Web Application Security (PHP)
Zakieh Alizadeh
zakiehalizadeh@gmail.com
APA Laboratory – Ferdowsi University of Mashhad
Session 4
Authentication
Scenario:
• Providing an appropriate authentication scheme for the College Library website
Table of Contents
• Common Web Authentication Threats
• Common Weak Web Authentication Strategies
• Strategies for Strong Authentication
Definition
• Authentication and authorization are required for a web page that should be limited to certain users.
• Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication factors fall into three classes:
  o Ownership factors: something the user has (ID card, phone)
  o Knowledge factors: something the user knows (password, personal identification number (PIN))
  o Inherence factors: something the user is or does (e.g., fingerprint, DNA)
Forms-based authentication
• Forms-based authentication gives the web application designer the most control over the user interface, and thus it is widely used.
• Forms-based authentication suffers from:
  o Clear-text credentials
  o Weak password controls
  o Man-in-the-middle attacks
Threat Categorization
STRIDE (adversarial perspective):
  Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
ASF (defensive perspective):
  Authentication, Authorization, Auditing & Logging, Data Validation, Data Protection in Storage and Transit, Exception Management, Configuration Management
Attacker Testing of Authentication (1)
Threat | Description
Testing for credentials transport over an encrypted channel | Are the credentials sent using secure protocols that protect them from an attacker, or not?
Testing for user enumeration | Can valid usernames be distinguished from invalid ones, and are there default user accounts?
Testing for bypassing the authentication schema | Recognizing that not all of the application's resources are adequately protected (e.g. session ID prediction, SQL injection)
Attacker Testing of Authentication (2)
Threat | Description
Testing for vulnerable "remember password" and password reset | The best security is achieved if the password reset is done via e-mail; how the application manages these processes may reveal the password.
Testing for CAPTCHA | Whether the CAPTCHA questions have a very limited set of possible answers.
Testing for logout and browser cache management | The logout button is present and well visible; logout destroys all session tokens, or at least renders them unusable; a timeout is enforced and it is properly checked by the server.
Weak Authentication Functionality
• Failure to drop privileges when reasonable
• Weak passwords and password functionality
• Using the Referer field for authentication or authorization
• Using single-factor authentication in important systems
• Allowing transactions to be replayed or authorization tokens to be reused
Username Management Vulnerability
• Predictable usernames: attackers can enumerate accounts and perform a denial of service (e.g. by locking them out). Predictable schemes include:
  o Firstname.Lastname
  o Any monotonically increasing number
  o E-mail address (unless the users are random enough)
  o Semi-public data, such as employee number, or similar
• Failing to validate usernames for HTML, SQL and LDAP injection
Password Management Vulnerability
• Weak passwords
• Empty string password
• Allowing password aging
• Not allowing password aging
• Weak password storage strategies
• Allowing previous passwords to be chosen
• Weak cryptography: reversible password encryption
Weak passwords and password functionality
• Passwords should be complex in composition.
• Checks should be done on the backend/server side of the application.
• Simply checking that a password is not NULL is not sufficient; an empty string or a non-string value passes such a check.
• Tip: the == operator casts between two different types if they differ, while the === operator performs a 'typesafe comparison'.

```php
// Insufficient check: only a missing parameter is rejected, not an empty password
$pass = $_GET['pass'] ?? null;
if ($pass === null) {
    // echo error
}
```

Comparison examples:

```php
1 === 1;    // true
1 == 1;     // true
1 === "1";  // false: 1 is an integer, "1" is a string
1 == "1";   // true: "1" gets cast to an integer before the comparison
```
Good Passwords
Rule | RegExp
at least 1 uppercase character (A-Z) | [A-Z]
at least 1 lowercase character (a-z) | [a-z]
at least 1 digit (0-9) | [0-9]
at least 1 special character (!"£$%&...) | [!"£$%^&*()]
a defined minimum length (8 chars) | ^.{8,}$
a defined maximum length (as with all external input) | ^.{8,MAX}$ (MAX = the chosen upper bound)
no contiguous characters (123abcd) | (no regex given)
not more than 2 identical characters in a row (1111) | ^(([a-z0-9])\2?(?!\2))+$
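The following is an added example, not code from the slides: a server-side password check that combines the type-safe "not null is not enough" point with the composition rules of the table above. The function name, the 64-character maximum and the sample inputs are assumptions made for this example; the slides fix only the minimum length.

```php
<?php
// Added example (not from the slides): server-side password policy validation.
// Assumed limits: minimum 8 characters (from the slides), maximum 64 (assumption).

const PASSWORD_MIN_LENGTH = 8;
const PASSWORD_MAX_LENGTH = 64; // assumption: the slides do not fix a maximum

/**
 * Return the list of rule violations; an empty array means the password is acceptable.
 * No type hint on $candidate so that null, arrays and numbers are rejected here
 * instead of being silently cast (the == pitfall from the slides).
 */
function passwordPolicyViolations($candidate): array
{
    // Type-safe checks: null, non-strings and the empty string are all rejected.
    if (!is_string($candidate)) {
        return ['password must be a string'];
    }
    if ($candidate === '') {
        return ['password must not be empty'];
    }

    $violations = [];
    $len = strlen($candidate); // byte length; adequate for an ASCII policy
    if ($len < PASSWORD_MIN_LENGTH) {
        $violations[] = 'at least ' . PASSWORD_MIN_LENGTH . ' characters required';
    }
    if ($len > PASSWORD_MAX_LENGTH) {
        $violations[] = 'at most ' . PASSWORD_MAX_LENGTH . ' characters allowed';
    }

    // Composition rules from the table, one regex each.
    $rules = [
        '/[A-Z]/'         => 'at least one uppercase character',
        '/[a-z]/'         => 'at least one lowercase character',
        '/[0-9]/'         => 'at least one digit',
        '/[!"£$%^&*()]/u' => 'at least one special character',
    ];
    foreach ($rules as $regex => $message) {
        if (preg_match($regex, $candidate) !== 1) {
            $violations[] = $message;
        }
    }

    // Not more than 2 identical characters in a row (e.g. "1111").
    if (preg_match('/(.)\1\1/', $candidate) === 1) {
        $violations[] = 'no character may repeat more than twice in a row';
    }

    // No contiguous sequences such as "123" or "abc" (listed in the table without a regex).
    if (hasContiguousRun($candidate, 3)) {
        $violations[] = 'no runs of consecutive characters (e.g. 123, abc)';
    }

    return $violations;
}

/** True if $s contains $runLength characters whose codes increase by one at each step. */
function hasContiguousRun(string $s, int $runLength): bool
{
    $n = strlen($s);
    for ($i = 0; $i + $runLength <= $n; $i++) {
        $isRun = true;
        for ($j = 1; $j < $runLength; $j++) {
            if (ord($s[$i + $j]) !== ord($s[$i]) + $j) {
                $isRun = false;
                break;
            }
        }
        if ($isRun) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs covering the cases the slides call out.
$samples = [
    null,             // missing parameter
    '',               // empty string password
    'password',       // no uppercase, digit or special character
    'Xabc123!',       // contains the runs "abc" and "123"
    'Tr0ub4dor&3xQ',  // satisfies every rule
];
foreach ($samples as $sample) {
    $result = passwordPolicyViolations($sample);
    echo var_export($sample, true), ': ', $result === [] ? 'OK' : implode('; ', $result), PHP_EOL;
}
```

Returning the full list of violations rather than the first one lets the form show the user every rule that failed in a single round trip, while the check itself stays on the server where the client cannot bypass it.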
Weak Password Storage Strategies
• Passwords should be stored using a one-way hash algorithm.
• Once passwords are persisted, there is no reason why they should be human-readable.
• Storing a hash of a password, which cannot be reversed, makes it more difficult to recover the plain-text passwords.
• Hashing also ensures that administration staff for an application do not have access to other users' passwords.
Weak Password Storage Strategies (continued)
• Salting:
  o A salt is a random number of a fixed length.
  o Storing simply hashed passwords has its issues: identical passwords produce identical hashes, and precomputed tables apply.
  o The salt is stored as clear text next to the hashed password and is mixed into the hash input.
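As an added example (not from the slides), the register/verify pair below stores passwords with PHP's built-in password_hash() and password_verify() (PHP 5.5 and later), which generate a random per-password salt and store it in clear text inside the hash string, exactly the layout described above. The $users array, the function names and the sample accounts are constructed for this example and stand in for a database table.

```php
<?php
// Added example (not from the slides): salted one-way password storage with
// PHP's password_hash()/password_verify(). $users is a constructed in-memory
// stand-in for a users table (username => stored hash string).

$users = [];

/** Store only a salted one-way hash; the plain-text password is never persisted. */
function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() draws a fresh random salt per call and embeds it, with the
    // algorithm id and cost, in the returned string ("$2y$10$<22-char salt><hash>" for bcrypt).
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/** True only when the password matches the stored hash for an existing account. */
function verifyLogin(array &$users, string $username, string $password): bool
{
    // A dummy hash computed once keeps the verification cost the same for unknown
    // users, so response time does not reveal whether an account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-constant-cost', PASSWORD_DEFAULT);
    }
    $stored = $users[$username] ?? $dummyHash;

    // password_verify() re-reads the salt from $stored and compares in constant time.
    $matches = password_verify($password, $stored);
    if (!$matches || !isset($users[$username])) {
        return false;
    }

    // Transparent upgrade when the default algorithm or cost factor changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed demo: two users with the same password get different stored hashes.
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob', 'correct horse battery staple');

echo 'alice: ', $users['alice'], PHP_EOL;
echo 'bob:   ', $users['bob'], PHP_EOL;
var_dump($users['alice'] !== $users['bob']);
var_dump(verifyLogin($users, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice', 'wrong password'));
var_dump(verifyLogin($users, 'mallory', 'correct horse battery staple'));
```

Because the salt lives inside the stored string, the table needs a single column and no separate salt field; an administrator who reads the table sees only the salt and the hash, never the password.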
Code Review for Vulnerabilities Related to Authentication
Threat | Description
SQL Injection | Used to bypass authentication functionality, or to add a malicious user to a system for future use
Data Validation | Input validation also applies to authentication fields
XSS issues | Used to perform identity theft, phishing and session hijacking attacks
Error Handling | Error messages can give insight into valid and invalid user IDs, or into the database structure
Hashing | Weak hash algorithms such as MD5
Brute Force/Dictionary Attack | Determined brute force attacks cannot easily be defeated
Best Practices:
• Passwords are trivially broken and are unsuitable for high-value systems.
• Re-authenticate the user for high-value transactions and access to protected areas.
• Authentication is only as strong as your user management processes.
  o The more non-repudiation required, the more expensive the process.
Password Best Practices:
• Train your users in suitable password construction.
• Encourage users to use pass phrases instead of passwords.
• Allow your users to write down their passwords as long as they keep them safe.
• Passwords between 8 and 16 characters that cannot be easily cracked (expiry no less than 30 days).
• Pass phrases above 16 characters probably do not need a hard expiry limit, but a gentle reminder after (say) 90 days instead.
Change passwords:
• Ensure your application has a change-password function.
• Use AUTOCOMPLETE=off to prevent browsers from caching the password locally.
• The form must include the old password, the new password and a confirmation of the new password.
• If the user gets the old password wrong too many times, lock the account and kill the session.
Brute Force
• Applications should be robust in the face of determined automated brute force and dictionary attacks, such as from Brutus or custom scripts. Determined brute force attacks cannot easily be defeated, only delayed.
• If the application allows more than five attempts from a single IP address, or a collection rate in excess of 10 requests a second, it is likely that the application will fall to a determined brute force attack.
Brute Force Countermeasures
• Log failed authentication attempts.
• A delay of three seconds can make automated brute force attacks almost infeasible.
• Return an error message that does not disclose which part of the credentials is incorrect.
• For applications requiring stronger controls, block access from abusive IP addresses (accessing more than three accounts from the same IP address, or attempting to lock out more than one account).
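The login handler below is an added example, not code from the slides: it wraps a credential check with the four countermeasures listed above (failure logging, a fixed delay, a generic error message, per-IP blocking) using the thresholds the slides give (more than five failures or more than three accounts from one IP, three-second delay). The $state array, the function names, the injected sleep callback and the 203.0.113.7 address are constructed for this example; a real deployment would keep the counters in a database or cache shared by all web servers.

```php
<?php
// Added example (not from the slides): brute-force countermeasures around a login.
// Thresholds follow the slides; $state is a constructed in-memory stand-in for a
// shared store (DB/cache) of per-IP counters.

const MAX_FAILURES_PER_IP   = 5;   // "more than five attempts from a single IP"
const MAX_ACCOUNTS_PER_IP   = 3;   // "more than three accounts from the same IP"
const FAILURE_DELAY_SECONDS = 3;   // "a delay of three seconds"

$state = [
    'failures' => [],  // ip => consecutive failed attempts
    'accounts' => [],  // ip => [username => true] accounts tried from that ip
    'blocked'  => [],  // ip => true
    'log'      => [],  // audit log lines (constructed format)
];

function isBlocked(array $state, string $ip): bool
{
    return isset($state['blocked'][$ip]);
}

/**
 * $checkCredentials does the real password check (e.g. password_verify against the DB);
 * $sleep is injected so the demo can skip the real delay.
 */
function attemptLogin(array &$state, string $ip, string $username, string $password,
                      callable $checkCredentials, callable $sleep): array
{
    // Generic message: never reveals whether the username or the password was wrong.
    $denied = ['ok' => false, 'message' => 'Invalid username or password'];

    $state['accounts'][$ip][$username] = true;
    if (isBlocked($state, $ip)) {
        $state['log'][] = "ip=$ip user=$username result=blocked";
        return $denied;
    }

    if ($checkCredentials($username, $password)) {
        $state['failures'][$ip] = 0;  // reset the counter on success
        $state['log'][] = "ip=$ip user=$username result=success";
        return ['ok' => true, 'message' => 'Welcome'];
    }

    // Log every failure; the log is what lets an operator notice an attack in progress.
    $state['failures'][$ip] = ($state['failures'][$ip] ?? 0) + 1;
    $state['log'][] = "ip=$ip user=$username result=failure count=" . $state['failures'][$ip];

    // Block the source once either threshold from the slides is exceeded.
    if ($state['failures'][$ip] > MAX_FAILURES_PER_IP
        || count($state['accounts'][$ip]) > MAX_ACCOUNTS_PER_IP) {
        $state['blocked'][$ip] = true;
        $state['log'][] = "ip=$ip result=ip-blocked";
    }

    // Fixed delay after a failure slows automated guessing.
    $sleep(FAILURE_DELAY_SECONDS);
    return $denied;
}

// Constructed demo: one account, hashed as on the storage slide; a no-op sleep.
$credentials = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$check = function (string $u, string $p) use ($credentials): bool {
    return isset($credentials[$u]) && password_verify($p, $credentials[$u]);
};
$noSleep = function (int $seconds): void { /* use sleep($seconds) in production */ };

foreach (['a', 'b', 'c', 'd', 'e', 'f'] as $guess) {
    attemptLogin($state, '203.0.113.7', 'alice', $guess, $check, $noSleep);
}
// The sixth failure exceeded the limit, so even the correct password is now refused.
$r = attemptLogin($state, '203.0.113.7', 'alice', 'correct horse battery staple', $check, $noSleep);
echo $r['message'], PHP_EOL;
echo implode(PHP_EOL, $state['log']), PHP_EOL;
```

The counters are keyed by source IP rather than by account so that an attacker cannot lock out a victim's account on purpose; per-account lockout, which the slides also mention for the change-password form, should be paired with an unlock path before it is enabled.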
Browser remembers passwords
• Modern browsers offer users the ability to manage their multitude of credentials by storing them insecurely on their computer.
• In the rendered HTML, send the following for any sensitive input fields, such as usernames, passwords, password re-validation, credit card and CCV fields, and so on:
  <form … AUTOCOMPLETE="off">   (for all form fields)
  <input … AUTOCOMPLETE="off">  (for just one field)
Authentication

More Related Content

What's hot

OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
Pankaj Kumar Sharma
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
Marco Morana
 
ieee
ieeeieee
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
zakieh alizadeh
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
stevil1224
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
Lucas Hendrich
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
robin_bene
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
Katy Anton
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 

What's hot (20)

OWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
 
Web application security
Web application securityWeb application security
Web application security
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
ieee
ieeeieee
ieee
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 

Similar to Session4-Authentication

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Nazar Tymoshyk, CEH, Ph.D.
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & Management
Barrel Software
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
owasp-pune
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Jayasree Veliyath
 
PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
C02
C02C02
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
Wail Hassan
 
Web Application Security 101 - 06 Authentication
Web Application Security 101 - 06 AuthenticationWeb Application Security 101 - 06 Authentication
Web Application Security 101 - 06 Authentication
Websecurify
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
IJMER
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
IJERD Editor
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd Iaetsd
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
Burak DAYIOGLU
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password Solution
Rafidah Ariffin
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
Paul Lemon
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
Cedar Consulting
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 

Similar to Session4-Authentication (20)

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"
 
Mobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & ManagementMobile Application Security - Broken Authentication & Management
Mobile Application Security - Broken Authentication & Management
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013Steps to mitigate Top 5 OWASP Vulnerabilities 2013
Steps to mitigate Top 5 OWASP Vulnerabilities 2013
 
PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
C02
C02C02
C02
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
 
Web Application Security 101 - 06 Authentication
Web Application Security 101 - 06 AuthenticationWeb Application Security 101 - 06 Authentication
Web Application Security 101 - 06 Authentication
 
An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication An Enhanced Security System for Web Authentication
An Enhanced Security System for Web Authentication
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
M-Pass: Web Authentication Protocol
M-Pass: Web Authentication ProtocolM-Pass: Web Authentication Protocol
M-Pass: Web Authentication Protocol
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
Iaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authenticationIaetsd fpga implementation of rf technology and biometric authentication
Iaetsd fpga implementation of rf technology and biometric authentication
 
Securing Applications
Securing ApplicationsSecuring Applications
Securing Applications
 
SecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password SolutionSecureOTP: Total One-Time-Password Solution
SecureOTP: Total One-Time-Password Solution
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 

More from zakieh alizadeh

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection
zakieh alizadeh
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Data
zakieh alizadeh
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
zakieh alizadeh
 
yii framework
yii frameworkyii framework
yii framework
zakieh alizadeh
 
Web security Contents
Web security ContentsWeb security Contents
Web security Contents
zakieh alizadeh
 
Validating and Sanitizing User Data
Validating and Sanitizing  User DataValidating and Sanitizing  User Data
Validating and Sanitizing User Data
zakieh alizadeh
 
Introduce Yii
Introduce YiiIntroduce Yii
Introduce Yii
zakieh alizadeh
 

More from zakieh alizadeh (7)

Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection Session11-NoSQL InjectionPHP Injection
Session11-NoSQL InjectionPHP Injection
 
Session6-Protecct Sensetive Data
Session6-Protecct Sensetive DataSession6-Protecct Sensetive Data
Session6-Protecct Sensetive Data
 
Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers Session1-Introduce Http-HTTP Security headers
Session1-Introduce Http-HTTP Security headers
 
yii framework
yii frameworkyii framework
yii framework
 
Web security Contents
Web security ContentsWeb security Contents
Web security Contents
 
Validating and Sanitizing User Data
Validating and Sanitizing  User DataValidating and Sanitizing  User Data
Validating and Sanitizing User Data
 
Introduce Yii
Introduce YiiIntroduce Yii
Introduce Yii
 

Recently uploaded

Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
Trending Blogers
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 

Recently uploaded (20)

Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Explore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories SecretlyExplore-Insanony: Watch Instagram Stories Secretly
Explore-Insanony: Watch Instagram Stories Secretly
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 

Session4-Authentication

  • 1. Web Application Security (PHP) Zakieh Alizadeh zakiehalizadeh@gmail.com APA Laboratory – Ferdowsi University of Mashhad
  • 3. Authentication  Scenarios :  Providing An Appropriate Authentication for CollegeAuthentication Library Website Table of Content  Common Web Authentication Threats  Common Weak Web Authentication Strategies  Strategies For Strong Authentication
  • 4. Authentication Common Web Authentication Threats Common Weak Web Authentication Strategies Strategies For Strong Authentication
  • 5. Authentication Defenition  Authentication and authorization are required for a Web page that should be limited to certain users.  Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. o the ownership factors: ID card,phone o the knowledge factors: password, personal identification number (PIN) o the inherence factors: Something the user is or does (e.g., fingerprint, DNA
  • 6. Authentication Forms based authentication  Forms based authentication provides the web application designer the most control over theuser interface, and thus it is widely used.  Forms based authentication suffers from: o Clear text credentials o Weak password controls o Man in the middle attacks
  • 7. Authentication  Threat Categorization STRIDE ::adversarial perspectiev Spoofing Tampering Repudition Information disclosure Elevation of privilage Denial of service ASF :: defensive perspective Data Protection in Storage and Transit Exception Management Data Validation Configuration Management Authorization Authentication Auditing & Logging
  • 8. Authentication Attacker Testing Autentication Threats Desc Testing for Credentials transport over an encrypted channel  using secure protocols that protect them from an attacker or not Testing for user enumeration there are default user accounts Testing for bypassing authentication schema  by recognizing that not all of the application‘s resources are adequately protected. (-Session ID Prediction—sql injection )
• 9. Authentication
Attacker Testing Authentication
Threat | Description
Testing for vulnerable "remember password" and password reset |  the best security is achieved if the password reset is done via an e-mail to the registered address; check how the application manages the process and whether it ever shows you the password
Testing for CAPTCHA |  check whether the questions have a very limited set of possible answers (then the CAPTCHA can be solved by enumeration)
Testing for logout and browser cache management |  a logout button is present and well visible  logout destroys all session tokens, or at least renders them unusable  a timeout is enforced and it is properly checked by the server, not only by the client
• 10. Authentication
Weak Authentication Functionality
 Failure to drop privileges when reasonable
 Weak passwords and weak password functionality
 Using the Referer header for authentication or authorization (it is client-controlled)
 Using single-factor authentication in important systems
 Allowing transactions to be replayed or authorization tokens to be reused
• 11. Authentication
Username Management Vulnerability
 Predictable usernames: an attacker can enumerate accounts and, where an account-lockout policy exists, lock out many users (a denial of service) by deliberately failing logins against each of them
 o Firstname.Lastname
 o any monotonically increasing number
 o e-mail address (unless the addresses are random enough)
 o semi-public data, such as employee number, or similar
 Usernames not validated against HTML, SQL and LDAP injection
• 12. Authentication
Password Management Vulnerability
 Weak passwords
 Empty-string password accepted
 Password aging policy missing, or so aggressive that users choose weak, predictable passwords
 Weak password storage strategies
 Previous passwords allowed to be chosen again
 Weak cryptography: reversible password encryption instead of a one-way hash
• 13. Authentication
 Weak passwords and password functionality
 Passwords should be complex in composition
 Checks must be done on the backend/server side of the application; client-side checks are trivially bypassed
 Simply checking that a password is not NULL is not sufficient: an empty string, "0" or a non-string value all pass such a check
 Tip: the == operator casts between two different types if they differ, while the === operator performs a type-safe comparison.
 Note: the snippet reads the password from $_GET; credentials belong in a POST body over TLS, never in the query string, which ends up in browser history, proxy and server logs.

$pass = $_GET['pass'];
if ($pass === null) {
    // echo error
}

1 === 1: true
1 == 1: true
1 === "1": false   // 1 is an integer, "1" is a string
1 == "1": true     // "1" gets cast to an integer, which is then equal to 1
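The tip above applied to a real credential check, as an added example that is not code from the slides: a loose (==) comparison of two MD5 digests that both happen to look like the number 0e..., beside the strict, constant-time check that should be used, plus an input check that goes beyond "is it NULL". The stored digest, the test inputs and the length cap are constructed for the demo; unsalted MD5 is used only because it makes the bug visible, not as a recommendation (see the storage slides below).

```php
<?php
// Added example, not code from the slides: the == vs === tip applied to a credential
// check. The stored digest is constructed for the demo (unsalted MD5, a weak scheme
// used here only to show the bug).

function stored_digest(): string
{
    return md5('QNKCDZO');   // has the form 0e<digits>, i.e. a "numeric" string
}

// Vulnerable: loose comparison. md5('240610708') also has the form 0e<digits>, so
// PHP compares the two digests as numbers (0 == 0) and the wrong password passes.
function check_loose(string $candidate): bool
{
    return md5($candidate) == stored_digest();
}

// Hardened: type-safe and constant-time comparison of the two digests.
function check_strict(string $candidate): bool
{
    return hash_equals(stored_digest(), md5($candidate));
}

// "Not NULL" is not a sufficient input check: '', "0" and non-strings all pass it.
// Reject missing, empty, non-string and over-long values before doing anything else
// (128 bytes is an assumed cap; pick one and enforce it server-side).
function password_input_ok($pass): bool
{
    return is_string($pass) && $pass !== '' && strlen($pass) <= 128;
}

// Demo with constructed inputs: the loose check accepts '240610708' for an account
// whose password is 'QNKCDZO'; the strict check accepts only the real password.
var_dump(check_loose('240610708'));
var_dump(check_strict('240610708'));
var_dump(check_strict('QNKCDZO'));
var_dump(password_input_ok(null));
var_dump(password_input_ok(''));
var_dump(password_input_ok('hunter2'));
```

hash_equals() is preferred over === for comparing secrets because it runs in time independent of where the first differing byte is, so an attacker cannot learn the digest byte by byte from response timing.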
• 14. Authentication
Good Password Rules
Rule | Regular expression (a candidate must match every "at least" pattern and must not match the "no ..." pattern; the patterns on the original slide were swapped between rows and anchored to a single character, and are corrected here)
at least 1 uppercase character (A-Z) | [A-Z]
at least 1 lowercase character (a-z) | [a-z]
at least 1 digit (0-9) | [0-9]
at least one special character (!"£$%&...) | [!"£$%^&*()] (or, more generally, [^A-Za-z0-9])
a defined minimum length (8 chars) | ^.{8,}$
a defined maximum length (as with all external input; e.g. 64 chars) | ^.{8,64}$
no contiguous characters (123abcd) | easier to check in code than with a regular expression
not more than 2 identical characters in a row (1111) | must not match (.)\1{2}; the slide's own pattern, ^(([a-z0-9])\2?(?!\2))+$, expresses the same rule for lowercase alphanumerics only
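A server-side validator that enforces the table above, as an added example that is not code from the slides. It reports every violated rule rather than stopping at the first, and implements the "no contiguous characters" rule in code (ascending or descending runs of three, such as 123, cba or abc) since that is awkward to express as a regex. The length limits, the run length of three and the sample passwords are assumptions made for the demo.

```php
<?php
// Added example, not code from the slides: the password rules of the table,
// checked on the server. PW_MIN/PW_MAX and the run length are assumed values.

const PW_MIN = 8;
const PW_MAX = 64;   // cap length like any other external input

// Returns a list of violated rules; an empty list means the password passes.
function password_policy_errors(string $pw): array
{
    $errors = [];
    $len = strlen($pw);   // byte length; use mb_strlen() if you count code points
    if ($len < PW_MIN) {
        $errors[] = 'shorter than ' . PW_MIN . ' characters';
    }
    if ($len > PW_MAX) {
        $errors[] = 'longer than ' . PW_MAX . ' characters';
    }
    if (!preg_match('/[A-Z]/', $pw)) {
        $errors[] = 'no uppercase letter';
    }
    if (!preg_match('/[a-z]/', $pw)) {
        $errors[] = 'no lowercase letter';
    }
    if (!preg_match('/[0-9]/', $pw)) {
        $errors[] = 'no digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $pw)) {
        $errors[] = 'no special character';
    }
    // three or more identical characters in a row, e.g. "1111"
    if (preg_match('/(.)\1{2}/', $pw)) {
        $errors[] = 'three or more identical characters in a row';
    }
    // contiguous ascending or descending characters, e.g. "123", "abc", "cba"
    if (has_sequence($pw, 3)) {
        $errors[] = 'contains a sequential run of characters';
    }
    return $errors;
}

// True if the password contains $runLength consecutive characters whose codes
// increase or decrease by exactly one (case-insensitive).
function has_sequence(string $pw, int $runLength): bool
{
    $codes = array_map('ord', str_split(strtolower($pw)));
    $n = count($codes);
    for ($i = 0; $i + $runLength <= $n; $i++) {
        $up = true;
        $down = true;
        for ($j = 1; $j < $runLength; $j++) {
            if ($codes[$i + $j] !== $codes[$i + $j - 1] + 1) {
                $up = false;
            }
            if ($codes[$i + $j] !== $codes[$i + $j - 1] - 1) {
                $down = false;
            }
        }
        if ($up || $down) {
            return true;
        }
    }
    return false;
}

// Demo on constructed candidates: one that passes, one with a sequence,
// one with a triple repeat, one that is too short and too simple.
foreach (['Tr0ub4dor&3', 'abc123XYZ!', 'Aaaa1!!bB', 'pass'] as $candidate) {
    $errors = password_policy_errors($candidate);
    printf("%-12s %s\n", $candidate, $errors ? implode('; ', $errors) : 'OK');
}
```

Composition rules like these raise the floor, but they do not stop users from choosing "Passw0rd!"; the best-practice slides later recommend pass phrases, and a check against a list of known-breached passwords is a stronger complement than more character-class rules.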
• 15. Authentication
Weak Password Storage Strategies
 Passwords should be stored using a one-way hash algorithm.
 Once passwords are persisted, there is no reason why they should be human-readable.
 Storing a hash of a password, which cannot be reversed, makes it more difficult to recover the plain-text passwords if the store is compromised.
 It also ensures that the administration staff for an application do not have access to other users' passwords.
• 16. Authentication
Weak Password Storage Strategies
 Salting:
 o A salt is a random value of a fixed length, generated separately for each user.
 o Storing simply hashed (unsalted) passwords has its issues: two users with the same password get the same hash, and one precomputed (rainbow) table breaks every account at once.
 o The salt is stored as clear text next to the hashed password and is combined with the password before hashing, so each hash has to be attacked separately.
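Salted one-way storage as described on slides 15 and 16, as an added example that is not code from the slides. The first pair of functions does exactly what the slide describes by hand (random fixed-length salt, stored in clear next to a SHA-256 of salt + password) to make the mechanism visible; the second pair is what a PHP application should actually use, password_hash() and password_verify(), which generate and embed the salt and use a deliberately slow algorithm (bcrypt). The user records and the cost factor are assumptions for the demo.

```php
<?php
// Added example, not code from the slides: salted one-way password storage.
// The "records" are in-memory arrays standing in for database rows.

// The slide's scheme, done by hand: a fixed-length random salt stored in clear,
// hash computed over salt . password. Shown for understanding, not for use.
function manual_salted_hash(string $password, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));      // 16 random bytes, hex-encoded
    $hash = hash('sha256', $salt . $password);
    return ['salt' => $salt, 'hash' => $hash];
}

function manual_verify(string $password, array $record): bool
{
    $calc = manual_salted_hash($password, $record['salt']);
    return hash_equals($record['hash'], $calc['hash']);   // constant-time compare
}

// What to use: password_hash() picks a random salt, embeds it in the returned
// string ($2y$12$<salt><hash>) and uses bcrypt, whose cost makes offline cracking
// far more expensive than a single fast hash. Cost 12 is an assumed value; tune it
// to roughly 100 ms on your hardware. Note that bcrypt only looks at the first
// 72 bytes of the password.
const BCRYPT_COST = 12;

function store_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verifies and, if the stored hash was made with an older cost or algorithm,
// replaces it with a fresh one while the plain text is available.
function login(string $password, string &$stored): bool
{
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $stored = store_password($password);
    }
    return true;
}

// Demo with constructed users.
$rec = manual_salted_hash('correct horse');
var_dump(manual_verify('correct horse', $rec));
var_dump(manual_verify('wrong horse', $rec));

// Two users with the same password get different salts, hence different hashes,
// yet both verify. With unsalted hashing the two stored values would be identical.
$alice = store_password('correct horse');
$bob   = store_password('correct horse');
var_dump($alice !== $bob);
var_dump(login('correct horse', $alice));
var_dump(login('wrong horse', $bob));

// A hash made with a lower cost is upgraded on the next successful login.
$old = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
login('correct horse', $old);
var_dump(strpos($old, '$2y$12$') === 0);
```

The manual scheme is still a fast hash: a salt defeats precomputed tables but not a GPU guessing billions of SHA-256 values per second against one user. That is why the real code path uses bcrypt (or Argon2id via PASSWORD_ARGON2ID where available) rather than a salted general-purpose hash.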
• 17. Authentication
Code Review for Vulnerabilities Related to Authentication
Threat | Description
SQL injection |  bypass the authentication functionality  add a malicious user to the system for future use
Data validation |  this also applies to the authentication fields (username, password)
XSS issues |  used to perform identity theft, phishing and session hijacking attacks
Error handling |  insight into valid and invalid user IDs  insight into the database structure
Hashing |  weak hash algorithms such as MD5
Brute force / dictionary attack |  determined brute-force attacks cannot easily be defeated, only delayed
• 18. Authentication
Best Practices:
 Passwords are trivially broken and are unsuitable for high-value systems.
 Re-authenticate the user for high-value transactions and access to protected areas.
 Authentication is only as strong as your user management processes (how identities are issued and verified):
 o the stronger the requirement for non-repudiation, the more expensive the process.
• 19. Authentication
Passwords Best Practices:
 Train your users in suitable password construction
 Encourage users to use pass phrases instead of passwords
 Allow your users to write down their passwords as long as they keep them safe
 For passwords between 8 and 16 characters that cannot be easily cracked, suggested expiry is no less than 30 days
 Pass phrases above 16 characters probably do not need a hard expiry limit, but a gentle reminder after (say) 90 days instead
 Caveat: current guidance (NIST SP 800-63B) recommends against forcing periodic changes at all, since they push users toward predictable variations; expire a password when there is evidence it has been compromised
• 20. Authentication
Change Passwords:
 Ensure your application has a change-password function.
 Use AUTOCOMPLETE=off (or, on current browsers, autocomplete="new-password" on the new-password fields) to prevent browsers from caching the password locally.
 The form must include the old password, the new password and a confirmation of the new password.
 If the user gets the old password wrong too many times, lock the account and kill the session.
• 21. Authentication
Brute Force
 Applications should be robust in the face of determined automated brute-force and dictionary attacks, such as from Brutus or custom scripts. Determined brute-force attacks cannot easily be defeated, only delayed.
 If the application allows more than five attempts from a single IP address, or a collection rate in excess of 10 requests a second, it is likely that the application will fall to a determined brute-force attack.
• 22. Authentication
Brute Force Countermeasures
 Log failed authentication attempts
 A delay of three seconds after each failed attempt can make automated brute-force attacks almost infeasible
 Use an error message that does not disclose which part of the credentials is incorrect
 For applications requiring stronger controls, block access from abusive IP addresses (those accessing more than three accounts from the same IP address, or attempting to lock out more than one account)
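The countermeasures of slides 20 to 22 combined in one login handler, as an added example that is not code from the slides: failed attempts are logged, a failure costs a fixed delay, the error text never reveals which part was wrong, an account is locked after too many failures (the "lock the account" rule of slide 20), and an IP that probes more than three accounts is blocked. A dummy hash is verified for unknown usernames so that response time does not leak whether an account exists. The thresholds, the user table, the IP addresses and the in-memory stores are assumptions standing in for a database or cache.

```php
<?php
// Added example, not code from the slides: login throttling with logging, delay,
// generic errors, per-account lockout and per-IP blocking. All thresholds, users
// and stores are assumed values for the demo.

const MAX_FAILURES_PER_ACCOUNT = 5;
const MAX_ACCOUNTS_PER_IP      = 3;   // "more than three accounts from the same IP"
const FAILURE_DELAY_SECONDS    = 3;
const GENERIC_ERROR            = 'Invalid username or password.';

// Constructed user table: username => bcrypt hash of "S3cure!pass"
$USERS = ['alice' => password_hash('S3cure!pass', PASSWORD_BCRYPT)];
// Hash checked when the username is unknown, so that the verify step always runs
// and timing does not reveal which usernames exist.
$DUMMY_HASH = password_hash('not-a-real-password', PASSWORD_BCRYPT);

$FAILED  = [];   // username => consecutive failures
$IP_SEEN = [];   // ip => [username => true]
$LOG     = [];   // audit trail of failed attempts

function log_failure(string $ip, string $user, string $reason): void
{
    global $LOG;
    $LOG[] = sprintf('%s ip=%s user=%s reason=%s', date('c'), $ip, $user, $reason);
}

// $delay is only switched off so the demo below runs quickly; a real handler
// always pays the delay on failure.
function login_attempt(string $ip, string $user, string $pass, bool $delay = true): array
{
    global $USERS, $DUMMY_HASH, $FAILED, $IP_SEEN;

    $IP_SEEN[$ip][$user] = true;
    if (count($IP_SEEN[$ip]) > MAX_ACCOUNTS_PER_IP) {
        log_failure($ip, $user, 'ip-blocked');
        return ['ok' => false, 'error' => GENERIC_ERROR];
    }
    if (($FAILED[$user] ?? 0) >= MAX_FAILURES_PER_ACCOUNT) {
        log_failure($ip, $user, 'account-locked');
        return ['ok' => false, 'error' => GENERIC_ERROR];   // same text as a bad password
    }

    $known = isset($USERS[$user]);
    $valid = password_verify($pass, $known ? $USERS[$user] : $DUMMY_HASH);
    if (!$known || !$valid) {
        $FAILED[$user] = ($FAILED[$user] ?? 0) + 1;
        log_failure($ip, $user, 'bad-credentials');
        if ($delay) {
            sleep(FAILURE_DELAY_SECONDS);   // slows down automated guessing
        }
        return ['ok' => false, 'error' => GENERIC_ERROR];
    }

    $FAILED[$user] = 0;   // successful login resets the counter
    return ['ok' => true, 'error' => null];
}

// Demo 1: five wrong guesses lock "alice"; the correct password is then refused
// too, even from another IP. This is the lockout denial of service that
// predictable usernames make easy (slide 11).
for ($i = 1; $i <= MAX_FAILURES_PER_ACCOUNT; $i++) {
    login_attempt('203.0.113.7', 'alice', "guess$i", false);
}
var_dump(login_attempt('198.51.100.9', 'alice', 'S3cure!pass', false)['ok']);

// Demo 2: one IP probing a fourth account is blocked regardless of the passwords,
// and the caller still only sees the generic message.
foreach (['bob', 'carol', 'dave', 'erin'] as $u) {
    $r = login_attempt('192.0.2.44', $u, 'whatever', false);
}
var_dump($r['error'] === GENERIC_ERROR);

print_r($LOG);
```

Two production caveats: sleep() holds a PHP worker for the whole delay, so at scale the delay itself becomes a resource-exhaustion vector (use a short, growing back-off enforced from a shared store such as the database or a cache, keyed by account and by IP, and expire the counters after a window), and per-account lockout must be paired with the per-IP rule, otherwise the lockout is the denial of service shown in Demo 1.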
• 23. Authentication
Browser Remembers Passwords
 Modern browsers offer users the ability to manage their multitude of credentials by storing them on their computer.
 In the rendered HTML, send the following in any sensitive input fields, such as usernames, passwords, password re-validation, credit card and CVV fields, and so on:
<form … autocomplete="off">   for all form fields
<input … autocomplete="off">  for just one field
 Caveat: current browsers ignore autocomplete="off" on login username and password fields so that their password managers keep working; for a change-password form, autocomplete="new-password" on the new-password fields is honoured and prevents the stored password from being filled in.