The document discusses insecure implementations of common security practices like salted hashing, CAPTCHAs, and browser caching that can compromise user authentication and data. It provides examples of issues like generating salts on the client-side, reusing the same salt, transmitting passwords in cleartext, verifying CAPTCHAs client-side, and not reinitializing browser caching that allow replay attacks or unauthorized access to sensitive information. The document emphasizes best practices like generating random salts and CAPTCHAs on the server-side, validating them on the server, and reinitializing sessions and caches for each request to properly secure systems.
SharePoint Saturday Kansas City - Kerberos Survival GuideJ.D. Wade
If it were just BI, Kerberos, and you alone in a jungle, would you be able to survive the encounter? You will after you attend this once in a lifetime event! OK…in reality, if you come to this session, you will understand an important component you need to setup Microsoft Business Intelligence solutions with SharePoint and SQL. You will the learn basics of how Kerberos (an authentication protocol) works, when you want to use it, configuration tips, and what delegation is all about.
If it were just BI, Kerberos, and you alone in a jungle, would you be able to survive the encounter? You will after you attend this once in a lifetime event! OK…in reality, if you come to this session, you will understand an important component you need to setup Microsoft Business Intelligence solutions with SharePoint and SQL. You will the learn basics of how Kerberos (an authentication protocol) works, when you want to use it, configuration tips, and what delegation is all about.
SharePoint Saturday Kansas City - Kerberos Survival GuideJ.D. Wade
If it were just BI, Kerberos, and you alone in a jungle, would you be able to survive the encounter? You will after you attend this once in a lifetime event! OK…in reality, if you come to this session, you will understand an important component you need to setup Microsoft Business Intelligence solutions with SharePoint and SQL. You will the learn basics of how Kerberos (an authentication protocol) works, when you want to use it, configuration tips, and what delegation is all about.
If it were just BI, Kerberos, and you alone in a jungle, would you be able to survive the encounter? You will after you attend this once in a lifetime event! OK…in reality, if you come to this session, you will understand an important component you need to setup Microsoft Business Intelligence solutions with SharePoint and SQL. You will the learn basics of how Kerberos (an authentication protocol) works, when you want to use it, configuration tips, and what delegation is all about.
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfLior Rotkovitch
Part of F5 mitigations series
Brute force on apps is on the rise
Will become WBT @ F5U
Conclusion:
Internet brute force can go undetected and is a serious threat to applications
F5 owns the largest set of options to detect and prevent application brute force
Hi Everyone,
This presentation is on Logical Attacks it can be helpful in Bug Bounties while doing Bug Hunting, Vulnerability Research in web applications, mobiles(andriod, ios, win), webservices, apis etc and for making a career in information security domain.
Its not an introduction to Web Application Security
A talk about some new ideas and cool/obscure things in Web Application Security.
More like “Unusual Bugs”
In this talk I will cover how to create a REST API using Grails 2.3 to support single-page applications, exploring all the possible alternatives.
Code is available at https://github.com/alvarosanchez/restful-grails-springsecurity-greach2014
I will also explain how to integrate Spring Security using the spring-security-rest plugin I recently created, to implement a stateless, token-based, RESTful authentication.
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
This project was done for my fourth semester ( Computer Science) for the subject Cryptography and Network Security. For this project coding was done in PHP
This is my presentation from Denver Startup Week 2016 on security for applications and servers. This presentation covers everything you need to know about securing a Linux server and your application.
Similar to Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008 (20)
Summarising Snowden and Snowden as internal threatClubHack
A quick lookback at snowden's revelation and also lookign at snowden as an insider threat
*This presentation end abruptly because during the talk it ends as food for thought and kickstart of next session*
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
What is FatCat Sql injector: This is an automatic SQL Injection tool called as FatCat.
Fatcat Purpose? : For testing your web application and exploit your application into more deeper.
FatCat Support:
1)Mysql 5.0
FatCat Features?
