Broken Authentication & Authorization
Disclaimer: All the views/data presented are my own and do not reflect the opinion of my current/past employers.
Who am I?
Sarwar Jahan M.
AppSec Engineer at
• Secure Code Review|Web and Mobile App Security|Threat Modelling
• Synack & Bugcrowd leaderboard: Top 10 researchers (2016)
• Spoken at: n|uCon ’17, HackCon #13
sarwarjahanm@outlook.com
+91 77 9597 8228 https://in.linkedin.com/in/sarwarjahanm
@sarwarjahanm
Agenda
• Authentication?
• Authorization?
• Case Studies
– Authentication Bypass
• Case Studies
– Broken Authorization and Privilege Escalation
• Remediation
• Q/A
Authentication
Authorization
Case Studies
Authentication Bypass
Case 1: Misuse of Auth-token
Login Scenario:
• Valid credentials => Login status=Success & Auth-token returned in the response
• Wrong credentials => Login status=Failed & blank Auth-token returned
Attack Scenario:
• Attacker (a registered user) submits his own valid credentials.
• Intercepts the first login response, copies the Auth-token & drops the response.
• Sends a login request with the target's UserID + a wrong password.
• In the response, sets Login status=Success & adds his own Auth-token value.
RESULT: Attacker gets access to the victim’s account!
Case 2 – Cookie manipulation
Login Scenario: User-ID in session cookie
• Successful login => App sets a session cookie containing the user-ID (numeric value)
Attack Scenario:
• Attacker (a registered user) logs in to the application.
• Using any cookie editor, replaces the user-ID value in the cookie with that of a victim & refreshes the page.
RESULT: Attacker gets access to the victim’s account!
Case 3 - Session Invalidation
Login Scenario:
• Multiple concurrent logins allowed & sessions not expired after a password reset (>3 months).
Attack Scenario:
• Suppose a user identifies that the account is compromised & changes the password.
• The attacker’s session still remains active and there was no way to invalidate it.
RESULT: Once compromised, the attacker gets lifetime access to the victim’s account.
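Cases 1 to 3 share the fix the remediation slides ask for: bind the auth-token to the user on the server, never read a user-ID or login status from anything the client sends, and end other sessions on a password change. Added Python example, not code from the talk; the user records, tokens and in-memory stores are constructed stand-ins, and passwords are kept in plaintext only to keep the example short.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the app's database (example data,
# not from the talk). Passwords are plaintext only to keep the example short;
# a real system stores a slow password hash.
USERS = {
    "alice": {"user_id": 1001, "password": "correct horse"},
    "bob":   {"user_id": 1002, "password": "battery staple"},
}
SESSIONS = {}   # auth-token -> {"user_id": int, "created": float}


def login(username, password):
    """Return (login_status, auth_token). The token is random and is bound to
    the user on the server, so the token-to-user mapping is never in the
    client's hands (Case 1)."""
    user = USERS.get(username)
    # constant-time compare; the same failure path for unknown user and bad password
    if user is None or not hmac.compare_digest(user["password"], password):
        return "Failed", ""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user["user_id"], "created": time.time()}
    return "Success", token


def current_user(cookies):
    """Resolve the acting user from the auth-token alone. A 'user_id' or
    'login_status' field in the cookie or request is ignored (Cases 1 and 2)."""
    session = SESSIONS.get(cookies.get("token", ""))
    return None if session is None else session["user_id"]


def revoke_other_sessions(user_id, keep_token):
    """Drop every session of user_id except keep_token; returns how many were removed."""
    stale = [t for t, s in SESSIONS.items() if s["user_id"] == user_id and t != keep_token]
    for t in stale:
        del SESSIONS[t]
    return len(stale)


def change_password(token, old_password, new_password):
    """Case 3: a password change ends every other session, so an attacker who
    already holds a token loses access the moment the victim resets."""
    user_id = current_user({"token": token})
    if user_id is None:
        return False
    username = next(u for u, rec in USERS.items() if rec["user_id"] == user_id)
    if not hmac.compare_digest(USERS[username]["password"], old_password):
        return False
    USERS[username]["password"] = new_password
    revoke_other_sessions(user_id, keep_token=token)
    return True
```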
Case 4 – Account takeover via Forgot Password functionality
Password Reset Scenario:
• The forgot-password page lets the user select a recovery option (OTP/email).
• The recovery options are partially masked with asterisks (*).
Attack Scenario:
• Attacker provides the victim’s user ID on the forgot-password page.
• Selects any recovery option & using a proxy tool can see and modify the OTP/email option value in the request.
RESULT: Attacker receives the recovery OTP/email and compromises the victim’s account.
Case 5 – Authentication bypass in a Mobile App
Login Scenario:
• On successful login, the user session was stored in the local /AppData/ folder (SQLite db).
Attack Scenario:
• After analysing the SQLite db, it was observed that the stored session is nothing but a triple encoding of the username in the format [{username}].
• Attacker encodes the victim’s username thrice and pushes it into the device’s AppData folder.
• Opens the app on the device.
RESULT: Attacker gets logged in to the victim’s account.
Case 6 – Bypass OTP & Transfer Money from Mobile Wallet
WebService Calls:
• 1st call: UserID+Registered_Mobile_No => OTP sent to the registered mobile number
• 2nd call: Recipient+Amount+OTP => Transfer money
• UserID+wrong_Mobile_No => Proper error message
• Recipient+Amount+wrong_OTP => Transaction unsuccessful with proper error message
Attack Scenario:
• UserID+wrong_Mobile_No containing the symbol ~ => error message reveals Registered_Mobile_No
• Initiate a valid call to generate the OTP (OTP is sent to the victim’s mobile, so the attacker doesn’t have it)
• Recipient+Amount+wrong_OTP containing the symbol ~ => error message reveals the actual OTP
• Recipient+Amount+retrieved OTP => Transaction successful
RESULT: From the step-by-step error messages, the attacker debits money from the victim’s bank account.
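Cases 4 and 6 have one root cause: the server lets the request choose where the OTP goes, or echoes server-side values (registered number, expected OTP) in an error. Added Python example, not from the talk, of a recovery flow that reads the destination from its own account record, returns one fixed error text for every failure, and limits and expires OTP attempts; the account record, the OTP store and the deliver() send hook are assumptions.

```python
import hmac
import secrets
import time

# Constructed account records (example data, not from the talk). Recovery
# destinations live only on the server; the client never supplies them.
ACCOUNTS = {
    "victim": {"sms": "+919999900001", "email": "victim@example.invalid"},
}
PENDING = {}   # user_id -> {"otp": str, "expires": float, "attempts": int}

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5
# One fixed message for every failure, so the response body can never leak the
# registered number, the expected OTP, or whether the user exists (Case 6).
GENERIC_ERROR = "The details provided could not be verified."


def mask(destination):
    """Display form of a recovery destination: only the last 4 characters."""
    return "*" * (len(destination) - 4) + destination[-4:]


def start_recovery(user_id, channel, deliver, now=None):
    """Case 4: 'channel' only selects between the account's OWN options
    ('sms' or 'email'); the destination comes from the server-side record, so
    editing the request cannot redirect the OTP. deliver(destination, otp) is
    an assumed send hook standing in for the SMS/e-mail gateway."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(user_id)
    if account is None or channel not in ("sms", "email"):
        return False, GENERIC_ERROR
    destination = account[channel]
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[user_id] = {"otp": otp, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    deliver(destination, otp)
    return True, f"Code sent to {mask(destination)}"


def verify_otp(user_id, supplied, now=None):
    """Case 6: every failure returns the same text; the expected value is
    compared in constant time and never echoed. Attempts are capped, the code
    expires, and it is single-use."""
    now = time.time() if now is None else now
    pending = PENDING.get(user_id)
    if pending is None or now > pending["expires"]:
        PENDING.pop(user_id, None)
        return False, GENERIC_ERROR
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(user_id, None)      # too many guesses: code is void
        return False, GENERIC_ERROR
    if not hmac.compare_digest(pending["otp"], str(supplied)):
        return False, GENERIC_ERROR
    PENDING.pop(user_id, None)          # single use
    return True, "Verified"
```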
Case Studies
Broken Authorization and Privilege Escalation
Case 1 - Boolean based privileges
Application Design:
• Application has only two privilege levels – Admin & normal user.
• Keeps track of privilege by a Boolean parameter [isAdmin/Admin/SuperManager]=[true/false].
• Admins have additional content which is unavailable to normal users.
Attack Scenario:
• Attacker, a normal low-privilege user, logs in with valid credentials.
• In the response body, changes the Boolean value to true.
RESULT: Normal user gets admin privilege.
Case 2 – Role based privileges
Application Design:
• Application has more than two privilege levels.
• Keeps track of privilege by integer numbers (e.g. role=0|1|2) or constant strings (e.g. role=Manager|Admin|user).
• Roles are stored in a cookie.
Attack Scenario:
• Attacker logs in as a low-privilege user.
• Edits the cookie and changes the role value.
RESULT: Attacker escalates privilege.
Case 2.1 - Design Flaw – Low priv user updates his role
Application Design:
• The PeopleManager (role=1) can create/edit other users with the view-only role (role=2). Only super admins (role=0) can change the role of other users or delete users. The PeopleManager also cannot edit his own account.
Attack Scenario:
• While creating a new user, the PeopleManager can use a proxy tool and create new users with admin privilege by changing the role parameter to 0.
• While editing another user’s details, the PeopleManager replaces the userID with his own, adds a “role” parameter to the request and sets its value to 0.
RESULT: Low-privilege user updates his role to Super-Admin.
Case 3 - GUI Based/Client-side privilege enforcement
Application Design:
• Based on the user’s role, the application disables/hides privileged features from low-privilege users, e.g. by disabling/hiding HTML elements.
Attack Scenario:
• Using the browser dev tools (F12), the attacker can inspect the elements and remove the rules enforced on the basis of roles, thus escalating privilege and bypassing the GUI-based/client-side privilege enforcement.
RESULT: Attacker escalates privilege and performs disabled/hidden operations.
Case 4 - IDOR to High Priv. pages, Access High Privilege functions
Application Design:
• High-privilege pages are removed from the view of low-privilege users.
• Low-privilege users are not given access to sensitive/high-privilege functions/features.
Attack Scenarios:
• Attacker either guesses or finds out the names/references of the high-privilege pages and calls them directly.
• Attacker uses a proxy tool and calls by name a high-privilege function to which they have no access.
• Because of missing function level access control, it was possible to call and execute high-privilege functions.
RESULT: Attacker gets access to high-privilege pages. Low-privilege attacker executes high-privilege functions.
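Authorization Cases 1 to 4 fail for the same reason: the role is read from something the client controls (response body, cookie, request parameter) or is enforced only in the GUI. Added Python example, not the talk’s code, in which the role comes from a server-side session lookup, every handler carries a require_role check (function-level access control, so calling the function by name is still refused), and the Case 2.1 rules are enforced in the create/update handlers; users, tokens and the role numbers (0 super admin, 1 PeopleManager, 2 view-only, as in Case 2.1) are constructed.

```python
import functools

# Constructed users and sessions (example data, not from the talk).
SUPER_ADMIN, PEOPLE_MANAGER, VIEW_ONLY = 0, 1, 2
USERS = {
    1: {"name": "root",   "role": SUPER_ADMIN},
    2: {"name": "pm",     "role": PEOPLE_MANAGER},
    3: {"name": "viewer", "role": VIEW_ONLY},
}
SESSIONS = {"tok-root": 1, "tok-pm": 2, "tok-viewer": 3}   # auth-token -> user id


class Forbidden(Exception):
    pass


def caller(token):
    """Cases 1-3: the acting user's role is looked up server-side from the
    session; a role/isAdmin value in a cookie, response body or hidden HTML
    is never consulted."""
    uid = SESSIONS.get(token)
    if uid is None:
        raise Forbidden("not authenticated")
    return uid, USERS[uid]["role"]


def require_role(*allowed):
    """Case 4: function-level access control applied at the handler itself,
    so a request that names the function directly is still checked."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(token, *args, **kwargs):
            uid, role = caller(token)
            if role not in allowed:
                raise Forbidden(f"{fn.__name__} requires role in {allowed}")
            return fn(uid, role, *args, **kwargs)
        return wrapper
    return decorator


@require_role(SUPER_ADMIN, PEOPLE_MANAGER)
def create_user(uid, role, name, requested_fields):
    """Case 2.1: a PeopleManager may only create view-only users. A 'role'
    parameter in the request is rejected unless the caller is a super admin."""
    if "role" in requested_fields and role != SUPER_ADMIN:
        raise Forbidden("only super admins may set a role")
    new_role = int(requested_fields.get("role", VIEW_ONLY))
    new_id = max(USERS) + 1
    USERS[new_id] = {"name": name, "role": new_role}
    return new_id


@require_role(SUPER_ADMIN, PEOPLE_MANAGER)
def update_user(uid, role, target_id, requested_fields):
    """Case 2.1: an allow-list of editable fields, no self-edit for managers,
    and role changes (or edits of non-view-only accounts) only for super admins.
    Unexpected fields are refused rather than silently dropped."""
    target = USERS.get(target_id)
    if target is None:
        raise KeyError(target_id)
    editable = {"name"}
    if role == SUPER_ADMIN:
        editable.add("role")
    else:
        if target_id == uid:
            raise Forbidden("managers cannot edit their own account")
        if target["role"] != VIEW_ONLY:
            raise Forbidden("managers may only edit view-only users")
    unknown = set(requested_fields) - editable
    if unknown:
        raise Forbidden(f"fields not editable by this role: {sorted(unknown)}")
    for key, value in requested_fields.items():
        target[key] = int(value) if key == "role" else value
    return dict(target)


@require_role(SUPER_ADMIN)
def delete_user(uid, role, target_id):
    USERS.pop(target_id)
    return True


def denied(fn, *args):
    """True when the call is refused; used to show that the checks bite."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```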
Case 5 - Design Flaw - user sends SPAM mail to anyone
Application Design:
• Normal users can send mails only to the team members who are available in the drop-down recipient list.
• Only Admins can send mails to members of a different team.
Attack Scenario:
• Using a proxy tool, a normal user can modify the recipient address to any non-team member’s address; he can also change the sender email ID.
RESULT: Attacker sends mail to any non-team member on behalf of someone else (SPAMMING).
Case 6 – Deleting project by IDOR
Application Design:
• A normal user who is not the owner can only view a project. There is no delete option for the normal user.
• A user can be a normal user for one project but Admin for other projects.
Attack Scenario:
• Normal user views the project and copies the Project ID from the URL.
• Normal user creates a project of his/her own, of which he/she becomes the owner.
• For this new project the delete option is available.
• Clicks delete and, using any proxy tool, replaces the ProjectID with that of the previous project.
RESULT: Normal user deletes a project of which he/she is not the owner but a normal member.
Responsible Disclosure: https://hackerone.com/reports/85401
Case 7 – Injecting HTML code snippet
Application Design:
• A low-privilege normal user doesn’t have permission to add new team members.
Attack Scenario:
• By adding the following HTML code snippet to the page, a normal user was able to add new team members:
<a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add Members</a>
RESULT: Low-privilege normal user added new team members, which he did not have the privilege to do.
Responsible Disclosure: https://hackerone.com/reports/92050
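Cases 5 to 7 are object-level authorization failures: the handler must decide against the specific project or team the request names (who owns this project, who is on this team), and must take the sender from the session rather than the request. Added Python example, not from the talk or the linked reports; the projects, teams, users, tokens and outbox are constructed.

```python
# Constructed project/team data (example data, not from the talk or the reports).
PROJECTS = {
    101: {"name": "alpha", "owner": 1, "members": {1, 2}},
    102: {"name": "beta",  "owner": 2, "members": {2}},
}
TEAMS = {"core": {"members": {1, 2}, "admins": {1}}}
USERS = {1: "owner@example.invalid", 2: "member@example.invalid", 3: "outsider@example.invalid"}
SESSIONS = {"tok-1": 1, "tok-2": 2, "tok-3": 3}   # auth-token -> user id
SENT = []   # constructed outbox standing in for the mail gateway


class Forbidden(Exception):
    pass


def user_from(token):
    uid = SESSIONS.get(token)
    if uid is None:
        raise Forbidden("not authenticated")
    return uid


def delete_project(token, project_id):
    """Case 6: ownership is checked on THIS project's record, not on
    'does the caller own some project', so swapping the ProjectID fails."""
    uid = user_from(token)
    project = PROJECTS.get(project_id)
    if project is None or project["owner"] != uid:
        raise Forbidden("only the project owner may delete it")
    del PROJECTS[project_id]
    return True


def add_member(token, project_id, new_member_id):
    """Case 7: whether an 'Add Members' button exists in the page is
    irrelevant; the handler re-checks ownership server-side."""
    uid = user_from(token)
    project = PROJECTS.get(project_id)
    if project is None or project["owner"] != uid:
        raise Forbidden("only the project owner may add members")
    project["members"].add(new_member_id)
    return sorted(project["members"])


def send_mail(token, team, recipient_id, body):
    """Case 5: the sender is taken from the session, never from the request,
    and a normal user may only address members of a team he belongs to;
    only team admins may mail outside the team."""
    uid = user_from(token)
    t = TEAMS.get(team)
    if t is None or uid not in t["members"]:
        raise Forbidden("caller is not on this team")
    if recipient_id not in t["members"] and uid not in t["admins"]:
        raise Forbidden("normal users may only mail team members")
    if recipient_id not in USERS:
        raise KeyError(recipient_id)
    message = {"from": USERS[uid], "to": USERS[recipient_id], "body": body}
    SENT.append(message)
    return message


def denied(fn, *args):
    """True when the call is refused; used to show that the checks bite."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True
```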
Remediation
Remediation - Authentication Bypass
Check:
• Mapping of auth-token and userID
• Guessable user identifier in cookie
• Proper session invalidation
• Strong password reset functionality
• Response body contains debugging error message
• App data contains sensitive information
Remediation - Authorization Bypass
Check:
• Map user role with session ID
• GUI-based/client-side privilege implementation
• Proper access control mechanism
• Use indirect object references (avoid IDOR)
• Server-side validation/business logic validation
Questions/Suggestions:
sarwarjahanm@outlook.com
AusCERT 2018
