SlideShare a Scribd company logo

AusCERT 2018

Download as PPTX, PDF
Sarwar Jahan M
Sarwar Jahan M

The document discusses common issues with broken authentication and authorization in web applications. It provides several case studies of authentication bypass vulnerabilities, including misusing authentication tokens, cookie manipulation, failing to invalidate sessions after password resets, and account takeover through password reset functionality. It also examines cases of broken authorization and privilege escalation, such as updating boolean or role-based privileges, bypassing client-side checks, directly accessing privileged pages, allowing low-privileged users to perform privileged actions, and deleting resources through IDOR. Remediation strategies are proposed, such as strengthening authentication tokens and sessions, implementing server-side access controls, and preventing debugging information leaks.

1 of 28
Broken Authentication & Authorization Disclaimer: All the views/data presented are my own and do not reflect the opinion of my current/past employers.
Who am I ? Sarwar Jahan M. AppSec Engineer at • Secure Code Review|Web and Mobile App Security|Threat Modelling • Synack & Bugcrowd leaderboard: Top 10 researchers (2016) • Spoken at: n|uCon ’17 , HackCon #13 sarwarjahanm@outlook.com +91 77 9597 8228 https://in.linkedin.com/in/sarwarjahanm @sarwarjahanm
Agenda • Authentication? • Authorization? • Case Studies – Authentication Bypass • Case Studies – Broken Authorization and Privilege Escalation • Remediation • Q/A
Authentication
Authorization
Case Studies Authentication Bypass
Case 1: Misuse of Auth-token Login Scenario: • Valid Credential => Login status=Success & Auth-token returned in response • Wrong credential => Login status=Failed & blank Auth-token returned Attack Scenario: • Attacker (user) submits valid credential. • Intercepts the 1st Login response, copies the Auth-token & drops the response. • Sends login request with Target UserID+wrong Password. • In response, sets Login status=Success & Adds his own Auth-token value. RESULT: Attacker gets access to Victim’s account!
Case 2 – Cookie manipulation Login Scenario: User-ID in session Cookie • Successful login => App sets session cookie->user-ID (numeric value) Attack Scenario: • Attacker (user) logs in to application. • Using any cookie editor, replaces the user-ID value in cookie with that of a victim & refreshes the page. RESULT: Attacker gets access to Victim’s account!
Case 3 - Session Invalidation Login Scenario: • Multi-login allowed & Session not expired after Password reset (>3 months). Attack Scenario: • Suppose a user identifies that the account is compromised & changes the password • The active session still remains active and there was no way to invalidate the attacker’s session RESULT: Once Compromised, attacker gets lifetime access of Victim’s account.
Case 4 – Account takeover by Forgot Password functionality Password Reset Scenario: • Forgot password page gives option to select recovery option (OTP/email). • Part of the options are masked with asterisk(*). Attack Scenario: • Attacker provides victim’s user ID in forgot password page. • Selects any recovery option & using proxy tool can see and modify the OTP/email option value in request RESULT: Attacker receives recovery OTP/email and compromises the victim account
Case 5 – Authentication bypass in Mobile App Login Scenario: • On successful login, user session was stored in local /AppData/ folder (sqlite db). Attack Scenario: • After analyzing the sqlite db, it was observed that the stored session is nothing but triple encoding of the username in the format [{username}] • Attacker encodes the victim’s username thrice and pushes in the device’s AppData folder. • Opens the App in device. RESULT: Attacker gets logged in to victim’s account
Case 6 – Bypass OTP & Transfer Money from Mobile Wallet WebService Calls: • 1st call: UserID+Registered_Mobile_No => OTP sent to registered mobile number • 2nd call: Recipient+Amount+OTP => Transfer money • UserID+wrong_Mobile_No => Proper Error message • Recipient+Amount+wrong_OTP => Transaction unsuccessful with proper Error message Attack Scenario: • UserID+wrong_Mobile_No with symbol ~ => error message reveals Registered_Mobil_No • Initiate valid call to generate OTP (OTP sent to Victim’s mobile so attacker doesn’t have the OTP) • Recipient+Amount+wrong_OTP with symbol ~ error message reveals actual OTP • Recipient+Amount+retrieved OTP => Transaction Successful RESULT: From Step-by-step error messages, Attacker debits money from victim’s bank account
Case Studies Broken Authorization and Privilege Escalation
