Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Authentication and Authorization in Asp.NetShivanand Arur
This presentation gives a little information about Why Security is important, then moving towards understanding about Authentication and Authorization and its various ways
1. Forms Authentication
2. Windows Authentication
3. Passport Authentication
USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIO-METRIC AUTHENTICATION
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Authentication and Authorization in Asp.NetShivanand Arur
This presentation gives a little information about Why Security is important, then moving towards understanding about Authentication and Authorization and its various ways
1. Forms Authentication
2. Windows Authentication
3. Passport Authentication
USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIO-METRIC AUTHENTICATION
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Ch 1: Web Application (In)security
Ch 2: Core Defense Mechanisms
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This is a presentation I gave at DEF CON 23, in the Packet Hacking Village.
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
CNIT 125 6. Identity and Access ManagementSam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Sasha Goldshtein's talk at the SELA Developer Practice (May 2013) that explains the most common vulnerabilities in web applications and demonstrates how to exploit them and how to defend applications against these attacks. Among the topics covered: SQL and OS command injection, XSS, CSRF, insecure session cookies, insecure password storage, and security misconfiguration.
Hi Everyone,
This presentation is on Logical Attacks it can be helpful in Bug Bounties while doing Bug Hunting, Vulnerability Research in web applications, mobiles(andriod, ios, win), webservices, apis etc and for making a career in information security domain.
Its not an introduction to Web Application Security
A talk about some new ideas and cool/obscure things in Web Application Security.
More like “Unusual Bugs”
PortalGuard’s Flexible Two-factor Authentication options are designed as strong authentication methods for securing web applications. PortalGuard leverages a one-time password (OTP) as a factor to further prove a user's identity. The OTP can be delivered via SMS, email, printer, and transparent token. Configurable by user, group or application this is a cost effective approach to stronger authentication security.
Tutorial: http://pg.portalguard.com/flexible_two-factor_tutorial
PortalGuard’s Password Management will increase the security of passwords by adding features such as more granular password quality rules, history, expiration and lockout due to incorrect logins. This is especially beneficial for applications failing to meet compliance requirements, such as homegrown web applications or custom SQL user repositories. Administrators can easily manage multiple password policies while users are given usability features such as password meters and password expiration reminders synched with their email client calendar.
Watch tutorial here: http://pg.portalguard.com/configurable_password_management_tutorial
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
3. More Secure Methods
• Two-factor authentication
(or more)
• PIN from a token, SMS
message, or mobile app
• In addition to a
password
• Submitted through an
HTML form
5. HTTP Authentication
• Basic, Digest, and Windows-integrated
• Rarely used on the Internet
• More common in intranets, especially Windows
domains
• So authenticated employees can easily
access secured resources
11. Brute-Force Attacks
• Strictly, "brute force" refers to
trying every possible combination
of characters
• Very slow
• In practice, attackers use lists of
common passwords
• Defense: account lockout rules
after too many failed login attempts
12.
13.
14. Poor Attempt Counters
• Cookie containing failedlogins=1
• Failed login counter held within the current
session
• Attacker can just withhold the session cookie
to defeat this
• Sometimes a page continues to provide
information about a password's correctness
even after account lockout
20. Script to Find Phone #s
• echo $1,`curl -d "customerEmailAddress=
$1" "https://www.att.com/olam/
submitSLIDEmailForgotIdSlid.myworld" -
silent| grep -Po '(?<=provided ()d*'`
• When you run
getatt.sh john.smith@example.com
it will output a line of text that looks like:
• john.smith@example.com,6782345678
• Link Ch 6d
21. Username Importance
• Attacks that reveal valid usernames are called
"username enumeration"
• Not as bad as finding a password, but still a
privacy intrusion
• But could be used for social engineering
attacks, such as spearphishing emails
24. HTTPS Risks
• If credentials are sent unencrypted, the
eavesdropper's task is trivial, but even HTTPS
can't prevent these risks:
• Credentials sent in the query string are likely
to appear in server logs, browser history, and
logs of reverse proxies
• Many sites take credentials from a POST and
then redirect it (302) to another page with
credentials in the query string
25. HTTPS Risks
• Cookie risks:
• Web apps may store credentials in cookies
• Even if cookies cannot be decrypted, they can be
re-used
• Many pages open a login page via HTTP and use an
HTTPS request in the form
• This can be defeated by a man-in-the-middle
attack, like sslstrip
26.