Union Based Sql Injection
Error Based Sql Injection
MOD Security Bypass (WAF)
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
The paper shall focus on the following:
The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real life case study of why a US$100, 000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior”
strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information
Security) authored by Anup Narayanan and published under “Creative Commons,
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
NFC or the Near Field Communication allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC enabled device. Most of the recent phones including Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold etc have NFC enabled with them. NFC even helps enterprise/payment gateways to ease up users actions, such as connecting to a wifi, setting a bookmark, making payments etc.
Gone are the days of sending Android malware links through URL or attachments. In this talk, we will be showing how an attacker could steal the private and sensitive information from one’s phone and even perform malicious actions on user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms : Active(setting attacker’s phone as a proxy between victim’s smartphone and the payment terminal) and Passive(using NFC tags).For our demonstrations, we would be creating malicious NFC tags which when detected by any smartphone(NFC enabled) would steal sensitive informations from the phones (without the users knowledge) as well as trick user to install malicious applications to his phone. Thereafter, we would also be talking about how an attacker could get in close proximity of another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We would also be discussing how viral an NFC attack could go in future, if proper security measures are not enforced.
Smart grids is an added communication capabilities and intelligence to traditional grids,smart grids are enabled by Intelligent sensors and actuators, Extended data management system,Expanded two way communication between utility operation system facilities and customers,Network security ,National integration ,Self healing and adaptive –Improve distribution and transmission system operation,Allow customers freedom to purchase power based on dynamic pricing ,Improved quality of power-less wastage ,Integration of large variety of generation options.
We have seen the more complex and critical infrastructure the more vulnerable they are. From the Year of 1994 we have seen lots of incidents where SmartGrid were Hacked the latest and booming incident was Stuxnet Worm which targeted Nuclear Power System of Iran and Worldwide.There are different types of Attacks we will see. Security needed for Smart Grid.
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing, remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP Rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.
As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remains the biggest concern for the companies. Businesses should look at issues ranging from physical location of the data centers, protection of the data against any adversity and intrusion, and access rights management.
The cloud servers are often located in different countries, which results in trans- border Data Flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies and the same can bring in complications in form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to the contract in the clouds. Interoperability of the data in the event of termination of services of a vendor is an important aspect to be considered in the contracts.
Infrastructure Security by Sivamurthy HiremathClubHack
With the development of technology, the interdependence of various infrastructures has increased, which also enhanced their vulnerabilities. The National Information Infrastructure security concerns the nation’s stability and economic security. So far, the research in Internet security primarily focused on securing the information rather than securing the infrastructure itself.
The pervasive and ubiquitous nature of the Internet coupled with growing concerns about cyber attacks we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop Hardware redesign architectures, Algorithms, and Protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. These attempts to fulfil this important step by providing classification of Security attacks are classified into four main categories: DNS hacking, Routing table poisoning, Packet mistreatment, and Denial-of-Service attacks. We are generally discussing on the existing Infrastructure solutions for each of these categories, and also outline a methodology for developing secured Nation.
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces down to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameters guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded in to a very inconsequential looking string?
Do you enumerate all possible avenues for stored XSS in an application? A lot of times checks are missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user for some cases and with specific application specific input for some other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.
Hacking and Securing iOS Applications by Satish BomissttyClubHack
iOS applications share common set of classes and highly depends on the operating system solutions for data communication, storage and encryption. Solely depending on the Apple implementation made them less complex but it affects security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sand boxing and Data Protection, all of them are subject to attack. Relying only on the iOS security could lead to demise the sensitive data stored within the application when the iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating own code that work better.
The presentation illustrates several types of iOS application attacks like run time manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain & data protection API and explains the techniques to circumvent it. The presentation will provide guidelines and suggests best practices for secure iOS application development.
Critical Infrastructure Security by Subodh BelgiClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
With the increased in security awareness it’s very difficult to compromise the network/workstation, as most of network administrator put very restrictive firewalll policy for incoming network traffic i.e. allow only traffic for http/https service and antivirus software can easily detect any virus/worm infected file. This talk is about content type attack that cannot be blocked at network perimeter/firewall and undetectable by antivirus. The discussion also includes demonstration of attack vector to compromise the system. At last it includes analysis of malicious file used to compromise the system.
