2. ToC
• Definition.
• Impact.
• Environments Affected.
• BA-SM in the wild.
• Demo time.
• How to Protect Yourself.
• Wrap Up.
• Q & A.
3. Definition
Authentication is the process of verifying that an individual or an entity is who it claims to be (by submitting a user name or ID and one or more items of private information that only that user should know).
Session Management is the process by which a server maintains the state of an entity interacting with it (by means of a session identifier).
5. Impact
May allow some or even all accounts to be attacked.
Once successful, the attacker can do anything the victim could do.
Privileged accounts are frequently targeted.
6. Environments Affected
All known web servers, application servers, and web application environments are susceptible to broken authentication and session management issues.
7. //BAD - DON'T USE
public boolean login(String username, String password)
{
    // Fail-open default: the method answers "authenticated" unless something explicitly clears it
    boolean isAuthenticated = true;
    try {
        // make calls to backend to actually perform login against datastore
        // (backend.authenticate is a hypothetical stand-in for that call; the slide does not show it)
        boolean authenticationSuccess = backend.authenticate(username, password);
        if (! authenticationSuccess) {
            isAuthenticated = false;
        }
    }
    catch (Exception e) {
        // handle exc -- the exception is swallowed, so a backend failure (datastore down,
        // timeout, bad input) leaves isAuthenticated == true and the caller is logged in
    }
    return isAuthenticated;
}
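A fail-closed counterpart to the BAD login above, added here as an example and not code from the original deck: the result starts as false, any exception leaves it false, stored passwords are salted PBKDF2 hashes compared in constant time, and the in-memory store, register() and the sample credentials are constructed for the demo.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class FailClosedLogin {
    // Constructed in-memory credential store for the demo: username -> {salt, PBKDF2 hash}
    private final Map<String, byte[][]> store = new HashMap<>();
    private static final int ITERATIONS = 100_000;

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void register(String username, String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        store.put(username, new byte[][] { salt, pbkdf2(password.toCharArray(), salt) });
    }

    // Fail-closed: the flag is false unless a verified match explicitly sets it true
    public boolean login(String username, String password) {
        boolean isAuthenticated = false;
        try {
            byte[][] rec = store.get(username);
            // Unknown user: still run the KDF against a dummy salt so response time
            // does not reveal which usernames exist
            byte[] salt = rec != null ? rec[0] : new byte[16];
            byte[] expected = rec != null ? rec[1] : new byte[32];
            byte[] actual = pbkdf2(password.toCharArray(), salt);
            // MessageDigest.isEqual compares in constant time
            isAuthenticated = rec != null && MessageDigest.isEqual(expected, actual);
        } catch (Exception e) {
            // Any failure (store unavailable, KDF error) leaves the caller unauthenticated
            isAuthenticated = false;
        }
        return isAuthenticated;
    }

    public static void main(String[] args) throws Exception {
        FailClosedLogin auth = new FailClosedLogin();
        auth.register("alice", "correct horse battery staple");
        System.out.println(auth.login("alice", "correct horse battery staple"));
        System.out.println(auth.login("alice", "wrong password"));
        System.out.println(auth.login("nobody", "anything"));
    }
}
```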
8. In the wild..
- Timeouts.
- ID in URL.
- Credential Storage.
Methodologies: XSS, CSRF (session riding attack), SQL injection, session fixation….
10. How to Protect Yourself
Don't implement it yourself, OR
Define, document, and enforce a clear site policy, THEN
Check these critical areas:
"It is foolish to think that you'll do better on your first try".
11. Prevention Cont.
Passwords (Strength, Use, Change Controls, Recovery and Storage).
Protecting Credentials in Transit.
Session ID Protection.
Account Lists.
Browser Caching.
Trust Relationships.
12. OWASP Recommended
Meet all requirements defined in OWASP's ASVS areas V2 (Authentication) and V3 (Session Management).
Have a simple interface for developers.
Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
15. Ref.
• ASVS requirements areas for Authentication (V2) and Session Management (V3)
• OWASP Authentication Cheat Sheet
• ESAPI Authenticator API
• ESAPI User API
• OWASP Development Guide: Chapter on Authentication
• OWASP Testing Guide: Chapter on Authentication
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.