Case 1 - Boolean based privileges Application Design: • Application has only two privileges – Admin & normal user. • Keeps track of privilege by Boolean parameter [isAdmin/Admin/SuperManager]=[true/false]. • Admins have additional content which are unavailable for normal user. Attack Scenario: • Attacker who is a Normal low privilege user logs in with valid credential • In response body makes the Boolean value as true RESULT: Normal user gets admin privilege.
Case 2 – Role based privileges Application Design: • Application has more than two privileges. • Keeps track of privilege by integer numbers (e,g, role=0|1|2) or Constant Strings (e,g, role=Manager|Admin|user). • Roles stored in cookie. Attack Scenario: • Attacker logs in as low privilege user. • Edits the cookie and changes the role value RESULT: Attacker escalates the privilege.
Case 2.1 - Design Flaw – Low priv user updates his role Application Design: • The PeopleManager (role=1) can create/edit other users with view-only role (role=2). Only super admins (role=0) can change the role of other users or delete users. PeopleManager also cannot edit his own account. Attack Scenario: • While creating a new user, PeopleManager can use proxy tool and create new users with admin priv by changing role parameter to 0. • While editing other user’s details, PeopleManager replaces the userID with his own, adds “role” parameter to the request and sets the value to 0 RESULT: Low Privilege user updates his role to Super-Admin
Case 3 - GUI Based/Client-side privilege enforcement Application Design: • Based on different roles, the application disables/hides privileged features from low privilege users E,g, Disabling/Hiding HTML elements Attack Scenario: • Using browser dev tool (F12), attacker can inspect the elements and remove the rules enforced on the basis of roles. Thus can escalate the privilege and bypass the GUI Based/Client-side privilege enforcement RESULT: Attacker escalates the privilege and perform disabled/hidden operations.
Case 4 - IDOR to High Priv. pages, Access High Privilege functions Application Design: • High privileged pages are removed from the view for low privileged users. • Low privilege users are not provided access to sensitive/high privilege functions/features. Attack Scenarios: • Attacker either guess or finds out the high privileged pages names/references and calls the high privileged pages directly. • Attackers uses Proxy-tool and calls the high privilege function by name which they are not having access. • Because of Missing function level access control, it was possible to call and execute high privilege functions. RESULT: Attacker gets access to high privileged pages. Low privilege attacker executes High privilege function.
Case 5 - Design Flaw - user sends SPAM mail to anyone Application Design: • Normal Users can send mails only to the Team members who are available in drop down recipient list. • Only Admins can send mails to members of different team Attack Scenario: • Using proxy tool, normal user can modify the recipient address to any non team member’s address, also he can change the sender email ID RESULT: Attacker sends mail to any non-team member person on behalf of someone else (SPAMMING)
Case 6 – Deleting project by IDOR Application Design: • A normal user who is not owner can only view a project. There is no delete option for the normal user • A user can be Normal user for one project but Admin for other projects. Attack Scenario: • Normal user views the Project and copies the Project ID from URL • Normal user himself creates a Project for which he/she becomes owner • Now for this new project delete option is available • Clicks delete and using any proxy tool replaces the ProjectID with that of previous project RESULT: Normal user deleted a Project for which he/she is not owner but a normal member Responsible Disclosure: https://hackerone.com/reports/85401
Case 7 – Injecting HTML code snippet Application Design: • Low privilege normal user doesn’t have permission to add new team members Attack Scenario: • By adding the following HTML code snippet, a normal user was able to add new team members <a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add Members</a> RESULT: Low Privilege normal user added New team members which he did not have privilege to do Responsible Disclosure: https://hackerone.com/reports/92050
Remediation
Remediation - Authentication Bypass Caption Check Mapping of auth-token and userID Guessable User identifier in cookie Proper Session invalidation Strong Password reset functionality Response body contains debugging error message App Data contains sensitive information
Remediation - Authorization Bypass Caption Check Map user role with session ID GUI based/Client-side privilege implementation Proper Access Control Mechanism Use IDOR Server-side validation/Business Logic validation
Questions/Suggestions: sarwarjahanm@outlook.com
AusCERT 2018