Abstract of the paper;Cross site scripting (XSS) attacks are considered one of the most dangerous attacks. When an application accepts un-validated user inputs and sends it back to the browser without validation, it provides attackers with an opportunity to execute malicious scripts in victim users’ browsers. By using this attack vector, malicious users can hijack user accounts, deface websites, carry out phishing attacks etc .XSS shell is a cross domain tool to carry out XSS attack in more controlled manner. It is used to setup a channel between attacker and victim’s browser and controlling the victim’s browser.
It gives me immense pleasure to tell you that from 06-02-10 to 06-02-12 our magazine has completed two successful and rejoicing years. We at ClubHack are super excited! I hope you people are enjoying the magazine and would continue doing so it in the coming future too. We enjoy making this for you all.It is said that “A lot can happen over a cup of coffee”. We experienced this amazing moment over a cup of coffee when we had the idea of starting a hacking magazine and it now it has come all this way… :). 2 years looks small when we look back.For this incredible success we at ClubHack would like to thank all our readers, volunteers and authors for giving us such unbelievable support. As we want to keep up the growth and progress therefore we request you all to keep throwing in articles, suggestions, support and your love!
Coming to this issue we have Network Security in Tool Gyan which will put light on how to set up a secured network, Who wants to be a Millionaire in Tool Gyan, check out yourself of what exactly its all about ;)TOR in Mom's guide for all those who thought 'It sounds very complicated to use, I’m not a hacker! I can’t use it!' by our Author- Federico from Italy.
From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with we have an article on PHP based RFI/LFI vulnerability. I hope you will like reading it. We also have some cool articles on XSS attacks, ROT decoding and Matriux section.
Do send us your feedback on abhijeet@chmag.in this will help us improve further.
We are now in mid of 2012. As predicted by many techno geeks, this year is phenomenal for IT related technologies including security, networking and web technologies. In April cloud war is started between two big rivals Microsoft & Google. Both making sure that its going to be secure and useful for smart phone users as well. With introduction of new such technologies we must ensure security over the web. Here HTTPS comes into picture and we brought this topic in CHMag's Mom's guide. Along with it topics like Steganography(Tech Gyan), a new toolkit - Kautilya(Tool Gyan), preventing SQL injections(Code Gyan) are covered.
If you have good write up and topic that you think people should know about it then please share with CHMag. Also if you have suggestions, feedback & articles, send it on info@chmag.in. Keep reading!!
There was a time when mobile phones were of the size of a shoe and had no features other than calling and sms and at that time I used to play the game - Snake on my dads phone :p Now as the time has passed we have reached the age of smart phones which are capable of doing lot of stuff and world wide web of application causing serious concern where an attacker can use this platform to steal data. This issue of CHMag is dedicated Mobile/Telecom Hacking and Security.
The coverpage of this December issue was released at ClubHack 2011, India’s Pioneer International Hacking Conference held last week. Talking about ClubHack Conference, if you missed ClubHack here are the presentations available at - http://www.slideshare.net/clubhack and videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collectors Editions (vol1 – from issue 1 to 10 & vol2- from issue 11 to 20), please write back to us: info@chmag.in. As of now its on demand printing.
Like the game - Snake, I have played lots of other games too which have reflected in the previous coverpages I have designed and yes I promise another awesome coverpage based on a game on the theme of android security which would be the theme for an upcoming issue, for which send in your articles to info@chmag.in