27. Password Change
Functionality
• Periodic password change mitigates the threat
of password compromise (a dubious claim)
• Users need to change their passwords when
they believe them to be compromised
28. Vulnerable Password
Change Systems
• Reveal whether the requested username is valid
• Allow unrestricted guesses of the "existing
password" field
• Validate the "existing password" field before
comparing the "new password" and "confirm
new password" fields
• So an attacker can test passwords without
making any actual change
29. Password Change Function
• Identify the user
• Validate "existing password"
• Integrate with any account lockout features
• Compare the new passwords with each other
and against password quality rules
• Feed back any error conditions to the user
• Often there are subtle logic flaws
30. Forgotten Password
Functionality
• Often the weakest link
• Uses a secondary challenge, like "mother's
maiden name"
• A small set of possible answers, can be brute-
forced
• Often can be found from public information
31. Forgotten Password
Functionality
• Often users can write their own questions
• Attackers can try a long list of usernames
• Seeking a really weak question, like "Do I own
a boat?"
• Password "Hints" are often obvious
32. Forgotten Password
Functionality
• Often the mechanism used to reset the
password after a correct challenge answer is
vulnerable
• Some apps disclose the forgotten password to
the user, so an attacker can use the account
without the owner knowing
• Some applications immediately let the user in
after the challenge--no password needed
33. Forgotten Password
Functionality
• Some apps allow the user to specify an email
for the password reset link at the time the
challenge is completed
• Or use email from a hidden field or cookie
• Some apps allow a password reset and don't
notify the user with an email
34. "Remember Me"
• Sometimes a simple persistent cookie, like
• RememberUser=jsmith
• Session=728
• No need to actually log in, if username or
session ID can be guessed or found
35. "Remember Me"
• Even if the userid or session token is properly
encrypted, it can be stolen via XSS or by getting
access to a user's phone or PC
36. User Impersonation
• Sometimes help desk personnel or other special
accounts can impersonate users
• This may have flaws like
• Implemented with a "hidden" function lacking
proper access controls, such as
• /admin/ImpersonateUser.jsp
• A guessable session number
• A fixed backdoor password
37. Incomplete Validation
• Some applications
truncate passwords
without telling users
• Also strip unusual
characters
• Link Ch 6e
38. Nonunique Usernames
• Rare but it happens
• You may be able to create a new account with
the same username as an existing account
• During registration or a password change
• If the password also matches, you can detect
that from a different error messge
41. Insecure Distribution of
Credentials
• Passwords sent by email, SMS, etc.
• Users may never change those credentials
• Activation URLs may be predictable
• Some apps email the new password to the user
after each password change
43. Fail-Open Login
• Blank or invalid username may cause an
exception in the login routine
• Or very long or short values
• Or letters where numbers are expected...
• And allow the user in
44. Multistage Login
• Enter username and password
• Enter specific digits from a PIN (a CAPTCHA)
• Enter value displayed on a token
45. Multistage Login Defects
• May allow user to skip steps
• May trust data that passes step one, but let user
change it, so invaid or locked-out accounts
remain available
• May assume that the same username applies to
all three stages but not verify this
46. Multistage Login Defects
• May use a randomly-chosen question to verify
the user
• But let the attacker alter that question in a
hidden HTML field or cookie
• Or allow many requests, so attacker can choose
an easy question
48. Securing Authentication
• Considerations
• How critical is security?
• Will users tolerate inconvenient controls?