Recommended

Broken Authentication & authorization
Broken Authentication & authorizationBroken Authentication & authorization
Broken Authentication & authorization
Sarwar Jahan M
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 
Project presentation
Project presentation Project presentation
Project presentation
Muktadir Shoaib
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
Vi Vek
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
Pavan M
 

Recommended

Broken Authentication & authorization
Broken Authentication & authorizationBroken Authentication & authorization
Broken Authentication & authorization
Sarwar Jahan M
 
Hack applications
Hack applicationsHack applications
Hack applications
enrizmoore
 
Project presentation
Project presentation Project presentation
Project presentation
Muktadir Shoaib
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
Top 10 Web App Security Risks
Top 10 Web App Security RisksTop 10 Web App Security Risks
Top 10 Web App Security Risks
Sperasoft
 
OWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbiosOWASP TOP 10 by Team xbios
OWASP TOP 10 by Team xbios
Vi Vek
 
OWASP A7 and A8
OWASP A7 and A8OWASP A7 and A8
OWASP A7 and A8
Pavan M
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
Sam Bowne
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
RapidValue
 
Requirements Tool
Requirements ToolRequirements Tool
Requirements Tool
gilashikwa
 
Fully dressed Style.docx
Fully dressed Style.docxFully dressed Style.docx
Fully dressed Style.docx
SaimSyed1
 
Identiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key LifecycleIdentiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key Lifecycle
derekhanson13
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
Joonas Westlin
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
UiPathCommunity
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
robin_bene
 
Jresearch Flexess presentation
Jresearch Flexess presentationJresearch Flexess presentation
Jresearch Flexess presentation
Stanislav Spiridonov
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
AshKhan85
 
Codendi Administration Guide
Codendi Administration GuideCodendi Administration Guide
Codendi Administration Guide
Codendi
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
Humphrey Humphrey
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Bhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.jsBhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.js
Bhaurao Birajdar
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
Editor Jacotech
 
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docxIGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
AnilVhatkar
 
Oauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client ApplicationsOauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 

More Related Content

Similar to AusCERT 2018

CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
Sam Bowne
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
RapidValue
 
Requirements Tool
Requirements ToolRequirements Tool
Requirements Tool
gilashikwa
 
Fully dressed Style.docx
Fully dressed Style.docxFully dressed Style.docx
Fully dressed Style.docx
SaimSyed1
 
Identiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key LifecycleIdentiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key Lifecycle
derekhanson13
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
Octogence
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
Joonas Westlin
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
UiPathCommunity
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
robin_bene
 
Jresearch Flexess presentation
Jresearch Flexess presentationJresearch Flexess presentation
Jresearch Flexess presentation
Stanislav Spiridonov
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
AshKhan85
 
Codendi Administration Guide
Codendi Administration GuideCodendi Administration Guide
Codendi Administration Guide
Codendi
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
Humphrey Humphrey
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
 
Bhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.jsBhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.js
Bhaurao Birajdar
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
Editor Jacotech
 
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docxIGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
AnilVhatkar
 
Oauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client ApplicationsOauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client Applications
Kasun Dharmadasa
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 

Similar to AusCERT 2018 (20)

CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Requirements Tool
Requirements ToolRequirements Tool
Requirements Tool
 
Fully dressed Style.docx
Fully dressed Style.docxFully dressed Style.docx
Fully dressed Style.docx
 
Identiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key LifecycleIdentiverse 2019 Security Key Lifecycle
Identiverse 2019 Security Key Lifecycle
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development7 Deadly Sins in Azure AD App Development
7 Deadly Sins in Azure AD App Development
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
 
Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2Owasp security testing methodlogies –part2
Owasp security testing methodlogies –part2
 
Jresearch Flexess presentation
Jresearch Flexess presentationJresearch Flexess presentation
Jresearch Flexess presentation
 
How to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication VulnerabilityHow to Find and Fix Broken Authentication Vulnerability
How to Find and Fix Broken Authentication Vulnerability
 
Codendi Administration Guide
Codendi Administration GuideCodendi Administration Guide
Codendi Administration Guide
 
Module 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdfModule 1 - Information Assurance and Security 2.pdf
Module 1 - Information Assurance and Security 2.pdf
 
API Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentestersAPI Security - OWASP top 10 for APIs + tips for pentesters
API Security - OWASP top 10 for APIs + tips for pentesters
 
Bhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.jsBhaurao 2+ Experience in Node.js
Bhaurao 2+ Experience in Node.js
 
A7 Missing Function Level Access Control
A7 Missing Function Level Access ControlA7 Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
 
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docxIGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
IGNOU BCS-051 Software Engineering December 2022 - Exam Solutions.docx
 
Oauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client ApplicationsOauth 2.0 Security Considerations for Client Applications
Oauth 2.0 Security Considerations for Client Applications
 
Security for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarjSecurity for oauth 2.0 - @topavankumarj
Security for oauth 2.0 - @topavankumarj
 

Recently uploaded

Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 

Recently uploaded (20)

Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 

AusCERT 2018

  • 1. Broken Authentication & Authorization Disclaimer: All the views/data presented are my own and do not reflect the opinion of my current/past employers.
  • 2. Who am I ? Sarwar Jahan M. AppSec Engineer at • Secure Code Review|Web and Mobile App Security|Threat Modelling • Synack & Bugcrowd leaderboard: Top 10 researchers (2016) • Spoken at: n|uCon ’17 , HackCon #13 sarwarjahanm@outlook.com +91 77 9597 8228 https://in.linkedin.com/in/sarwarjahanm @sarwarjahanm
  • 3. Agenda • Authentication? • Authorization? • Case Studies – Authentication Bypass • Case Studies – Broken Authorization and Privilege Escalation • Remediation • Q/A
  • 5.
  • 7.
  • 9. Case 1: Misuse of Auth-token Login Scenario: • Valid Credential => Login status=Success & Auth-token returned in response • Wrong credential => Login status=Failed & blank Auth-token returned Attack Scenario: • Attacker (user) submits valid credential. • Intercepts the 1st Login response, copies the Auth-token & drops the response. • Sends login request with Target UserID+wrong Password. • In response, sets Login status=Success & Adds his own Auth-token value. RESULT: Attacker gets access to Victim’s account!
  • 10. Case 2 – Cookie manipulation Login Scenario: User-ID in session Cookie • Successful login => App sets session cookie->user-ID (numeric value) Attack Scenario: • Attacker (user) logs in to application. • Using any cookie editor, replaces the user-ID value in cookie with that of a victim & refreshes the page. RESULT: Attacker gets access to Victim’s account!
  • 11. Case 3 - Session Invalidation Login Scenario: • Multi-login allowed & Session not expired after Password reset (>3 months). Attack Scenario: • Suppose a user identifies that the account is compromised & changes the password • The active session still remains active and there was no way to invalidate the attacker’s session RESULT: Once Compromised, attacker gets lifetime access of Victim’s account.
  • 12. Case 4 – Account takeover by Forgot Password functionality Password Reset Scenario: • Forgot password page gives option to select recovery option (OTP/email). • Part of the options are masked with asterisk(*). Attack Scenario: • Attacker provides victim’s user ID in forgot password page. • Selects any recovery option & using proxy tool can see and modify the OTP/email option value in request RESULT: Attacker receives recovery OTP/email and compromises the victim account
  • 13. Case 5 – Authentication bypass in Mobile App Login Scenario: • On successful login, user session was stored in local /AppData/ folder (sqlite db). Attack Scenario: • After analyzing the sqlite db, it was observed that the stored session is nothing but triple encoding of the username in the format [{username}] • Attacker encodes the victim’s username thrice and pushes in the device’s AppData folder. • Opens the App in device. RESULT: Attacker gets logged in to victim’s account
  • 14. Case 6 – Bypass OTP & Transfer Money from Mobile Wallet WebService Calls: • 1st call: UserID+Registered_Mobile_No => OTP sent to registered mobile number • 2nd call: Recipient+Amount+OTP => Transfer money • UserID+wrong_Mobile_No => Proper Error message • Recipient+Amount+wrong_OTP => Transaction unsuccessful with proper Error message Attack Scenario: • UserID+wrong_Mobile_No with symbol ~ => error message reveals Registered_Mobil_No • Initiate valid call to generate OTP (OTP sent to Victim’s mobile so attacker doesn’t have the OTP) • Recipient+Amount+wrong_OTP with symbol ~ error message reveals actual OTP • Recipient+Amount+retrieved OTP => Transaction Successful RESULT: From Step-by-step error messages, Attacker debits money from victim’s bank account
  • 15. Case Studies Broken Authorization and Privilege Escalation