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Agenda
• Talk about insecure implementation of
security practices for
– Salted Hashing
– CAPTCHA
– Browser Caching
3. Why do we need authentication
• Abstraction of Lock and Key
– Humans are used to and comfortable with the
concept
• Explicit Authentication happens only once
– Implicit authentication with each request
4. Threats to passwords
• In the Host
– Can be found in Memory or Browser History
• Network
– Can be sniffed or found in proxy logs
• Database
– If stored in clear-text, compromise of DB leads to
complete compromise
– Backup tapes etc
5. Securing Credentials
• Denote password by ******** in the form field
– Can be guessed
• Implement strong password policy
– Can be stolen
• Base64 Encoding
– Can be decoded
• Encrypting the password
– Can be decrypted
• Hashing the password
– Our story begins from here…
6. Hashing
• Cryptographic Hash Function is a
transformation that takes an input and returns
a fixed-size string, which is called the hash
value. – From Wikipedia
• One way hashes cannot be reversed, they can
only be compared
– Just like finger prints
• A strong one-way hash will have minute
probability of collision
7. Use of hashing
• Authentication
• Message Integrity
• Digital Signatures
8. Is just a hash secure?
• Hash can be stolen from the
– memory
– browser history
– network by sniffing
– proxy logs
• We can replay the hash instead of the clear
text password
– Does not need to be reversed for authentication
9. Hash with a pinch of salt
• Salted hash
– Aims at implementing a one time password
scheme
– Each time the password of the user transmitted
from the client is different
– Even if stolen cannot be reused/replayed
Well That Is The Aim!!
10. The Working Steps
1. With each request to the login page by the user,
the server generates a random number, the salt,
and sends it to the client along with the login
page.
2. A JavaScript code on the client computes the
hash of the password entered by the user.
3. The salt is concatenated with the computed
hash of the password to re-compute the hash of
the concatenated string (let this salted hash be
‘A’).
4. The result i.e. ‘A’ generated in the previous step
is sent to the server along with the username.
11. The Working Steps
5. On the server side - the application retrieves the
hashed password for the corresponding
username from the database.
6. The hashed password fetched from the database
is concatenated with the salt (which was earlier
sent to the client) stored at the server. Hash of
the concatenated string is calculated at the
server (let this salted hash be B).
7. If the user entered the correct password then
these two hashes (A & B) should match. The
server compares these two hashes and if they
match, the user is authenticated.
8. The salt is then deleted from the server side
15. Generating salt on client side
• So we have all values that server needs to
calculate the salted hash
• It is enough to replay the values
• Beats goal of using salts
16. 2. Using a limited set of salts
• The number of salts being used by the server
is fixed
• Above replay technique works
– We just need to try multiple number of times
17. 3. Using same salt for same user
• In this case the salted hash was stored by the
developer in the DB
– Gives a ‘feeling’ of more security
• If salted hash is stored as password, then salt
too needs to be stored ☺
• Hence same salt is sent each time - replay
18. 4. Not re-initializing the salt for login
pages
• Multiple logins from the same browser
resulted in same salt being used
• Salt not deleted from the server side on
successful or unsuccessful authentication
• Problem is also related to not re-initializing
the session after successful or unsuccessful
authentication
• Attack window is small, but still…
19. 5. Transmitting clear text password
along with salted hash
• Many implementations observed
• The salted hash is sent along with clear text
form input fields
• The salted hash is computed using different
set of hidden variables
21. 6. Not re-initializing the java script
variables
• Uname = Document.form1.textbox1.value
• Pwd = Document.form1.textbox2.value
• Use the and ‘pwd’ variable for salted hash
calculation
– Hash = Hfx (pwd)
– Hash = Hfx (Hash + salt)
• The uname and pwd can be found as clear text
in memory
23. 7. Storing password in clear text in
database
• Hash = hash (password + salt)
• Server does not store salt in the database
• Clearly implies that server also does not store
hash of password in database
24. Salted Hash Best Practices
• Salt
– Generated on server side
– Must be highly random. Must use cryptographically
strong PRNG algorithm
– Must never be stored in the database
