Sam Bowne, profile picture
Uploaded bySam Bowne
PDF, PPTX293 views

Ch 6: Attacking Authentication

This document provides a summary of authentication techniques and common vulnerabilities. It discusses how over 90% of applications use usernames and passwords for authentication. More secure authentication methods like two-factor authentication are also described. The document outlines various authentication protocols like HTTP, SAML, and JWT. It then details common design flaws such as weak passwords, password change vulnerabilities, account recovery issues, and information leakage. Specific attacks like brute force, credential stuffing, and session hijacking are examined. The summary recommends approaches to secure authentication like strong credentials, hashing passwords, multi-factor authentication, and logging authentication events.

Embed presentation

Download as PDF, PPTX
CNIT 129S: Securing Web Applications Ch 6: Attacking Authentication Updated 2-23-2022
Authentication Technologies • Over 90% of apps use name & password
More Secure Methods • Two-factor authentication (or more ) • PIN from a token, SMS message, or mobile ap p • In addition to a passwor d • Submitted through an HTML form
Cryptographic Methods • Client-side SSL certi fi cat e • Smartcard s • More expensive, higher overhea d • SAML and JWT (at end of slides)
HTTP Authentication • Basic, Digest, and Windows-integrate d • Rarely used on the Interne t • More common in intranets, especially Windows domain s • So authenticated employees can easily access secured resources
Third-Party Authentication
Third-Party Authentication Link Ch 6b
Third-Party Authentication
Design Flaws • Bad Passwords
Brute-Force Attacks • Attackers use lists of common password s • Defense: account lockout rules after too many failed login attempts
Poor Attempt Counters • Cookie containing failedlogins= 1 • Failed login counter held within the current sessio n • Attacker can just withhold the session cookie to defeat thi s • Sometimes a page continues to provide information about a password's correctness even after account lockout
Verbose Failure Messages • Friendly for legitimate user s • But helpful for attackers
Script to Find Phone #s • echo $1,`curl -d "customerEmailAddress=$1" "https:// www.att.com/olam/ submitSLIDEmailForgotIdSlid.myworld" -silent| grep -Po '(?<=provided ()d*' ` • When you run 
 getatt.sh john.smith@example.com 
 it will output a line of text that looks like: • john.smith@example.com,678234567 8 • Link Ch 6d
Username Importance • Attacks that reveal valid usernames are called "username enumeration " • Not as bad as fi nding a password, but still a privacy intrusio n • But could be used for social engineering attacks, such as spearphishing emails
Similar but Non-Identical Error Messages • Any difference can be exploited; even response time
A
Vulnerable Transmission of Credentials • Eavesdroppers may reside:
HTTPS Risks • If credentials are sent unencrypted, the eavesdropper's task is trivial, but even HTTPS can't prevent these risks : • Credentials sent in the query string are likely to appear in server logs, browser history, and logs of reverse proxie s • Many sites take credentials from a POST and then redirect it (302) to another page with credentials in the query string
HTTPS Risks • Cookie risks : • Web apps may store credentials in cookie s • Even if cookies cannot be decrypted, they can be re-use d • Many pages open a login page via HTTP and use an HTTPS request in the for m • This can be defeated by a man-in-the-middle attack, like sslstrip
Password Change Functionality • Periodic password change mitigates the threat of password compromise (a dubious claim ) • Users need to change their passwords when they believe them to be compromised
Vulnerable Password Change Systems • Reveal whether the requested username is vali d • Allow unrestricted guesses of the "existing password" fi el d • Validate the "existing password" fi eld before comparing the "new password" and "con fi rm new password" fi eld s • So an attacker can test passwords without making any actual change
Password Change Decision Tree • Identify the use r • Validate "existing password " • Integrate with any account lockout feature s • Compare the new passwords with each other and against password quality rule s • Feed back any error conditions to the use r • Often there are subtle logic fl aws
Forgotten Password Functionality • Often the weakest lin k • Uses a secondary challenge, like "mother's maiden name " • A small set of possible answers, can be brute- force d • Often can be found from public information
Forgotten Password Functionality • Often users can write their own question s • Attackers can try a long list of username s • Seeking a really weak question, like "Do I own a boat? " • Password "Hints" are often obvious
Forgotten Password Functionality • Often the mechanism used to reset the password after a correct challenge answer is vulnerabl e • Some apps disclose the forgotten password to the user, so an attacker can use the account without the owner knowin g • Some applications immediately let the user in after the challenge--no password needed
Forgotten Password Functionality • Some apps allow the user to specify an email for the password reset link at the time the challenge is complete d • Or use email from a hidden fi eld or cooki e • Some apps allow a password reset and don't notify the user with an email
"Remember Me" • Sometimes a simple persistent cookie, like • RememberUser=jsmit h • Session=72 8 • No need to actually log in, if username or session ID can be guessed or found
"Remember Me" • Even if the userid or session token is properly encrypted, it can be stolen via XSS or by getting access to a user's phone or PC
User Impersonation • Sometimes help desk personnel or other special accounts can impersonate user s • This may have fl aws lik e • Implemented with a "hidden" function lacking proper access controls, such as • /admin/ImpersonateUser.js p • A guessable session numbe r • A fi xed backdoor password
Incomplete Validation • Some applications truncate passwords without telling user s • Also strip unusual character s • Link Ch 6e
Nonunique Usernames • Rare but it happen s • You may be able to create a new account with the same username as an existing accoun t • During registration or a password chang e • If the password also matches, you can detect that from a different error messge
Predictable Usernames • Automatically generated names lik e • User101, User102, ...
Predictable Initial Passwords • User accounts are create in large batche s • All have the same initial password
