OWASP Khartoum Top 10 A3 - 6th meeting
  • Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

    1. OWASP Khartoum, The OWASP Foundation, 6th Meeting, 4 Aug 2012, http://www.owasp.org
       Top 10: A3 Broken Authentication and Session Management
       Obay Osman Ahmed, OWASP Khartoum
       Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
    2. ToC
       • Definition.
       • Impact.
       • Environments Affected.
       • BA-SM in the wild.
       • Demo time.
       • How to Protect Yourself.
       • Wrap Up.
       • Q & A.
    3. Definition
       Authentication is the process of verifying that an individual or an entity is who it claims to be (by submitting a username or ID and one or more items of private information that only a given user should know).
       Session Management is the process by which a server maintains the state of an entity interacting with it (by a session identifier).
    4. OWASP Risk Rating
    5. Impact
       May allow some or even all accounts to be attacked.
       Once successful, the attacker can do anything the victim could do.
       Privileged accounts are frequently targeted.
    6. Environments Affected
       All known web servers, application servers, and web application environments are susceptible to broken authentication and session management issues.
    7. // BAD - DON'T USE
       public boolean login(String username, String password)
       {
           // Fail-open default: the method answers "authenticated" unless
           // something further down explicitly flips it to false.
           boolean isAuthenticated = true;
           try {
               // make calls to backend to actually perform login against datastore
               // (authenticationSuccess holds the backend's answer; pseudocode in the original)
               if (! authenticationSuccess) {
                   isAuthenticated = false;
               }
           } catch (Exception e) {
               // handle exc
               // Any exception (datastore down, malformed input) skips the check
               // above, so the caller receives true for a login that never happened.
           }
           return isAuthenticated;
       }
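The fail-open defect in the snippet above, rendered in Python beside a fail-closed version so the difference can be exercised. This is an added example, not code from the deck: `FakeUserStore`, `login_bad`, `login_good`, `hash_password` and the `_ITERATIONS` value are constructed for illustration and stand in for the backend datastore the slide only mentions in a comment.

```python
"""Fail-open vs fail-closed login (added example, not from the original deck).

FakeUserStore is a constructed in-memory stand-in for the backend datastore;
setting `available = False` simulates the datastore being unreachable.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

_ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; assumption, raise for production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). The plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return salt, key


class FakeUserStore:
    """Constructed in-memory datastore holding salted PBKDF2 hashes."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self.available = True

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def check(self, username: str, password: str) -> bool:
        if not self.available:
            raise ConnectionError("datastore unreachable")
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a known one.
            hash_password(password)
            return False
        salt, stored_key = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the stored and freshly derived keys.
        return hmac.compare_digest(stored_key, candidate)


def login_bad(store: FakeUserStore, username: str, password: str) -> bool:
    """Mirrors the slide's BAD snippet: defaults to True and swallows exceptions."""
    is_authenticated = True
    try:
        if not store.check(username, password):
            is_authenticated = False
    except Exception:
        pass  # "handle exc": nothing here resets is_authenticated
    return is_authenticated


def login_good(store: FakeUserStore, username: str, password: str) -> bool:
    """Fail-closed: only an explicit success from the backend yields True."""
    try:
        return store.check(username, password)
    except Exception:
        # Record the backend failure server-side; the caller still gets a plain False.
        return False


if __name__ == "__main__":
    store = FakeUserStore()
    store.add_user("alice", "correct horse battery staple")
    print("backend up  :", login_bad(store, "alice", "wrong"), login_good(store, "alice", "wrong"))
    store.available = False
    print("backend down:", login_bad(store, "alice", "wrong"), login_good(store, "alice", "wrong"))
```

With the datastore up, both versions reject a wrong password; with the datastore down, `login_bad` returns True for any username and password because the exception path never touches `is_authenticated`, while `login_good` returns False. The store also shows the "Credential Storage" point from later slides: a per-user random salt, a slow KDF, and a constant-time compare.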
    8. In the wild..
       - Timeouts.
       - ID in URL.
       - Credential Storage.
       Methodologies: XSS, CSRF (session riding attack), SQL injection, session fixation….
    9. It is Demo Time..
       Let us break something…
    10. How to Protect Yourself
        Don't implement it yourself, OR
        define, document and enforce a clear site policy, THEN
        check these critical areas:
        "It is foolish to think that you'll do better on your first try".
    11. Prevention Cont.
        Passwords (Strength, Use, Change Controls, Recovery and Storage).
        Protecting Credentials in Transit.
        Session ID Protection.
        Account Lists.
        Browser Caching.
        Trust Relationships.
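The session-side issues listed on slide 8 (timeouts, ID in the URL, session fixation) and the "Session ID Protection" item above, worked through in Python. This is an added example, not the deck's code: `SessionManager`, the two timeout constants and the cookie attribute string are assumptions chosen for illustration, and the clock is injectable so the timeouts can be exercised without waiting.

```python
"""Session management (added example, not from the original deck):
random IDs, rotation on login (anti-fixation), idle and absolute timeouts,
and cookie attributes that keep the ID out of URLs and out of script reach.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies (assumption)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on lifetime regardless of activity (assumption)


@dataclass
class Session:
    user: Optional[str]  # None until the client has authenticated
    created: float
    last_seen: float


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 32 random bytes = 256 bits of entropy, URL-safe base64.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous, pre-login session."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for `sid`, or None if unknown or timed out."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess.last_seen = now  # activity refreshes the idle timer only
        return sess

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Bind `user` to a brand-new ID and destroy the pre-login one.

        Session fixation works by getting the victim to authenticate under an ID
        the attacker already knows; never promoting the old ID defeats it.
        """
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        now = self._clock()
        self._sessions[new_sid] = Session(user=user, created=now, last_seen=now)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie value for the ID. HttpOnly keeps it away from script (XSS theft),
        Secure keeps it off plaintext HTTP, SameSite=Strict blunts CSRF, and omitting
        Max-Age/Expires makes it a session cookie. The ID never appears in a URL."""
        return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    mgr = SessionManager(clock=lambda: fake_now[0])
    pre = mgr.create()            # an attacker could have planted this ID in the victim's browser
    post = mgr.login(pre, "alice")
    print("old ID dead:", mgr.lookup(pre) is None, "| new ID user:", mgr.lookup(post).user)
    print(mgr.cookie_header(post))
    fake_now[0] += IDLE_TIMEOUT + 1
    print("after idle timeout:", mgr.lookup(post))
```

`login()` is the fixation defence: whatever ID the browser arrived with is discarded and a fresh one is issued only after the credentials check out. `lookup()` enforces both timers, so a session that is kept busy still ends at `ABSOLUTE_TIMEOUT`, and `cookie_header()` is the only channel by which the ID reaches the client, which is what keeps it out of referer logs, bookmarks and shared links.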
    12. OWASP Recommended
        Meet all requirements defined in OWASP's ASVS areas V2 (Authentication) and V3 (Session Management).
        Have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
    13. Summary & Conclusion
    14. The OWASP Foundation, http://www.owasp.org
        OWASP Top 10 2010:
        A1 – Injection
        A2 – Cross-Site Scripting (XSS)
        A3 – Broken Authentication and Session Management
        A4 – Insecure Direct Object Reference
        A5 – Cross Site Request Forgery (CSRF)
        A6 – Security Misconfiguration (NEW)
        A7 – Insecure Cryptographic Storage
        A8 – Failure to Restrict URL Access
        A9 – Insufficient Transport Layer Protection
        A10 – Unvalidated Redirects and Forwards (NEW)
    15. Ref.
        • ASVS requirements areas for Authentication (V2) and Session Management (V3)
        • OWASP Authentication Cheat Sheet
        • ESAPI Authenticator API
        • ESAPI User API
        • OWASP Development Guide: Chapter on authentication
        • OWASP Testing Guide: Chapter on Authentication
    16. Q&A