– Must be re-generated after each successful
/unsuccessful attempt
– All temporary Form Field or JS variables must be set to
null before submitting the request
• Passwords must be stored in hashed format in
the database
25. CAPTCHA
• Completely Automated Public Turing Tests to Tell
Computers and Humans Apart
• Aim is to introduce an entity that requires human
intervention
• Protection against DOS or Brute force or Misuse
– Avoiding automating submissions
26. Typical uses
• Public Forms
– Registration
– Feedback / Rating
– Survey
– Blog post
– Appointment/Slot booking
27. CAPTCHA - Implementation
• Initiate a session for the page rendered
• Request for image
• Generate unique string randomly on server side
• Generate image with string embedded
• Remember the string in Session Object and send
CAPTCHA to client
• For each client request, validate the sent value with the
one in the session object
• Invalidate session after each attempt
– Both successful and unsuccessful
• Generate new CAPTCHA for each new page request
28. Insecure Implementation
• We are not focusing weakness of CAPTCHA
generation
– It’s a different ball game
• We will discuss common implementation
flaws of using CAPTCHA’s
29. 1. Verifying CAPTCHA on client side
• The client side JavaScript verifies the CAPTCHA
value
• Server trusts the decision of client
strPassFlag=True;
• Completely bypass enforcement
• Automate submission
30. 2. Having a limited set words
• Small fixed pool of CAPTCHA words
• Automated tools will have high probability of
hits
• Bypass goal of implementing CAPTCHA
31. What better than a COMBO
Limited pool of
CAPTCHA values with
client side verification
32. 3. Validate CAPTCHA on server but
value sent from client
• Actual value of CAPTCHA sent as hidden
variable
– Hmmmmm, “hidden” does not mean “secure”
• Replay request with value of our choice
33. 4. Session is not re-initialized
• Session not re-initialized after form
submission
• Refresh on submitted page works
• Automate replay of requests using assigned
session ID
• Multiple registrations
– Treasure trove for spammers
34. 5. Image ID can be replayed
• The request for image is of the form
• <img src =
http://www.testserver.com/image_draw.jsp?I
D=23erdfret45ffrsd4g3fd3sa3a4d5a
• The image_draw.jsp decrypts the value to get
the word
• For the same value the same word is rendered
ALWAYS
• Replay image request
35. Image ID can be replayed
Client Server
Step#1: Request for Public FORM
Step#2: Form with
<img src=http://…/image_draw.php?id=X1>
Step#4: Generate an image
Step#3: Request for Image based on unique token (X1) &
store in the session object.
Step#5: Form rendered with image
Step#7: Validation with string
Step#6: FORM Submission stored in the session object.
• Step 2 can be replayed
36. 6. CAPTCHA is not an image
• One application had a ‘feeling’ of an image
• Java Script used for rendering the text on the
page in a “different” font
• Tools can read such text easily
Text can be selected ☺
37. CAPTCHA implementation best
practices
CAPTCHA:
– Generated on server side
– Verified on server side
– Strings must be randomly generated
– Images must not be generated based on token
from ‘hidden’ client side
– Must be bound to a session
– Must be re-generated after each successful
/unsuccessful attempt
38. Caching Issues
• Unauthorized access to information
User Name CC No User
SB Account No Logged off
Password
Back
Submit Submit
Sign In
Sign Out
Login Account Details Thank You
39. Browser Cache
• A local store
– Aims to improve performance
– Renders pages locally, fast user experience
– Support across browsers
• Controlled by a lot many directives
– Pragma: no-cache
– Cache-control: no-cache
– Expires: Mon, 03 Jul 2000 9:30:41 GMT
40. Caching
• Relevant HTTP fields
• Request
o If-Modified-Since
o Pragma: no-cache
• Response
o Last-Modified
o Expires: Mon, 03 Apr 2009 9:30:41 GMT
o Cache-Control: no-cache, no-store
41. Caching
• Relevant HTTP fields
• Request
o If-Modified-Since – Recheck for fresh content
o Pragma: no-cache – HTTP 1.0
• Response
o Last-Modified – Confirm fresh content
o Expires: ………… – HTTP 1.0
o Cache-Control: no-cache – Pages will not be
displayed, but will still be stored
o Cache-Control: no-store – Pages will not be stored
42. Caching best practice
• For critical applications
• Cache-Control: no-cache and Cache-
Control: no-store must be set for ALL pages
43. Example Implementation flaw
• Banking application
– Ideally all pages must be fetched fresh
– Clicking on ‘back’ must not render page
– All pages set with Cache-Control: no-cache,
no-store
– excepting logout page
– On logout, an intermediate proxy used to
serve logout page
– Session was not invalidated as request did
not reach server