Insecure Distribution of Credentials • Passwords sent by email, SMS, etc . • Users may never change those credential s • Activation URLs may be predictabl e • Some apps email the new password to the user after each password change
B
Implementation Flaws
Fail-Open Login • Blank or invalid username may cause an exception in the login routin e • Or very long or short value s • Or letters where numbers are expected.. . • And allow the user in
Multistage Login • Enter username and passwor d • Enter speci fi c digits from a PIN (a CAPTCHA ) • Enter value displayed on a token
Multistage Login Defects • May allow user to skip step s • May trust data that passes step one, but let user change it, so invaid or locked-out accounts remain availabl e • May assume that the same username applies to all three stages but not verify this
Multistage Login Defects • May use a randomly-chosen question to verify the use r • But let the attacker alter that question in a hidden HTML fi eld or cooki e • Or allow many requests, so attacker can choose an easy question
Insecure Credential Storage • Plaintext passwords in databas e • Hashed with MD5 or SHA-1, easily cracked
Securing Authentication • Consideration s • How critical is security ? • Will users tolerate inconvenient controls ? • Cost of supporting a user-unfriendly syste m • Cost of alternatives, compare to revenue generated or value of assets
Strong Credentials • Minimum password length, requiring alphabetical, numeric, and typographic character s • Avoiding dictionary words, password same as username, re-use of old password s • Usernames should be uniqu e • Automatically generated usernames or passwords should be long and random, so they cannot be guessed or predicte d • Allow users to set strong passwords
Handle Credentials Secretively • Protect them when created, stored, and transmitte d • Use well-established cryptography like SSL, not custom method s • Whole login page should be HTTPS, not just the login butto n • Use POST rather than GE T • Don't put credentials in URL parameters or cookies
Handle Credentials Secretively • Don't transmit credentials back to the client, even in parameters to a redirec t • Securely hash credentials on the server
Hashing • Password hashes must be salted and stretche d • Salt: add random bytes to the password before hashing i t • Stretched: many rounds of hashing (Kali Linux 2 uses 5000 rounds of SHA-512)
Handle Credentials Secretively • Client-side "remember me" functionality should remember only nonsecret items such as username s • If you allow users to store passwords locally, they should be reversibly encrypted with a key known only to the serve r • And make sure there are no XSS vulnerabilities
Handle Credentials Secretively • Force users to change passwords periodicall y • No longer recommende d • Credentials for new users should be sent as securely as possible and time-limited; force password change on fi rst logi n • Capture some login information with drop-down lists instead of text fi elds, to defeat keyloggers
Validate Credentials Properly • Validate entire credential, with case sensitivit y • Terminate the session on any exceptio n • Review authentication logic and cod e • Strictly control user impersonation
Multistage Login • All data about progress and the results of previous validation tasks should be held in the server-side session object and never available to the clien t • No item of information should be submitted more than once by the use r • No means for the user to modify data after submission
Multistage Login • The fi rst task at every stage should be to verify that all prior stages have been correctly complete d • Always proceed through all stages, even if the fi rst stage fails--don't give attacker any information about which stage failed
Prevent Information Leakage • All authentication failures should use the same code to produce the same error messag e • To avoid subtle differences that leak informatio n • Account lockout can be used for username enumeratio n • Login attempts with invalid usernames should lead to the same error messages as valid ones
Self-Registration • Allowing users to choose usernames permits username enumeration. Better methods : • Generate unique, unpredictable username s • Use e-mail addresses as usernames and require the user to receive and use an email message
Prevent Brute-Force Attacks • At login, password change, recover lost password, etc . • Using unpredictable usernames and preventing their enumeration makes brute-force attacks more dif fi cul t • High-security apps like banks disable an account after several failed login s • Account holder must do something out-of-band to re-activate account, like phone customer support and answer security question s • A 30-minute delay is friendlier and cheaper
Prevent Brute-Force Attacks • Password Spray attac k • Use many different usernames with the same password, such as "password " • Avoids account lockout s • Defenses: strong password rules, CAPTCHA
Password Change • No way to change usernam e • Require user to enter the old passwor d • Require new password twice (to prevent mistakes ) • Same error message for all failure s • Users should be noti fi ed out-of-band (such as via email) that the password has been changed
Account Recovery • For security-critical apps, require account recovery out-of-ban d • Don't use "password hints " • Email a unique, time-limited, unguessable, single-use recovery URL
Account Recovery • Challenge question s • Don't let users write their own question s • Don't use questions with low-entropy answers, such as "your favorite color"
Log, Monitor, and Notify • Log all authentication-related event s • Protect logs from unauthorized acces s • Anomalies such as brute-force attacks should trigger IDS alert s • Notify users out-of-band of any critical security events, such as password change s • Notify users in-band of frequent security events, such as time and source IP of the last login
C
SAML (Security Assertion Markup Language) • http://samlol.samsclass.info
Send password to identity provider
Response contains SAMLResponse
Intercept & Decode • Change user name from user1 to admi n • Turn off Intercept • Attack fails
Remove Signatures • Change user name from user1 to dem o • Turn off Intercept
JSON Web Tokens • https://redhuntlabs.com/wp- content/uploads/2022/02/A- Practical-Guide-to-Attacking- JWT-JSON-Web-Tokens.pdf
JWT Attacks • Failing to verify signature • "NONE" algorithm (no signature required) • Weak HMAC Keys • Command injection • Path traversal • SQL injection • More...

