular.
32. AuthZ methods
   - Access Control Lists (ACL)
   - Access controls of URLs
   - Secure objects and methods
33. Access control mechanisms
   ● Attribute-based access control (ABAC)
   ● Role-based access control (RBAC)
   ● User-based access control (UBAC)
   ● Context-based access control (CBAC)
   ● Rule-based access control
   ● Time-based access control
   ...and a lot more
34. RBAC
35. OAuth 2.0
36. OAuth 2.0. It’s an authorization delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service.
37. OAuth 2.0 is
   - ...about how to get the token and how to use the token
   - ...replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable
   - ...focused on a small set of problems and solving them well
38. Trust on first use (TOFU) principle
   - Enter credentials and permissions once
   - Assume correct for future requests
   - May expire over time or user logging
   - May apply across apps
39. Different levels of trust
   - Whitelist: internal parties, known business partners, customer organizations, trust frameworks
     ● Centralized protocol
     ● Traditional policy management
   - Graylist: unknown entities, trust on first use
     ● End user decisions
     ● Extensive auditing and logging
     ● Rules on when to move to the white or black lists
   - Blacklist: known bad parties, attack sites
     ● Centralized protocol
     ● Traditional policy management
40. Tokens
   - Access token: indicates the rights that the client has been delegated. Has an option to expire automatically.
   - Refresh token: get a new access token without asking for authorization again.
41. Tokens
   - Bearer token: anyone who carries the token has the right to use it.
42. Scopes. A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user. https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
43. OAuth 2.0 and AuthN. OAuth doesn’t dictate the AuthN technology, and the AuthZ server is free to choose any method. The user authentication passes directly between the user (and their browser) and the AuthZ server; it’s never seen by the client application.
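Slides 36 to 43 describe the pieces of OAuth 2.0 (delegation to a registered client, short-lived bearer access tokens, refresh tokens, scopes) without showing how they fit together. The following added example is not the speaker's code and not a real library: it is a deliberately minimal in-memory authorization server and resource server, enough to show how a token is issued, why a scope a client was never registered for cannot be obtained, how a bearer token is checked at the resource, and how a refresh token gets a fresh access token without the user being asked again. Client names, scope names and lifetimes are constructed; the rotation of refresh tokens on use is a common hardening choice and is labelled as such.

```python
"""Minimal OAuth 2.0-style token issuer and resource-server check.
Added illustration; not the talk's code and not a production library."""
import secrets
import time

ACCESS_TTL = 600            # seconds; access tokens expire automatically (slide 40)
REFRESH_TTL = 30 * 86400    # refresh tokens live longer but are single-use here

# Constructed client registry: the scopes each registered client may ever ask for.
CLIENTS = {
    "photo-printer": {"photos:read"},
    "admin-console": {"photos:read", "photos:write", "account:read"},
}

_access = {}    # access token  -> record
_refresh = {}   # refresh token -> record


def _now(now):
    return int(time.time()) if now is None else now


def issue_tokens(client_id: str, user: str, scopes, now: int = None) -> dict:
    """Authorization server: after the user has authenticated (out of scope here,
    slide 43) and consented, hand the client a bearer access token limited to the
    granted scopes, plus a refresh token."""
    now = _now(now)
    allowed = CLIENTS.get(client_id)
    if allowed is None:
        raise ValueError("unknown client")
    scopes = set(scopes)
    if not scopes <= allowed:  # scope escalation attempt: reject, do not silently trim
        raise ValueError(f"scope not permitted for client: {sorted(scopes - allowed)}")
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    _access[access] = {"client": client_id, "user": user, "scope": scopes, "exp": now + ACCESS_TTL}
    _refresh[refresh] = {"client": client_id, "user": user, "scope": scopes,
                         "exp": now + REFRESH_TTL, "access": access}
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scopes))}


def introspect(access_token: str, now: int = None):
    """Look a bearer token up; unknown, revoked or expired tokens yield None."""
    rec = _access.get(access_token)
    if rec is None or rec["exp"] <= _now(now):
        return None
    return rec


def require_scope(access_token: str, scope: str, now: int = None) -> bool:
    """Resource server check. A bearer token is honoured for whoever presents it
    (slide 41), so expiry, scope and revocation are the only controls here."""
    rec = introspect(access_token, now)
    return rec is not None and scope in rec["scope"]


def refresh_tokens(refresh_token: str, now: int = None):
    """Trade a refresh token for new tokens without re-asking the user (TOFU,
    slide 38). Rotation on use (old refresh token dies, old access token is
    revoked) is a hardening choice assumed by this example, not mandated by OAuth."""
    now = _now(now)
    rec = _refresh.pop(refresh_token, None)
    if rec is None or rec["exp"] <= now:
        return None
    _access.pop(rec["access"], None)
    return issue_tokens(rec["client"], rec["user"], rec["scope"], now)


def scope_escalation_rejected(client_id: str, scopes) -> bool:
    """True if the issuer refuses to grant `scopes` to `client_id`."""
    try:
        issue_tokens(client_id, "alice", scopes, now=0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = issue_tokens("photo-printer", "alice", ["photos:read"])
    print("read allowed:", require_scope(t["access_token"], "photos:read"))
    print("write allowed:", require_scope(t["access_token"], "photos:write"))
```

For a tester the interesting inputs are the ones the slides imply: a token after `expires_in` has passed, a token presented for a scope it was not granted, a client asking for a scope outside its registration, and a refresh token presented twice.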
44. AuthZ security
45. OAuth 2.0 Security. A client needs to manage securing only its own client credentials and the user’s tokens. And the breach of a single client would be bad but limited in its damage to the users of that client.
46. OWASP Testing Guide
   1. Directory traversal/file include
   2. Bypassing Authorization Schema
   3. Privilege escalation
   4. Insecure Direct Object References
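Insecure Direct Object References (item 4 above) and the API Top 10's object-level item from slide 7 are the same defect: the server trusts the object id in the request and never asks whether this user may see that object. The following added example is not the speaker's code; it puts the vulnerable lookup beside a fixed one that combines RBAC (slide 34) with an ownership check, and adds the small audit loop a QA engineer would run to find such leaks: every user against every id, flagging any success the access matrix does not expect. Users, roles and the invoice store are constructed.

```python
"""Object-level authorization: IDOR versus RBAC plus ownership check, with an
audit helper. Added illustration; not code from the talk."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


# Constructed data store: invoice id -> record.
INVOICES = {101: {"owner": "alice", "total": 40}, 102: {"owner": "bob", "total": 75}}

# RBAC: role -> permissions. Customers read their own invoices, support reads any.
ROLE_PERMS = {"customer": {"invoice:read:own"}, "support": {"invoice:read:any"}}


class NotFound(Exception):
    pass


def get_invoice_insecure(user: User, invoice_id: int) -> dict:
    """The IDOR: the caller is authenticated, so the id is trusted. Any logged-in
    user reads any invoice simply by changing the number in the request."""
    return INVOICES[invoice_id]


def permissions(user: User) -> set:
    return set().union(*(ROLE_PERMS.get(r, set()) for r in user.roles))


def get_invoice(user: User, invoice_id: int) -> dict:
    """Fixed: authorization is decided per object. An invoice the user may not
    see is reported exactly like one that does not exist, so the id space cannot
    be enumerated by comparing 403 with 404 responses."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    perms = permissions(user)
    if "invoice:read:any" in perms:
        return inv
    if "invoice:read:own" in perms and inv["owner"] == user.name:
        return inv
    raise NotFound(invoice_id)


def audit_object_access(fetch, users, expected) -> set:
    """Tester's loop: call fetch(user, id) for every pair and return the
    (user, id) pairs that succeeded although `expected` does not allow them."""
    leaks = set()
    for u in users:
        for inv_id in INVOICES:
            try:
                fetch(u, inv_id)
            except (NotFound, KeyError):
                continue
            if (u.name, inv_id) not in expected:
                leaks.add((u.name, inv_id))
    return leaks


ALICE = User("alice", frozenset({"customer"}))
BOB = User("bob", frozenset({"customer"}))
SAM = User("sam", frozenset({"support"}))
# The access matrix the product owner signed off on.
EXPECTED = {("alice", 101), ("bob", 102), ("sam", 101), ("sam", 102)}

if __name__ == "__main__":
    print("insecure leaks:", audit_object_access(get_invoice_insecure, [ALICE, BOB, SAM], EXPECTED))
    print("fixed leaks:   ", audit_object_access(get_invoice, [ALICE, BOB, SAM], EXPECTED))
```

The audit helper is the reusable part: given any endpoint function and the expected access matrix, it turns the OWASP checklist item into a regression test that fails as soon as someone ships a lookup without the per-object check.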
47. Useful links
   - OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV
   - OAuth 2.0 security spec http://bit.ly/2P95zyR
   - IDOR testing http://bit.ly/2P95Bqt
48. AuthZ + AuthN = IAM (Identity and Access Management)
49. Identity and Access Management (IAM): providing the right people with the right access at the right time
   - Access Management
     - Authentication ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication
     - Authorization ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization
   - Identity Management
     - User Management ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service
     - Central User Repository ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory
50. IAM best practices
   - Immutable Private Identifiers / Mutable Public Identifiers
   - Decouple Core Information and PII from Transactional Data
   - Decouple Biometrics from other PII
   - Externalize Access Control Rules
   - Self-Expressive Credentials
   - Privilege Accounts are a Different Species
   https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
51. Practice time!
52. Try on your own: Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
53. Conclusions
54. Authentication (AuthN): Is it really you? Authorization (AuthZ): Who you are and what you can do
55. Conclusions
   - For better understanding dig into the system
   - Use heuristics to remember things
   - Use cheat sheets and don’t trust your memory
   - Update your passwords and turn on MFA today
56. Practice before the next interview
57. Testing challenges http://testingchallenges.thetestingmap.org/index.php
58. Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/
59. Thanks! @diana_pinchuk @pinchuk.diana