AuthN and AuthZ
How to stop confusing them and test effectively
Diana Pinchuk
Agenda
What’s the difference
Authentication and its spectrum
Authorization and OAuth 2.0
Identity and Access Management (IAM) and Keycloak
Conclusions and trivia quiz
About me
- Work at Very Good Security
- Organize QA Club Lviv
- Write on Medium
Why do we talk about it?
- To stop confusing them
- It’s everywhere... and probably in your product
- You were asked to test a login form at an interview
It’s about security
OWASP TOP 10 (2017)
A2:2017-Broken Authentication (AuthN)
A5:2017-Broken Access Control (AuthZ)
OWASP API Security TOP 10 (2019)
A1: Broken Object Access Level Control (AuthZ)
A2: Broken Authentication (AuthN)
Even big companies fu*k up: Apple
Even big companies fu*k up: Reddit
How to distinguish?
Authentication
(AuthN)
Is it really you?
Authorization
(AuthZ)
Who you are and
what you can do
Boring theory
Authentication is the process of ascertaining that somebody
really is who they claim to be.
Authorization refers to rules that determine who is allowed
to do what.
Authentication
(AuthN)
Authentication
In contrast with identification, the act of indicating a person or
thing's identity, authentication is the process of verifying that
identity.
AuthN spectrum
- Passwords
- Cookies
- Single Sign-On
- Restrict Where and When Users Can Log In
- Two-Factor Authentication
- Certificate-Based Authentication
- Network-based security
AuthN factors
MFA (Multi-factor authentication)
Involves two or more authentication factors
(something you know, something you have, or something you are)
MFA: phone-based methods
- Push-based
- QR code based
- One-time password (OTP)
  ○ event-based
  ○ time-based
- SMS-based verification => avoid it! (see the Reddit issue)
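An added worked example (not from the slides) of the two OTP kinds listed above: HOTP (event-based, RFC 4226) and TOTP (time-based, RFC 6238), together with the server-side acceptance rules that matter when testing them. The secret is the RFCs' published test secret; `HotpVerifier` and `verify_totp` are my own constructions, not any product's code.

```python
import hashlib
import hmac
import struct

# The reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used only because the RFCs publish the expected codes for it.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of an event-based OTP. Remembers the next expected counter so
    an accepted code can never be accepted again (replay), and tolerates a small
    look-ahead window for codes the user generated but never submitted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # move forward; every older code is now dead
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                drift_steps: int = 1, digits: int = 6) -> bool:
    """Accept the current time step plus/minus drift_steps to tolerate clock skew.
    Comparison is constant-time so a wrong guess leaks nothing through timing.
    A production verifier also records the last accepted step so one code cannot
    be reused inside the drift window."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), code):
            return True
    return False
```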
Biometric AuthN
Single Sign-On (SSO)
- Reduces password fatigue
- Reduces IT costs
- Less time spent re-entering passwords
- Mitigates risk for access to 3rd-party sites
AuthN security
OWASP Testing Guide
1. Credentials Transported over an Encrypted Channel
2. Default credentials (see the Apple issue)
3. Weak lock out mechanism
4. Bypassing Authentication Schema
5. Vulnerable Remember Password
6. Browser cache weakness
7. Weak password policy
8. Weak security question/answer
9. Weak password change or reset functionalities
10. Weaker authentication in alternative channel
Rainbow table attack
Huge databases of precomputed hashes
User     Password       Password hash (SHA1)
Alice    password       5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Bob      qjnN@*)!bsk    dd3fb7f5e7e0b00e0794f0c73d5f3ba57197be24
Carrie   my_p@s$w0rd!   700c311f7fe171eca2d0bc8f1e13bfa288944539
James    qwerty123      5cec175b165e3d5e62c9e13ce848ef6feac81bff
Useful links
OWASP cheat sheet http://bit.ly/2NuEqEq
Have I been pwned https://haveibeenpwned.com/
Great self-security checklist from Volodymyr Styran
https://github.com/sapran/dontclickshit
Authorization
(AuthZ)
Authorization
Authorization is the function of specifying access rights/
privileges to resources
Access control mechanisms
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- User-based access control (UBAC)
- Rule-based access control
- Time-based access control
...and a lot more
RBAC
OAuth 2.0
OAuth 2.0
It’s an authorization delegation protocol, letting someone who
controls a resource allow a software application to access that
resource on their behalf without impersonating them.
It enables a third-party application to obtain limited access to an
HTTP service.
OAuth 2.0 is
...about how to get the token and how to use the token
...replaces the password-sharing antipattern with a delegation
protocol that’s simultaneously more secure and more usable
...focused on a small set of problems and solving them well
Tokens
Access token - indicates the rights that the client has been
delegated. Can be set to expire automatically.
Refresh token - used to obtain a new access token without asking
the user for authorization again.
Tokens
Bearer token - anyone who carries the token has the right to use it.
Scopes
A set of rights at the protected resource.
Scopes always limit what an app can do
on behalf of a user
https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
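An added example (my own toy code, not Keycloak or any real OAuth 2.0 implementation) that ties the last three slides together: opaque bearer access tokens carrying scopes and an expiry, refresh tokens that can narrow but never widen the granted scopes and are rotated on use, and a resource server whose 401/403 answers map onto the talk's two questions (401 = no usable token, is it really you?; 403 = valid token but the scope does not allow this, what can you do?). Token formats and class names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass
class AccessToken:
    value: str               # opaque bearer string: whoever carries it can use it
    scopes: FrozenSet[str]   # the rights delegated to the client
    expires_at: float        # access tokens are short-lived


@dataclass
class RefreshToken:
    value: str
    scopes: FrozenSet[str]   # ceiling for any access token obtained with it


class AuthorizationServer:
    """Constructed toy authorization server: issues tokens and answers the
    resource server's 'is this token still good?' question."""

    def __init__(self, access_ttl: int = 3600):
        self.access_ttl = access_ttl
        self._access: Dict[str, AccessToken] = {}
        self._refresh: Dict[str, RefreshToken] = {}

    def _new_access(self, scopes: FrozenSet[str], now: float) -> AccessToken:
        tok = AccessToken(secrets.token_urlsafe(32), scopes, now + self.access_ttl)
        self._access[tok.value] = tok
        return tok

    def issue(self, granted_scopes: Iterable[str],
              now: Optional[float] = None) -> Tuple[AccessToken, RefreshToken]:
        """Called after the user consented to exactly `granted_scopes`."""
        now = time.time() if now is None else now
        scopes = frozenset(granted_scopes)
        rt = RefreshToken(secrets.token_urlsafe(32), scopes)
        self._refresh[rt.value] = rt
        return self._new_access(scopes, now), rt

    def refresh(self, refresh_value: str, requested_scopes: Optional[Iterable[str]] = None,
                now: Optional[float] = None) -> Optional[Tuple[AccessToken, RefreshToken]]:
        """New access token without asking the user again. Scopes may be narrowed
        but never widened past the original grant; the refresh token is rotated so
        a leaked copy is useless once the legitimate client has used it."""
        rt = self._refresh.get(refresh_value)
        if rt is None:
            return None
        wanted = frozenset(requested_scopes) if requested_scopes is not None else rt.scopes
        if not wanted <= rt.scopes:
            return None                   # scope escalation attempt: refuse
        now = time.time() if now is None else now
        del self._refresh[refresh_value]  # rotation: the old refresh token is dead
        new_rt = RefreshToken(secrets.token_urlsafe(32), rt.scopes)
        self._refresh[new_rt.value] = new_rt
        return self._new_access(wanted, now), new_rt

    def introspect(self, bearer: str, now: Optional[float] = None) -> Optional[AccessToken]:
        """Unknown and expired tokens look the same to the caller: not valid."""
        now = time.time() if now is None else now
        tok = self._access.get(bearer)
        if tok is None:
            return None
        if tok.expires_at <= now:
            del self._access[bearer]      # expired: forget it
            return None
        return tok


class ResourceServer:
    """Protected resource: 401 for AuthN failures, 403 for AuthZ failures."""

    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def handle(self, authorization_header: Optional[str], required_scope: str,
               now: Optional[float] = None) -> int:
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401
        tok = self.auth.introspect(authorization_header[len("Bearer "):], now)
        if tok is None:
            return 401
        if required_scope not in tok.scopes:
            return 403
        return 200
```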
AuthZ security
OWASP Testing Guide
1. Directory traversal/file include
2. Bypassing Authorization Schema
3. Privilege escalation
4. Insecure Direct Object References (IDOR)
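An added example (mine, not from the slides) of how a tester can check item 4 systematically rather than by spot-checking: a handler with the IDOR flaw beside the fixed one, an RBAC plus object-level (ownership) policy, and a helper that builds the full user-by-object access matrix and reports every pair the handler allows but the policy forbids. Users, invoices and permission names are constructed sample data.

```python
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    id: str
    role: str          # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: str


# Constructed sample data.
USERS: Dict[str, User] = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "root": User("root", "admin"),
}
INVOICES: Dict[int, Invoice] = {1: Invoice(1, "alice"), 2: Invoice(2, "bob")}

# RBAC layer: what each role may do in principle.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"invoice:read"},
    "admin": {"invoice:read", "invoice:read_any"},
}


def is_allowed(user: User, action: str, invoice: Invoice) -> bool:
    """Two checks, both required: the role check (RBAC) and the object-level
    check (does this user own THIS invoice, or hold a role that may see any)."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if action not in perms:
        return False
    if "invoice:read_any" in perms:
        return True
    return invoice.owner_id == user.id


def get_invoice_idor(user: User, invoice_id: int) -> Optional[Invoice]:
    """The IDOR 'before': the id from the request is used as-is, so any
    logged-in user can read any invoice by changing the number."""
    return INVOICES.get(invoice_id)


def get_invoice(user: User, invoice_id: int) -> Optional[Invoice]:
    """The fixed handler. 'Missing' and 'not yours' look identical to the caller,
    so the endpoint does not become an oracle for which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not is_allowed(user, "invoice:read", inv):
        return None
    return inv


Handler = Callable[[User, int], Optional[Invoice]]


def access_matrix(handler: Handler) -> Dict[Tuple[str, int], bool]:
    """Call the handler for every (user, invoice) pair and record who can read what."""
    return {(u, i): handler(USERS[u], i) is not None
            for u, i in itertools.product(USERS, INVOICES)}


def expected_matrix() -> Dict[Tuple[str, int], bool]:
    """What the policy says should happen: owners and admins only."""
    return {(u, i): USERS[u].role == "admin" or INVOICES[i].owner_id == u
            for u, i in itertools.product(USERS, INVOICES)}


def find_idor(handler: Handler) -> Set[Tuple[str, int]]:
    """Every pair the handler allows but the policy forbids; empty means clean."""
    actual, wanted = access_matrix(handler), expected_matrix()
    return {pair for pair, ok in actual.items() if ok and not wanted[pair]}
```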
Useful links
OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV
OAuth 2.0 security spec http://bit.ly/2P95zyR
IDOR testing http://bit.ly/2P95Bqt
AuthN + AuthZ = IAM
(Identity and Access
Management)
Access Management
Authentication
● Single Sign-On
● Session Management
● Password Service
● Strong Authentication
Authorization
● Role-Based
● Rule-Based
● Attribute-Based
● Remote Authorization
User Management
● Delegated Administration
● User and Role Management
● Provisioning
● Password Management
● Self Service
Central User Repository
● Directory
● Data Synchronization
● Meta Directory
● Virtual Directory
Identity Management
Identity and Access
Management (IAM):
Providing the right people with
the right access at the right
time
IAM best practices
- Immutable Private Identifiers / Mutable Public Identifiers
- Decouple Biometrics from other PII
- Externalize Access Control Rules
- Self-Expressive Credentials
- Privilege Accounts are a Different Species
https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
Practice time!
Try on your own
Keycloak
https://www.keycloak.org/docs/latest/getting_started/index.html
Conclusions
Authentication
(AuthN)
Is it really you?
Authorization
(AuthZ)
Who you are and
what you can do
Conclusions
For better understanding, dig into the system
Use heuristics to remember things
Use cheat sheets and don’t trust your memory
Update your passwords and turn on MFA today
Practice before the next
interview
Testing challenges
http://testingchallenges.thetestingmap.org/index.php
Use `big list of naughty strings`
https://github.com/minimaxir/big-list-of-naughty-strings/
Thanks!
facebook.com/qaclublviv
verygoodsecurity.com
@diana_pinchuk
@pinchuk.diana

8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 

Recently uploaded (20)

Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 

Diana Pinchuk "How to tell authorization from authentication and stop being afraid to test them"

  • 1. AuthN and AuthZ How to stop confusing them and test effectively Diana Pinchuk
  • 2. Agenda What’s the difference Authentication and its spectrum Authorization and OAuth 2.0 Identity and Access Management (IAM) and Keycloak Conclusions and trivia quiz
  • 3. Work at Very Good Security Organize QA Club Lviv Write on Medium About me
  • 4. To stop confusing it It’s everywhere... and probably in your product You were asked to test a login form at an interview Why do we talk about it?
  • 6. A2:2017-Broken Authentication (AuthN) A5:2017-Broken Access Control (AuthZ) OWASP TOP 10 (2017)
  • 7. OWASP API Security TOP 10 (2019) A1: Broken Object Access Level Control (AuthZ) A2: Broken Authentication (AuthN)
  • 8. Even big companies fu*k up: Apple
  • 9. Even big companies fu*k up: Reddit
  • 11. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
  • 12. Boring theory Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what.
  • 14. Authentication In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
  • 15. AuthN spectrum - Passwords - Cookies - Single Sign-On - Restrict Where and When Users Can Log In - Two-Factor Authentication - Certificate-Based Authentication - Network-based security
  • 17. MFA (Multi-factor authentication) Involves two or more authentication factors (something you know, something you have, or something you are)
  • 18. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) ○ event-based ○ time-based - SMS-based verification => avoid it!
  • 19. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) ○ event-based ○ time-based - SMS-based verification Reddit issue
  • 21.
  • 22.
  • 23. Single Sign-On (SSO) - Reduces password fatigue - Reduces IT costs - Less time spent re-entering passwords - Mitigates risk for access to 3rd-party sites
  • 25. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
  • 26. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials Apple issue 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
  • 27. Rainbow tables attack Huge databases of precomputed hashes. User | Password | Password hash (SHA1): Alice | password | 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8; Bob | qjnN@*)!bsk | dd3fb7f5e7e0b00e0794f0c73d5f3ba57197be24; Carrie | my_p@s$w0rd! | 700c311f7fe171eca2d0bc8f1e13bfa288944539; James | qwerty123 | 5cec175b165e3d5e62c9e13ce848ef6feac81bff
  • 28. Useful links OWASP cheat sheet http://bit.ly/2NuEqEq Have I been pwned https://haveibeenpwned.com/ Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
  • 30. Authorization Authorization is the function of specifying access rights/ privileges to resources
  • 31.
  • 32. Access control mechanisms - Attribute-based access control (ABAC) - Role-based access control (RBAC) - User-based access control (UBAC) - Rule-based access control - Time-based access control ...and a lot more
  • 33. RBAC
  • 34.
  • 36. OAuth 2.0 It’s an authorization delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service.
  • 37. OAuth 2.0 is ...about how to get the token and how to use the token ...replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable ...focused on a small set of problems and solving them well
  • 38.
  • 39. Tokens Access token - indicates the rights that the client has been delegated. Has an option to expire automatically. Refresh token - gets a new access token without asking for authorization again.
  • 40.
  • 41. Tokens Bearer token - anyone who carries the token has the right to use it.
  • 42. Scopes A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
  • 43.
  • 45. OWASP Testing Guide 1. Directory traversal/file include 2. Bypassing Authorization Schema 3. Privilege escalation 4. Insecure Direct Object References (IDOR)
  • 46. Useful links OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV OAuth 2.0 security spec http://bit.ly/2P95zyR IDOR testing http://bit.ly/2P95Bqt
  • 47. AuthN + AuthZ = IAM (Identity and Access Management)
  • 48. Access Management Authentication ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication Authorization ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization User Management ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service Central User Repository ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory Identity Management Identity and Access Management (IAM): Providing the right people with the right access at the right time
  • 49. IAM best practices - Immutable Private Identifiers / Mutable Public Identifiers - Decouple Biometrics from other PII - Externalize Access Control Rules - Self-Expressive Credentials - Privilege Accounts are a Different Species https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
  • 51. Try on your own Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
  • 52.
  • 53.
  • 55. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
  • 56.
  • 57. Conclusions For better understanding, dig into the system. Use heuristics to remember things. Use cheat sheets and don’t trust your memory. Update your passwords and turn on MFA today.
  • 58. Practice before the next interview
  • 60. Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/
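Slide 27 shows why a table of precomputed SHA-1 hashes recovers passwords: the same password always yields the same hash, so one lookup per row suffices. This added example (not from the deck) reproduces that lookup against a constructed four-word list standing in for a rainbow table, then shows the defence the OWASP cheat sheet on slide 28 points to: a random per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 here; the iteration count is an assumption matching current OWASP guidance). Alice and James from the slide's table are used as the sample users.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed wordlist standing in for a rainbow table: a real one holds billions of
# entries, but the operation is identical, a hash-to-plaintext lookup.
WORDLIST = ["password", "qwerty123", "123456", "letmein"]
PRECOMPUTED_SHA1 = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current figure for PBKDF2-HMAC-SHA256


def crack_unsalted_sha1(sha1_hex: str) -> Optional[str]:
    """One dictionary lookup recovers the password of every user who chose a listed one."""
    return PRECOMPUTED_SHA1.get(sha1_hex.lower())


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, slow hash.

    A fresh 16-byte random salt per user means two users with the same password get
    different digests, so no table can be precomputed, and the iteration count makes
    building one per salt expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Alice and James from the slide: their unsalted SHA-1 hashes fall to a lookup, the salted ones do not."""
    results = {}
    for user, pw in (("Alice", "password"), ("James", "qwerty123")):
        sha1 = hashlib.sha1(pw.encode()).hexdigest()
        salt, digest = hash_password(pw)
        results[user] = {
            "cracked_from_sha1": crack_unsalted_sha1(sha1),
            "cracked_from_pbkdf2": crack_unsalted_sha1(digest.hex()),
            "verifies": verify_password(pw, salt, digest),
        }
    return results


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, outcome)
```

The salt is stored next to the digest in plain form; its job is uniqueness, not secrecy. Bob's and Carrie's passwords on the slide are not in the constructed wordlist, which is the other half of the lesson: a table only helps against passwords someone thought to precompute.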

Editor's Notes

  1. https://www.theguardian.com/technology/2017/nov/29/macos-high-sierra-bug-apple-mac-unlock-blank-password-security-flaw
  2. Checksum verification is also a part of AuthN Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. Common configurations: Kerberos-based Smart card based Integrated Windows Authentication SAML (Security Assertion Markup Language)
  3. Single Sign-On Network-based security limits where users can log in from, and when they can log in. This is different from user authentication, which only determines who can log in. Use network-based security to limit the window of opportunity for an attacker and to make it more difficult for an attacker to use stolen credentials. Restrict Where and When Users Can Log In You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access the system. Two-Factor Authentication Two-factor authentication is the most effective way to protect your org’s user accounts. Certificate-Based Authentication Custom Login Flows Login flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow when logging in.
  4. The knowledge factors: Something the user knows (e.g., a password, PIN) The ownership factors: Something the user has (ID card, cell phone holding a software token) The inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern)
  6. BTW, SMS is not a safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number. SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has. According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker. Advantages: no additional tokens are necessary; dynamically generated passcodes are safer to use; depending on the solution, passcodes that have been used are automatically replaced. Disadvantages: users may still be susceptible to phishing attacks; mobile phones are not always available; SIM cloning gives hackers access to mobile phone connections; text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers; account recovery typically bypasses mobile-phone two-factor authentication; modern smartphones are used both for receiving email and SMS, so if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked as the phone can receive the second factor; mobile carriers may charge the user for messaging fees.
  8. Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who he says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database.
  9. SSO - log in with a single ID and password to gain access to any of several related systems
  10. OWASP Testing Guide security. Credentials Transported over an Encrypted Channel: HTTP instead of HTTPS; a redirect should be set up as well. Default credentials: admin/admin, for example. Weak lock out mechanism: lock after 3-5 unsuccessful attempts; how the account could be unlocked, whether a captcha is used, etc. Bypassing Authentication Schema: for example, skip the login page. Vulnerable Remember Password: for example, check the passwords stored in a cookie; check the hashing mechanism, etc. Browser cache weakness: any sensitive data shouldn’t be cached. Weak password policy: don’t allow ‘qwerty’. Weak security question/answer: pre-generated standard questions are error-prone and could lead to password theft. Weak password change or reset functionalities: can a user change the password of another user? Is the password reset page vulnerable to CSRF? Weaker authentication in alternative channel: alternative channels (like other sites, SSO, mobile apps) could be vulnerable.
  12. BTW, quantum computing is coming
  13. To authorize is to define an access policy.
  14. It’s not even a single protocol, the spec is split between multiple definitions and protocols. OAuth is about how to get the token and how to use the token OAuth is a delegation protocol that provides authZ across systems OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems It enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  15. OAuth is about how to get the token and how to use the token OAuth is a delegation protocol that provides authZ across systems OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems
  16. Access token - an artifact issued by the AuthZ server to a client that indicates the rights that the client has been delegated. It has an option to expire automatically. Refresh token (gets a new access token without asking for authorization again). It’s never sent to the protected resource. The client requests new access tokens without involving the resource owner. It has the ability to downgrade the scope. Bearer token - anyone who carries the token has the right to use it. Bearer tokens have particular security properties. OAuth tokens are opaque to the client, which means that the client has no need to look at the token itself. The client’s job is to carry the token, requesting it from the AuthZ server and presenting it to the protected resource. The AuthZ server’s job is to issue the token. And the protected resource’s job is to validate the token.
  17. Refresh token
  19. Scopes only come into play in delegation scenarios, and always limit what an app can do on behalf of a user: a scope cannot allow an application to do more than what the user can do A set of rights at the protected resource. Scopes are defined by the protected resource, based on the API that it’s offering. Client can request certain scopes, and the AuthZ server can allow the resource owner to grant or deny particular scopes to a given client during its request.
  20. Directory traversal/file include Read or write files that are not intended to be accessible. Try to reach the file system, check the file extensions, form params etc Bypassing Authorization Schema Access resources without a privilege, access resources after logout etc Privilege escalation Use admin privilege Insecure Direct Object References (IDOR) Modify a parameter and try to access an object
  21. There are multiple components in an IAM system: provisioning (or on-boarding), accounts management, identity governance, identification (or authentication), access control (or authorization) and identity federation. IAM is a broad area, so the above components can be further divided. For example, provisioning talks about inbound/outbound provisioning of user accounts, just-in-time provisioning, approval workflows — accounts management talks about privileged accounts management, credential management, users/groups/roles management — identity governance talks about role engineering, identity analytics, segregation of duties, role consolidation, identity delegation, attestation, reporting, self-service, risk management, compliance — authentication talks about multi-factor authentication, adaptive/risk-based authentication — access control talks about access control based on attributes or roles and policies — identity federation talks about single sign on, single log out, session management, attribute sharing
  22. Keycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services. Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.
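Slides 32 to 33 name RBAC as one access control mechanism and slide 45, with note 20, lists IDOR, bypassing the authorization schema and privilege escalation as the AuthZ tests to run. This added example (not the deck's or any project's code) puts those together in one small service with constructed data: a role table decides whether a caller may read or delete invoices at all, and an ownership check decides which invoice a customer may read. `get_invoice_idor` is the buggy version a tester is looking for on slide 45, `get_invoice` the fixed one. All names (`Invoice`, `ROLE_PERMISSIONS`, the permission strings) are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Role -> permissions. Staff get "read_any"; customers only get "read_own".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"invoice:read_any", "invoice:delete", "user:manage"},
    "accountant": {"invoice:read_any", "invoice:delete"},
    "customer": {"invoice:read_own"},
}
READ_PERMISSIONS = {"invoice:read_any", "invoice:read_own"}


@dataclass(frozen=True)
class User:
    id: str
    role: str


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: str
    total: int


# Constructed data store; sequential ids on purpose, as in many real APIs.
INVOICES: Dict[int, Invoice] = {
    101: Invoice(101, "alice", 1200),
    102: Invoice(102, "bob", 300),
}


class Forbidden(Exception):
    """Authenticated, but the role lacks the permission (HTTP 403)."""


class NotFound(Exception):
    """Object missing or not yours; one answer for both so ids cannot be enumerated (HTTP 404)."""


def permissions(user: User) -> Set[str]:
    """RBAC: permissions come from the role table, never from the request."""
    return ROLE_PERMISSIONS.get(user.role, set())


def get_invoice_idor(user: User, invoice_id: int) -> Invoice:
    """The bug: a valid session and a role check, but no check that the object belongs to the caller."""
    if not permissions(user) & READ_PERMISSIONS:
        raise Forbidden
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """The fix: the role decides whether the user may read invoices, ownership decides which."""
    perms = permissions(user)
    if not perms & READ_PERMISSIONS:
        raise Forbidden
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound
    if "invoice:read_any" in perms or invoice.owner_id == user.id:
        return invoice
    raise NotFound


def delete_invoice(user: User, invoice_id: int) -> bool:
    """Privilege escalation check: a customer cannot delete, whatever the request claims."""
    if "invoice:delete" not in permissions(user):
        raise Forbidden
    return INVOICES.pop(invoice_id, None) is not None


if __name__ == "__main__":
    bob = User("bob", "customer")
    print("IDOR version lets bob read alice's invoice:", get_invoice_idor(bob, 101))
    try:
        get_invoice(bob, 101)
    except NotFound:
        print("fixed version hides it")
```

The test on slide 45 is exactly the difference between the two functions: log in as one user, change the id in the request to another user's object, and see whether the object comes back.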
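Slides 39 to 42 and notes 16, 19 and 22 describe the division of labour in OAuth 2.0: the AuthZ server issues opaque access and refresh tokens, the client only carries them, the protected resource validates the bearer token and the scope on every request, and a refresh may narrow the granted scope but never widen it. The following is an added example, not the deck's code and not Keycloak's, that models those rules in-process with an injected clock so expiry can be exercised. Token format, the introspection dict and the `ProtectedResource.handle` status codes are assumptions made for the example; the introspection shape follows the spirit of RFC 7662.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as invalid_grant or invalid_scope."""


class AuthorizationServer:
    """Issues opaque tokens and answers introspection queries. Tokens are random strings
    looked up server-side, so the client can neither read nor forge them."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._access: Dict[str, dict] = {}
        self._refresh: Dict[str, dict] = {}

    def issue(self, client_id: str, scopes: Set[str], access_ttl: int = 3600) -> dict:
        """Called once the resource owner has approved `scopes` for `client_id`."""
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {"client_id": client_id, "scopes": set(scopes)}
        return {
            "access_token": self._new_access(client_id, scopes, access_ttl),
            "token_type": "Bearer",
            "expires_in": access_ttl,
            "refresh_token": refresh_token,
            "scope": " ".join(sorted(scopes)),
        }

    def refresh(self, refresh_token: str, client_id: str,
                scopes: Optional[Set[str]] = None, access_ttl: int = 3600) -> dict:
        """Only the client the grant was issued to may use it; scope may shrink, never grow."""
        grant = self._refresh.get(refresh_token)
        if grant is None or grant["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        wanted = grant["scopes"] if scopes is None else set(scopes)
        if not wanted <= grant["scopes"]:
            raise OAuthError("invalid_scope")
        return {
            "access_token": self._new_access(client_id, wanted, access_ttl),
            "token_type": "Bearer",
            "expires_in": access_ttl,
            "scope": " ".join(sorted(wanted)),
        }

    def introspect(self, token: str) -> dict:
        """Unknown and expired tokens both answer active=false and nothing else."""
        rec = self._access.get(token)
        if rec is None or rec["expires_at"] <= self.clock():
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scopes"]}

    def _new_access(self, client_id: str, scopes: Set[str], ttl: int) -> str:
        token = secrets.token_urlsafe(32)
        self._access[token] = {"client_id": client_id, "scopes": set(scopes),
                               "expires_at": self.clock() + ttl}
        return token


class ProtectedResource:
    """Validates the bearer token on every request and enforces the scope the endpoint needs."""

    def __init__(self, authz: AuthorizationServer):
        self.authz = authz

    def handle(self, authorization_header: Optional[str], required_scope: str) -> int:
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401  # no credentials: authentication problem
        info = self.authz.introspect(authorization_header[len("Bearer "):])
        if not info["active"]:
            return 401  # unknown or expired token
        if required_scope not in info["scope"]:
            return 403  # valid token, insufficient delegated rights: authorization problem
        return 200
```

Whether 401 or 403 comes back is the AuthN/AuthZ distinction of slide 11 in one line each: 401 means "I don't know who is asking", 403 means "I know, and the answer is no".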
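Note 10 asks the tester to check the lockout mechanism: lock after 3 to 5 unsuccessful attempts, how the account gets unlocked, and whether the login reveals which accounts exist. This added example (not from the deck) is a minimal login guard with the behaviour those checks expect: a per-account failure counter, a temporary lock so the mechanism cannot be turned into a permanent denial of service, a reset on success, and the same "invalid" answer for an unknown user and a wrong password. The credential check is injected, and the clock is injectable so the lock window can be tested; the constructed `CREDENTIALS` table in the usage section is sample data only.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success
    locked_until: float = 0  # clock value at which the lock expires


class LoginGuard:
    """Counts failed logins per account and locks the account for `lock_seconds`
    after `max_failures` consecutive failures."""

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 max_failures: int = 5, lock_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic):
        self.check_credentials = check_credentials
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        state = self._accounts.get(username)
        return state is not None and state.locked_until > self.clock()

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'invalid'.

        Unknown users are tracked like real ones, so the response does not reveal
        whether the account exists; the credential check must also take the same
        time for both cases, which is the job of the injected `check_credentials`.
        """
        state = self._accounts.setdefault(username, AccountState())
        if state.locked_until > self.clock():
            return "locked"
        if self.check_credentials(username, password):
            self._accounts.pop(username, None)  # success clears the counter
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked_until = self.clock() + self.lock_seconds
            state.failures = 0
        return "invalid"


if __name__ == "__main__":
    # Constructed sample credentials; a real store holds salted hashes, never plaintext.
    CREDENTIALS = {"alice": "correct horse battery staple"}
    guard = LoginGuard(lambda u, p: CREDENTIALS.get(u) == p, max_failures=3, lock_seconds=60)
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(attempt, "->", guard.login("alice", attempt))
```

Two things the test cases in note 10 would additionally probe and which this guard deliberately leaves to the surrounding system: a captcha or progressive delay before the hard lock, and the unlock path (time-based here; an email or admin unlock would replace `locked_until`).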