• Cost of supporting a user-unfriendly system
• Cost of alternatives, compare to revenue
generated or value of assets
49. Strong Credentials
• Minimum password length, requiring alphabetical,
numeric, and typographic characters
• Avoiding dictionary words, password same as
username, re-use of old passwords
• Usernames should be unique
• Automatically generated usernames or passwords
should be long and random, so they cannot be
guessed or predicted
• Allow users to set strong passwords
50. Handle Credentials
Secretively
• Protect then when created, stored, and transmitted
• Use well-established cryptography like SSL, not
custom methods
• Whole login page should be HTTPS, not just the
login button
• Use POST rathern than GET
• Don't put credentials in URL parameters or cookies
51. Handle Credentials
Secretively
• Don't transmit credentials back to the client,
even in parameters to a redirect
• Securely hash credentials on the server
52. Hashing
• Password hashes must be salted and stretched
• Salt: add random bytes to the password before
hashing it
• Stretched: many rounds of hashing (Kali Linux 2
uses 5000 rounds of SHA-512)
53.
54. Handle Credentials
Secretively
• Client-side "remember me" functionality should
remember only nonsecret items such as
usernames
• If you allow users to store passwords locally,
they should be reversibly encrypted with a key
known only to the server
• And make sure there are no XSS
vulnerabilities
55. Handle Credentials
Secretively
• Force users to change passwords periodically
• Credentials for new users should be sent as
securely as possible and time-limited; force
password change on first login
• Capture some login information with drop-down
lists instead of text fields, to defeat keyloggers
56. Validate Credentials
Properly
• Validate entire credential, with case sensitivity
• Terminate the session on any exception
• Review authentication logic and code
• Strictly control user impersonation
57. Multistage Login
• All data about progress and the results of
previous validation tasks should be held in the
server-side session object and never available
to the client
• No item of information should be submitted
more than once by the user
• No means for the user to modify data after
submission
58. Multistage Login
• The first task at every stage should be to verify
that all prior stages have been correctly
completed
• Always proceed through all stages, even if the
first stage fails--don't give attacker any
information about which stage failed
59. Prevent Information Leakage
• All authentication failures should use the same
code to produce the same error message
• To avoid subtle differences that leak
information
• Account lockout can be used for username
enumeration
• Login attempts with invalid usernames should
lead to the same error messages as valid ones
60. Self-Registration
• Allowing users to choose usernames permits
username enumeration. Better methods:
• Generate unique, unpredictable usernames
• Use e-mail addresses as usernames and
require the user to receive and use an email
message
61. Prevent Brute-Force Attacks
• At login, password change, recover lost password, etc.
• Using unpredictable usernames and preventing their
enumeration makes brute-force attacks more difficult
• High-security apps like banks disable an account after
several failed logins
• Account holder must do something out-of-band to
re-activate account, like phone customer support
and answer security questions
• A 30-minute delay is friendlier and cheaper
62. Prevent Brute-Force Attacks
• Consider this type of attack
• Use many different usernames with the same
password, such as "password"
• Defenses: strong password rules, CAPTCHA
63. Password Change
• No way to change username
• Require user to enter the old password
• Require new password twice (to prevent
mistakes)
• Same error message for all failures
• Users should be notified out-of-band (such as
via email) that the password has been changed
64. Account Recovery
• For security-critical apps, require account
recovery out-of-band
• Don't use "password hints"
• Email a unique, time-limited, unguessable,
single-use recovery URL
65. Account Recovery
• Challenge questions
• Don't let users write their own questions
• Don't use questions with low-entropy
answers, such as "your favorite color"
66. Log, Monitor, and Notify
• Log all authentication-related events
• Protect logs from unauthorized access
• Anomalies such as brute-force attacks should
trigger IDS alerts
• Notify users out-of-band of any critical security
events, such as password changes
• Notify users in-band of frequent security events,
such as time and source IP of the last login