12. Boring theory
Authentication is the process of ascertaining that somebody
really is who they claim to be.
Authorization refers to rules that determine who is allowed
to do what.
14. Authentication
In contrast with identification, the act of indicating a person or
thing's identity, authentication is the process of verifying that
identity.
15. AuthN spectrum
- Passwords
- Cookies
- Single Sign-On
- Restrict Where and When Users Can Log In
- Two-Factor Authentication
- Certificate-Based Authentication
- Network-based security
23. Single Sign-On (SSO)
- Reduces password fatigue
- Reduces IT costs
- Less time spent re-entering passwords
- Mitigates risk for access to 3rd-party sites
25. OWASP Testing Guide
1. Credentials Transported over an Encrypted Channel
2. Default credentials
3. Weak lock out mechanism
4. Bypassing Authentication Schema
5. Vulnerable Remember Password
6. Browser cache weakness
7. Weak password policy
8. Weak security question/answer
9. Weak password change or reset functionalities
10.Weaker authentication in alternative channel
26. OWASP Testing Guide
1. Credentials Transported over an Encrypted Channel
2. Default credentials Apple issue
3. Weak lock out mechanism
4. Bypassing Authentication Schema
5. Vulnerable Remember Password
6. Browser cache weakness
7. Weak password policy
8. Weak security question/answer
9. Weak password change or reset functionalities
10.Weaker authentication in alternative channel
27. Rainbow tables attack
Huge databases of precomputed hashes
User Password Password hash (SHA1)
Alice password 5baa61e4c9b93f3f0682250b6cf8331b
7ee68fd8
Bob qjnN@*)!bsk dd3fb7f5e7e0b00e0794f0c73d5f3ba5
7197be24
Carrie my_p@s$w0rd! 700c311f7fe171eca2d0bc8f1e13bfa28
8944539
James qwerty123 5cec175b165e3d5e62c9e13ce848ef6f
eac81bff
28. Useful links
OWASP cheat sheet http://bit.ly/2NuEqEq
Have I been pwned https://haveibeenpwned.com/
Great self-security checklist from Volodymyr Styran
https://github.com/sapran/dontclickshit
32. Access control mechanisms
- Attribute-based access control (ABAC)
- Role-based access control (RBAC)
- User-based access control (UBAC)
- Rule-based access control
- Time-based access control
...and a lot more
36. OAuth 2.0
It’s an authorization delegation protocol, letting someone who
controls the a recourse allow a software application to access that
resource on their behalf without impersonating them.
It enables a third-party application to obtain limited access to an
HTTP service.
37. OAuth 2.0 is
...about how to get the token and how to use the token
...replaces the password-sharing antipattern with a delegation
protocol that’s simultaneously more secure and more usable
...focused on a small set of problems and solving them well
38.
39. Tokens
Access token - indicates the rights that the client has been
delegated. Have an option to expire automatically
Refresh token - get new access token without asking for
authorization again.
42. Scopes
A set of rights at the protected resource.
Scopes always limit what an app can do
on behalf of a user
https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
47. AuthN + AuthZ = IAM
(Identity and Access
Management)
48. Access Management
Authentication
● Single Sign-On
● Session Management
● Password Service
● Strong Authentication
Authorization
● Role-Based
● Rule-Based
● Attribute-Based
● Remote Authorization
User Management
● Delegated Administration
● User and Role Management
● Provisioning
● Password Management
● Self Service
Central User Repository
● Directory
● Data Synchronization
● Meta Directory
● Virtual Directory
Identity Management
Identity and Access
Management (IAM):
Providing the right people with
the right access at the right
time
49. IAM best practices
- Immutable Private Identifiers / Mutable Public Identifiers
- Decouple Biometrics from other PII
- Externalize Access Control Rules
- Self-Expressive Credentials
- Privilege Accounts are a Different Species
https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
57. Conclusions
For better understanding dig into system
Use heuristics to remember smth
Use cheat sheets and don’t trust your memory
Update your passwords and turn on MFA today
Checksum verification is also a part of AuthN
Authentication is the act of proving an assertion, such as the identity of a computer system user.
In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
Common configurations:
Kerberos-based
Smart card based
Integrated Windows Authentication
SAML (Security Assertion Markup Language)
Single Sign-On
Network-based security limits where users can log in from, and when they can log in. This is different from user authentication, which only determines who can log in. Use network-based security to limit the window of opportunity for an attacker and to make it more difficult for an attacker to use stolen credentials.
Restrict Where and When Users Can Log InYou can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access the system.
Two-Factor AuthenticationTwo-factor authentication is the most effective way to protect your org’s user accounts.
Certificate-Based Authentication
Custom Login FlowsLogin flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow when logging in.
The knowledge factors: Something the user knows (e.g., a password, PIN)
The ownership factors: Something the user has (ID card, cell phone holding a software token)
The inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern)
BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number,
BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number,
SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has.According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker.
Advantages
No additional tokens are necessary
dynamically generated passcodes are safer to use
Depending on the solution, passcodes that have been used are automatically replaced
Disadvantages
Users may still be susceptible to phishing attacks
Mobile phone are not always available
SIM cloning gives hackers access to mobile phone connections.
Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers.
Account recovery typically bypasses mobile-phone two-factor authentication.
Modern smartphones are used both for receiving email and SMS. So if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked as the phone can receive the second factor.
Mobile carriers may charge the user for messaging fees.
BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number,
SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has.According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker.
Advantages
No additional tokens are necessary
dynamically generated passcodes are safer to use
Depending on the solution, passcodes that have been used are automatically replaced
Disadvantages
Users may still be susceptible to phishing attacks
Mobile phone are not always available
SIM cloning gives hackers access to mobile phone connections.
Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers.
Account recovery typically bypasses mobile-phone two-factor authentication.
Modern smartphones are used both for receiving email and SMS. So if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked as the phone can receive the second factor.
Mobile carriers may charge the user for messaging fees.
Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who is says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database.
SSO - log in with a single ID and password to gain access to any of several related systems
OWASP Testing guide security
Credentials Transported over an Encrypted Channel
HTTP instead of HTTPS, redirect should be set up as well
Default credentials
admin/admin for example
Weak lock out mechanism
Lock after 3-5 unsuccessful attempts; how the account could be unclocked, is captcha used etc
Bypassing Authentication Schema
For example, skip the log in page
Vulnerable Remember Password
For example, check the passwords stored in a cookie. Check hashing mechanism etc
Browser cache weakness
Any senstive data shouldn’t be cached
Weak password policy
Don’t allow ‘qwerty’
Weak security question/answer
Pre-generated standard questions are error prone and could lead to the password theft
Weak password change or reset functionalities
Can a user change the password of another user? Is the password reset page vulnerable to CSRF?
Weaker authentication in alternative channel
Alternative channels (like other sites, SSO, mobile apps) could be vulnerable
OWASP Testing guide security
Credentials Transported over an Encrypted Channel
HTTP instead of HTTPS, redirect should be set up as well
Default credentials
admin/admin for example
Weak lock out mechanism
Lock after 3-5 unsuccessful attempts; how the account could be unclocked, is captcha used etc
Bypassing Authentication Schema
For example, skip the log in page
Vulnerable Remember Password
For example, check the passwords stored in a cookie. Check hashing mechanism etc
Browser cache weakness
Any senstive data shouldn’t be cached
Weak password policy
Don’t allow ‘qwerty’
Weak security question/answer
Pre-generated standard questions are error prone and could lead to the password theft
Weak password change or reset functionalities
Can a user change the password of another user? Is the password reset page vulnerable to CSRF?
Weaker authentication in alternative channel
Alternative channels (like other sites, SSO, mobile apps) could be vulnerable
BTW, quantum computing is coming
To authorize is to define an access policy.
It’s not even a single protocol, the spec is split between multiple definitions and protocols.
OAuth is about how to get the token and how to use the token
OAuth is a delegation protocol that provides authZ across systems
OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable
OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems
It enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth is about how to get the token and how to use the token
OAuth is a delegation protocol that provides authZ across systems
OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable
OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems
Access token - an artifact issues by AuthZ server to a client that indicates the rights that the client has been delegated. Have an option to expire automatically
Refresh token (get new access token without asking for authorization again). It’s never sent to the protected resource. The client requests new access tokens without involving the resource owner. Has an ability to downgrade the scope.
Bearer token - anyone who carries the token has the right to use it.
Bearer tokens have particular security properties.OAuth tokens are opaque to the client, which means that the client has no need to look t the token itself. The client’s job is to carry the token, requesting it from te AuthZ server and presenting it to the protected resource.
The AuthZ server’s job is to issue the token. And protected resource’s job is to validate the token
Refresh token
Access token - an artifact issues by AuthZ server to a client that indicates the rights that the client has been delegated. Have an option to expire automatically
Refresh token (get new access token without asking for authorization again). It’s never sent to the protected resource. The client requests new access tokens without involving the resource owner. Has an ability to downgrade the scope.
Bearer token - anyone who carries the token has the right to use it.
Bearer tokens have particular security properties.OAuth tokens are opaque to the client, which means that the client has no need to look t the token itself. The client’s job is to carry the token, requesting it from te AuthZ server and presenting it to the protected resource.
The AuthZ server’s job is to issue the token. And protected resource’s job is to validate the token
Scopes only come into play in delegation scenarios, and always limit what an app can do on behalf of a user: a scope cannot allow an application to do more than what the user can do
A set of rights at the protected resource.
Scopes are defined by the protected resource, based on the API that it’s offering.
Client can request certain scopes, and the AuthZ server can allow the resource owner to grant or deny particular scopes to a given client during its request.
Directory traversal/file include
Read or write files that are not intended to be accessible. Try to reach the file system, check the file extensions, form params etc
Bypassing Authorization Schema
Access resources without a privilege, access resources after logout etc
Privilege escalation
Use admin privilege
Insecure Direct Object References (IDOR)
Modify a parameter and try to access an object
There are multiple components in an IAM system: provisioning (or on-boarding), accounts management, identity governance, identification (or authentication), access control (or authorization) and identity federation. IAM is a broad area, so the above components can be further divided. For example, provisioning talks about inbound/outbound provisioning of user accounts, just-in-time provisioning, approval workflows — accounts management talks about privileged accounts management, credential management, users/groups/roles management — identity governance talks about role engineering, identity analytics, segregation of duties, role consolidation, identity delegation, attestation, reporting, self-service, risk management, compliance — authentication talks about multi-factor authentication, adaptive/risk-based authentication — access control talks about access control based on attributes or roles and policies — identity federation talks about single sign on, single log out, session management, attribute sharing
Keycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services.
Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.