More Related Content

PDF
OAuth 2.0
byUwe Friedrichsen
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PDF
Http Parameter Pollution, a new category of web attacks
byStefano Di Paola
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Secure coding practices
byScott Hurrey
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
OAuth 2.0
byUwe Friedrichsen
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Http Parameter Pollution, a new category of web attacks
byStefano Di Paola
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Secure coding practices
byScott Hurrey
 
Web application security & Testing
byDeepu S Nath
 
Waf bypassing Techniques
byAvinash Thapa
 

What's hot

PDF
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
PDF
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 
PPTX
Recon like a pro
byNirmalthapa24
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PPTX
Penetration Testing
byRomSoft SRL
 
ODP
OWASP Secure Coding
bybilcorry
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PPTX
SQL injection
byRaj Parmar
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
PDF
REST API Pentester's perspective
bySecuRing
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
Kafka Security 101 and Real-World Tips
byconfluent
 
PDF
Spring security oauth2
byaxykim00
 
Security for oauth 2.0 - @topavankumarj
byPavan Kumar J
 
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 
Recon like a pro
byNirmalthapa24
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
Web Application Penetration Testing
byPriyanka Aash
 
Penetration Testing
byRomSoft SRL
 
OWASP Secure Coding
bybilcorry
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
bySam Bowne
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
SQL injection
byRaj Parmar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
REST API Pentester's perspective
bySecuRing
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
Kafka Security 101 and Real-World Tips
byconfluent
 
Spring security oauth2
byaxykim00
 

Similar to Ch 6: Attacking Authentication

PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PDF
CNIT 129: 6. Attacking Authentication
bySam Bowne
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PDF
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
byimgautam076
 
PPTX
Flaws of password-based authentication
bysluge
 
PPTX
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
Getting authentication right
byAndre N. Klingsheim
 
PPTX
Computer System Security User Authentication
bymhhgqqbmrk
 
PPTX
IEEE WEB DOCUMENT PPT FOR EXPLANATION OF THE TOPIC
bysujalmacbookm2air
 
PPTX
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
byVikasTuwar1
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
PPTX
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
ODP
User Credential handling in Web Applications done right
bytladesignz
 
PDF
Web security and OWASP
byIsuru Samaraweera
 
PDF
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
PPTX
6 - Web Application Security.pptx
byAlmaOraevi
 
PDF
Client Server Security with Flask and iOS
byMake School
 
PDF
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
byClubHack
 
PPTX
Session management
byDhruv Aggarwal
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
CNIT 129: 6. Attacking Authentication
bySam Bowne
 
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
Session4-Authentication
byzakieh alizadeh
 
wapt lab 6 - converted (2).pdfwaptLab09 tis lab is used for college lab exam
byimgautam076
 
Flaws of password-based authentication
bysluge
 
Defending web applications v.1.0
byTodd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
Getting authentication right
byAndre N. Klingsheim
 
Computer System Security User Authentication
bymhhgqqbmrk
 
IEEE WEB DOCUMENT PPT FOR EXPLANATION OF THE TOPIC
bysujalmacbookm2air
 
Uwvwwbwbwbwbwbwbwbnit-4 - web security.pptx
byVikasTuwar1
 
CNIT 129S: Securing Web Applications Ch 1-2
bySam Bowne
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
byNazar Tymoshyk, CEH, Ph.D.
 
User Credential handling in Web Applications done right
bytladesignz
 
Web security and OWASP
byIsuru Samaraweera
 
Java Web Programming [9/9] : Web Application Security
byIMC Institute
 
6 - Web Application Security.pptx
byAlmaOraevi
 
Client Server Security with Flask and iOS
byMake School
 
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
byClubHack
 
Session management
byDhruv Aggarwal
 

More from Sam Bowne

PDF
Introduction to the Class & CISSP Certification
bySam Bowne
 
PDF
Cyberwar
bySam Bowne
 
PDF
3: DNS vulnerabilities
bySam Bowne
 
PDF
8. Software Development Security
bySam Bowne
 
PDF
4 Mapping the Application
bySam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
PDF
12 Elliptic Curves
bySam Bowne
 
PDF
11. Diffie-Hellman
bySam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
bySam Bowne
 
PDF
9 Writing Secure Android Applications
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
PDF
10 RSA
bySam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
PDF
9. Hard Problems
bySam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
bySam Bowne
 
PDF
11 Analysis Methodology
bySam Bowne
 
PDF
8. Authenticated Encryption
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
bySam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
bySam Bowne
 