  • 16. Case 1 - Boolean based privileges Application Design: • Application has only two privileges – Admin & normal user. • Keeps track of privilege by Boolean parameter [isAdmin/Admin/SuperManager]=[true/false]. • Admins have additional content which are unavailable for normal user. Attack Scenario: • Attacker who is a Normal low privilege user logs in with valid credential • In response body makes the Boolean value as true RESULT: Normal user gets admin privilege.
  • 17. Case 2 – Role based privileges Application Design: • Application has more than two privileges. • Keeps track of privilege by integer numbers (e,g, role=0|1|2) or Constant Strings (e,g, role=Manager|Admin|user). • Roles stored in cookie. Attack Scenario: • Attacker logs in as low privilege user. • Edits the cookie and changes the role value RESULT: Attacker escalates the privilege.
  • 18. Case 2.1 - Design Flaw – Low priv user updates his role Application Design: • The PeopleManager (role=1) can create/edit other users with view-only role (role=2). Only super admins (role=0) can change the role of other users or delete users. PeopleManager also cannot edit his own account. Attack Scenario: • While creating a new user, PeopleManager can use proxy tool and create new users with admin priv by changing role parameter to 0. • While editing other user’s details, PeopleManager replaces the userID with his own, adds “role” parameter to the request and sets the value to 0 RESULT: Low Privilege user updates his role to Super-Admin
  • 19. Case 3 - GUI Based/Client-side privilege enforcement Application Design: • Based on different roles, the application disables/hides privileged features from low privilege users E,g, Disabling/Hiding HTML elements Attack Scenario: • Using browser dev tool (F12), attacker can inspect the elements and remove the rules enforced on the basis of roles. Thus can escalate the privilege and bypass the GUI Based/Client-side privilege enforcement RESULT: Attacker escalates the privilege and perform disabled/hidden operations.
  • 20. Case 4 - IDOR to High Priv. pages, Access High Privilege functions Application Design: • High privileged pages are removed from the view for low privileged users. • Low privilege users are not provided access to sensitive/high privilege functions/features. Attack Scenarios: • Attacker either guess or finds out the high privileged pages names/references and calls the high privileged pages directly. • Attackers uses Proxy-tool and calls the high privilege function by name which they are not having access. • Because of Missing function level access control, it was possible to call and execute high privilege functions. RESULT: Attacker gets access to high privileged pages. Low privilege attacker executes High privilege function.
  • 21. Case 5 - Design Flaw - user sends SPAM mail to anyone Application Design: • Normal Users can send mails only to the Team members who are available in drop down recipient list. • Only Admins can send mails to members of different team Attack Scenario: • Using proxy tool, normal user can modify the recipient address to any non team member’s address, also he can change the sender email ID RESULT: Attacker sends mail to any non-team member person on behalf of someone else (SPAMMING)
  • 22. Case 6 – Deleting project by IDOR Application Design: • A normal user who is not owner can only view a project. There is no delete option for the normal user • A user can be Normal user for one project but Admin for other projects. Attack Scenario: • Normal user views the Project and copies the Project ID from URL • Normal user himself creates a Project for which he/she becomes owner • Now for this new project delete option is available • Clicks delete and using any proxy tool replaces the ProjectID with that of previous project RESULT: Normal user deleted a Project for which he/she is not owner but a normal member Responsible Disclosure: https://hackerone.com/reports/85401
  • 23. Case 7 – Injecting HTML code snippet Application Design: • Low privilege normal user doesn’t have permission to add new team members Attack Scenario: • By adding the following HTML code snippet, a normal user was able to add new team members <a class="button-link u-gutter js-manage-members" href="#"><span class="icon-sm icon-member"></span> Add Members</a> RESULT: Low Privilege normal user added New team members which he did not have privilege to do Responsible Disclosure: https://hackerone.com/reports/92050
  • 25. Remediation - Authentication Bypass Caption Check Mapping of auth-token and userID Guessable User identifier in cookie Proper Session invalidation Strong Password reset functionality Response body contains debugging error message App Data contains sensitive information
  • 26. Remediation - Authorization Bypass Caption Check Map user role with session ID GUI based/Client-side privilege implementation Proper Access Control Mechanism Use IDOR Server-side validation/Business Logic validation