PDF
5. Stream Ciphers
bySam Bowne
 
Introduction to the Class & CISSP Certification
bySam Bowne
 
Cyberwar
bySam Bowne
 
3: DNS vulnerabilities
bySam Bowne
 
8. Software Development Security
bySam Bowne
 
4 Mapping the Application
bySam Bowne
 
3. Attacking iOS Applications (Part 2)
bySam Bowne
 
12 Elliptic Curves
bySam Bowne
 
11. Diffie-Hellman
bySam Bowne
 
2a Analyzing iOS Apps Part 1
bySam Bowne
 
9 Writing Secure Android Applications
bySam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
bySam Bowne
 
10 RSA
bySam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
bySam Bowne
 
9. Hard Problems
bySam Bowne
 
8 Android Implementation Issues (Part 1)
bySam Bowne
 
11 Analysis Methodology
bySam Bowne
 
8. Authenticated Encryption
bySam Bowne
 
7. Attacking Android Applications (Part 2)
bySam Bowne
 
7. Attacking Android Applications (Part 1)
bySam Bowne
 
5. Stream Ciphers
bySam Bowne
 

Recently uploaded

PPTX
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
PPTX
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PDF
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
PPTX
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
PDF
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
PPTX
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
PDF
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PPTX
How to Add an Icon in Systray in Odoo 18
byCeline George
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PDF
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
PDF
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PPTX
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
How to Create_Generate Engineering Change Orders ECOs in Odoo 18
byCeline George
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
Greengnorance Toolkit Module 6 Water Resources
byKarl Donert
 
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
Greengnorance Toolkit Module 5 Waste Management
byKarl Donert
 
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
How to Add an Icon in Systray in Odoo 18
byCeline George
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 

Ch 6: Attacking Authentication

  • 1.
    CNIT 129S: Securing WebApplications Ch 6: Attacking Authentication Updated 2-23-2022
  • 2.
    Authentication Technologies • Over90% of apps use name & password
  • 3.
    More Secure Methods •Two-factor authentication (or more ) • PIN from a token, SMS message, or mobile ap p • In addition to a passwor d • Submitted through an HTML form
  • 4.
    Cryptographic Methods • Client-sideSSL certi fi cat e • Smartcard s • More expensive, higher overhea d • SAML and JWT (at end of slides)
  • 5.
    HTTP Authentication • Basic,Digest, and Windows-integrate d • Rarely used on the Interne t • More common in intranets, especially Windows domain s • So authenticated employees can easily access secured resources
  • 6.
  • 7.
  • 8.
  • 10.
  • 12.
    Brute-Force Attacks • Attackersuse lists of common password s • Defense: account lockout rules after too many failed login attempts
  • 14.
    Poor Attempt Counters •Cookie containing failedlogins= 1 • Failed login counter held within the current sessio n • Attacker can just withhold the session cookie to defeat thi s • Sometimes a page continues to provide information about a password's correctness even after account lockout
  • 15.
    Verbose Failure Messages •Friendly for legitimate user s • But helpful for attackers
  • 17.
    Script to FindPhone #s • echo $1,`curl -d "customerEmailAddress=$1" "https:// www.att.com/olam/ submitSLIDEmailForgotIdSlid.myworld" -silent| grep -Po '(?<=provided ()d*' ` • When you run 
 getatt.sh john.smith@example.com 
 it will output a line of text that looks like: • john.smith@example.com,678234567 8 • Link Ch 6d
  • 18.
    Username Importance • Attacksthat reveal valid usernames are called "username enumeration " • Not as bad as fi nding a password, but still a privacy intrusio n • But could be used for social engineering attacks, such as spearphishing emails
  • 19.
    Similar but Non-Identical ErrorMessages • Any difference can be exploited; even response time
  • 20.
  • 21.
  • 22.
    HTTPS Risks • Ifcredentials are sent unencrypted, the eavesdropper's task is trivial, but even HTTPS can't prevent these risks : • Credentials sent in the query string are likely to appear in server logs, browser history, and logs of reverse proxie s • Many sites take credentials from a POST and then redirect it (302) to another page with credentials in the query string
  • 23.
    HTTPS Risks • Cookierisks : • Web apps may store credentials in cookie s • Even if cookies cannot be decrypted, they can be re-use d • Many pages open a login page via HTTP and use an HTTPS request in the for m • This can be defeated by a man-in-the-middle attack, like sslstrip
  • 24.
    Password Change Functionality • Periodicpassword change mitigates the threat of password compromise (a dubious claim ) • Users need to change their passwords when they believe them to be compromised
  • 25.
    Vulnerable Password Change Systems •Reveal whether the requested username is vali d • Allow unrestricted guesses of the "existing password" fi el d • Validate the "existing password" fi eld before comparing the "new password" and "con fi rm new password" fi eld s • So an attacker can test passwords without making any actual change
  • 26.
    Password Change Decision Tree •Identify the use r • Validate "existing password " • Integrate with any account lockout feature s • Compare the new passwords with each other and against password quality rule s • Feed back any error conditions to the use r • Often there are subtle logic fl aws
  • 27.
    Forgotten Password Functionality • Oftenthe weakest lin k • Uses a secondary challenge, like "mother's maiden name " • A small set of possible answers, can be brute- force d • Often can be found from public information
  • 28.
    Forgotten Password Functionality • Oftenusers can write their own question s • Attackers can try a long list of username s • Seeking a really weak question, like "Do I own a boat? " • Password "Hints" are often obvious
  • 29.
    Forgotten Password Functionality • Oftenthe mechanism used to reset the password after a correct challenge answer is vulnerabl e • Some apps disclose the forgotten password to the user, so an attacker can use the account without the owner knowin g • Some applications immediately let the user in after the challenge--no password needed
  • 30.
    Forgotten Password Functionality • Someapps allow the user to specify an email for the password reset link at the time the challenge is complete d • Or use email from a hidden fi eld or cooki e • Some apps allow a password reset and don't notify the user with an email
  • 31.
    "Remember Me" • Sometimesa simple persistent cookie, like • RememberUser=jsmit h • Session=72 8 • No need to actually log in, if username or session ID can be guessed or found
  • 32.
    "Remember Me" • Evenif the userid or session token is properly encrypted, it can be stolen via XSS or by getting access to a user's phone or PC
  • 33.
    User Impersonation • Sometimeshelp desk personnel or other special accounts can impersonate user s • This may have fl aws lik e • Implemented with a "hidden" function lacking proper access controls, such as • /admin/ImpersonateUser.js p • A guessable session numbe r • A fi xed backdoor password
  • 34.
    Incomplete Validation • Someapplications truncate passwords without telling user s • Also strip unusual character s • Link Ch 6e
  • 35.
    Nonunique Usernames • Rarebut it happen s • You may be able to create a new account with the same username as an existing accoun t • During registration or a password chang e • If the password also matches, you can detect that from a different error messge
  • 36.
    Predictable Usernames • Automaticallygenerated names lik e • User101, User102, ...
  • 37.
    Predictable Initial Passwords •User accounts are create in large batche s • All have the same initial password
  • 38.
    Insecure Distribution of Credentials •Passwords sent by email, SMS, etc . • Users may never change those credential s • Activation URLs may be predictabl e • Some apps email the new password to the user after each password change
  • 39.
  • 40.
  • 41.
    Fail-Open Login • Blankor invalid username may cause an exception in the login routin e • Or very long or short value s • Or letters where numbers are expected.. . • And allow the user in
  • 42.
    Multistage Login • Enterusername and passwor d • Enter speci fi c digits from a PIN (a CAPTCHA ) • Enter value displayed on a token
  • 43.
    Multistage Login Defects •May allow user to skip step s • May trust data that passes step one, but let user change it, so invaid or locked-out accounts remain availabl e • May assume that the same username applies to all three stages but not verify this
  • 44.
    Multistage Login Defects •May use a randomly-chosen question to verify the use r • But let the attacker alter that question in a hidden HTML fi eld or cooki e • Or allow many requests, so attacker can choose an easy question
  • 45.
    Insecure Credential Storage •Plaintext passwords in databas e • Hashed with MD5 or SHA-1, easily cracked
  • 46.
    Securing Authentication • Consideration s •How critical is security ? • Will users tolerate inconvenient controls ? • Cost of supporting a user-unfriendly syste m • Cost of alternatives, compare to revenue generated or value of assets
  • 47.
    Strong Credentials • Minimumpassword length, requiring alphabetical, numeric, and typographic character s • Avoiding dictionary words, password same as username, re-use of old password s • Usernames should be uniqu e • Automatically generated usernames or passwords should be long and random, so they cannot be guessed or predicte d • Allow users to set strong passwords
  • 48.
    Handle Credentials Secretively • Protectthem when created, stored, and transmitte d • Use well-established cryptography like SSL, not custom method s • Whole login page should be HTTPS, not just the login butto n • Use POST rather than GE T • Don't put credentials in URL parameters or cookies
  • 49.
    Handle Credentials Secretively • Don'ttransmit credentials back to the client, even in parameters to a redirec t • Securely hash credentials on the server
  • 50.
    Hashing • Password hashesmust be salted and stretche d • Salt: add random bytes to the password before hashing i t • Stretched: many rounds of hashing (Kali Linux 2 uses 5000 rounds of SHA-512)
  • 52.
    Handle Credentials Secretively • Client-side"remember me" functionality should remember only nonsecret items such as username s • If you allow users to store passwords locally, they should be reversibly encrypted with a key known only to the serve r • And make sure there are no XSS vulnerabilities
  • 53.
    Handle Credentials Secretively • Forceusers to change passwords periodicall y • No longer recommende d • Credentials for new users should be sent as securely as possible and time-limited; force password change on fi rst logi n • Capture some login information with drop-down lists instead of text fi elds, to defeat keyloggers
  • 54.
    Validate Credentials Properly • Validateentire credential, with case sensitivit y • Terminate the session on any exceptio n • Review authentication logic and cod e • Strictly control user impersonation
  • 55.
    Multistage Login • Alldata about progress and the results of previous validation tasks should be held in the server-side session object and never available to the clien t • No item of information should be submitted more than once by the use r • No means for the user to modify data after submission
  • 56.
    Multistage Login • The fi rsttask at every stage should be to verify that all prior stages have been correctly complete d • Always proceed through all stages, even if the fi rst stage fails--don't give attacker any information about which stage failed
  • 57.
    Prevent Information Leakage •All authentication failures should use the same code to produce the same error messag e • To avoid subtle differences that leak informatio n • Account lockout can be used for username enumeratio n • Login attempts with invalid usernames should lead to the same error messages as valid ones
  • 58.
    Self-Registration • Allowing usersto choose usernames permits username enumeration. Better methods : • Generate unique, unpredictable username s • Use e-mail addresses as usernames and require the user to receive and use an email message
  • 59.
    Prevent Brute-Force Attacks •At login, password change, recover lost password, etc . • Using unpredictable usernames and preventing their enumeration makes brute-force attacks more dif fi cul t • High-security apps like banks disable an account after several failed login s • Account holder must do something out-of-band to re-activate account, like phone customer support and answer security question s • A 30-minute delay is friendlier and cheaper
  • 60.
    Prevent Brute-Force Attacks •Password Spray attac k • Use many different usernames with the same password, such as "password " • Avoids account lockout s • Defenses: strong password rules, CAPTCHA
  • 61.
    Password Change • Noway to change usernam e • Require user to enter the old passwor d • Require new password twice (to prevent mistakes ) • Same error message for all failure s • Users should be noti fi ed out-of-band (such as via email) that the password has been changed
  • 62.
    Account Recovery • Forsecurity-critical apps, require account recovery out-of-ban d • Don't use "password hints " • Email a unique, time-limited, unguessable, single-use recovery URL
  • 63.
    Account Recovery • Challengequestion s • Don't let users write their own question s • Don't use questions with low-entropy answers, such as "your favorite color"
  • 64.
    Log, Monitor, andNotify • Log all authentication-related event s • Protect logs from unauthorized acces s • Anomalies such as brute-force attacks should trigger IDS alert s • Notify users out-of-band of any critical security events, such as password change s • Notify users in-band of frequent security events, such as time and source IP of the last login
  • 65.
  • 66.
    SAML (Security Assertion MarkupLanguage) • http://samlol.samsclass.info
  • 67.
    Send password toidentity provider
  • 68.
  • 69.
    Intercept & Decode •Change user name from user1 to admi n • Turn off Intercept • Attack fails
  • 70.
  • 71.
  • 73.
    JWT Attacks • Failingto verify signature • "NONE" algorithm (no signature required) • Weak HMAC Keys • Command injection • Path traversal • SQL injection • More...