Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

1 Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation, http://www.owasp.org. 5 ways to lose your users' Passwords. By Shalini Gupta, Runa Dwibedi, Paladion Networks.

2 Stealing passwords using:
- Browser "Refresh"
- Browser memory
- Remember feature
- Forgot password feature
- SQL injection

3 Browser "Refresh" #1

4 Browser's "Refresh". Browsers keep the headers and the 'POST' variables that were sent to the web server while fetching a page. When the 'Refresh' button is clicked, the request that loaded the current page is re-submitted to the server; if that request was a login POST, the username and password go with it.

5 Pre-requisites: The user leaves the browser window open. The adversary gets physical access to the machine.

6 Step 1: Bob logs out of the application but does not close the browser. (Screen: "You have been successfully logged out.")

7 Step 2: Alice gains access to his machine. She clicks the browser's 'Back' button until she reaches the page shown immediately after login.

8 Step 3: Alice clicks the 'Refresh' button to reload this page.

9 Step 4: Alice clicks 'Retry' on the browser's re-submit pop-up and is logged in as Bob.

10 Step 5: Alice intercepts this request with a web proxy. Because the browser re-sent the original login POST, she can read Bob's username and password in clear text.

11 Solutions: Introduce an intermediate page. Use a salted hash technique (submit a salted hash instead of the password itself, so a re-sent request does not carry the clear-text password).

12 Under the hood
Browser (Login.asp) -> Server: POST Login ID + Password to www.website.com/Myhome.asp
Myhome.asp authenticates the user and is displayed to the user.
Intercept: the request that produced Myhome.asp is the POST carrying Login ID + Password, so Refresh re-sends exactly that.

13 Intermediate Page Solution
Browser -> Server: POST Login ID + Password to Login.asp
Login.asp authenticates the user, assigns a session token and sets an authentication token.
Server -> Browser: Redirect to Myhome.asp
Browser -> Server: GET www.website.com/Myhome.asp
Authentication.asp verifies the authentication token and serves the Myhome.asp page.
Intercept: a re-sent GET Myhome.asp carries no credentials; without a valid authentication token, Authentication.asp invalidates the request.
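The flow on this slide, as an added example (not code from the presentation): the page names follow the diagram, while the in-memory user store, session table, the one-time form nonce and the dict-shaped requests that stand in for HTTP are assumptions made so the flow runs without a web server. It goes one step beyond the slide by also consuming a per-form nonce, so a replay of the captured POST fails even if a proxy still holds it.

```python
"""Post/Redirect/Get login flow with a one-time form nonce.

Added example; not the slides' code. Page names follow the slide's diagram
(Login.asp, Authentication.asp, Myhome.asp); the in-memory user store,
session table, nonce table and request/response dicts are assumptions.
"""
import hashlib
import hmac
import os
import secrets


def _pbkdf2(password, salt):
    """Server-side password storage: salted PBKDF2-HMAC-SHA256 (an assumption;
    the slides do not say how the server stores passwords)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"bob": (_SALT, _pbkdf2("bob-password", _SALT))}   # constructed account

SESSIONS = {}            # session token -> username (what Login.asp assigns)
PENDING_NONCES = set()   # one-time nonces handed out with the login form


def get_login_form():
    """GET Login.asp: the form carries a fresh nonce that the POST must echo back."""
    nonce = secrets.token_hex(16)
    PENDING_NONCES.add(nonce)
    return {"status": 200, "body": "login form", "nonce": nonce}


def post_login(form):
    """POST Login.asp: authenticate, then redirect instead of rendering Myhome.asp.
    The browser's history entry for the next page is a GET of Myhome.asp, so
    Back + Refresh re-sends no credentials; the consumed nonce additionally
    rejects a replay of the captured POST."""
    nonce = form.get("nonce")
    if nonce not in PENDING_NONCES:
        return {"status": 400, "body": "stale or replayed login form"}
    PENDING_NONCES.discard(nonce)
    record = USERS.get(form.get("username", ""))
    if record is None:
        return {"status": 401, "body": "bad credentials"}
    salt, stored = record
    if not hmac.compare_digest(stored, _pbkdf2(form.get("password", ""), salt)):
        return {"status": 401, "body": "bad credentials"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = form["username"]
    return {"status": 303, "location": "/Myhome.asp", "set_cookie": token}


def get_myhome(cookie):
    """GET Myhome.asp via Authentication.asp: served only with a live session token."""
    user = SESSIONS.get(cookie)
    if user is None:
        return {"status": 303, "location": "/Login.asp"}   # request invalidated
    return {"status": 200, "body": "Welcome " + user}


def logout(cookie):
    """Invalidate the server-side session so a later GET of Myhome.asp fails."""
    SESSIONS.pop(cookie, None)
    return {"status": 200, "body": "You have been successfully logged out."}


def demo():
    """Bob logs in and out; Alice then replays the captured login POST as Refresh would."""
    creds = {"username": "bob", "password": "bob-password",
             "nonce": get_login_form()["nonce"]}
    response = post_login(creds)
    cookie = response["set_cookie"]
    while_logged_in = get_myhome(cookie)["status"]    # 200
    logout(cookie)
    after_logout = get_myhome(cookie)["status"]       # 303 back to Login.asp
    replayed_post = post_login(creds)["status"]       # 400: nonce already used
    return response["status"], while_logged_in, after_logout, replayed_post


if __name__ == "__main__":
    print(demo())   # (303, 200, 303, 400)
```

The 303 after a successful POST is the whole point of the intermediate page: the browser records the GET of Myhome.asp in its history, not the credential-bearing POST, so Back and Refresh have nothing sensitive to re-send.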

14 Browser Memory #2

15 Browser Memory: The username and password submitted through a web page are kept in the browser's memory.

16 Pre-requisites: The user leaves the browser window open after logging out. The adversary gets physical access to the machine.

17 Step 1: Bob logs out of the application but does not close the browser. (Screen: "You have been successfully logged out.")

18 Step 2: Alice views the browser's memory and locates the credentials.

19 Solution: The variable containing the clear-text password should be reset immediately after logon. Use a salted hash technique.

20 Remember feature #3

21 Two ways:
- Through the application's "Remember my login" option, which saves a special cookie.
- Through the built-in feature of the browser, which stores the username and password on the hard drive at particular locations.

22 Pre-requisites: The user activates a feature that remembers login credentials. The adversary gets physical access to the machine.

23 The Attack - Application feature. Step 1: Bob logs out of the application and closes the browser too. Step 2: Alice gains access to his machine. She views the cookie file on the local machine and either uses the login credentials in it to log into the application, or overwrites her own authentication token with Bob's token in the cookie file on her system.

24 The Attack - Browser feature. Bob has set his IE/Firefox browser to save passwords.

25 Firefox user: Bob had turned on Firefox's 'Remember passwords' option.

26 While logging into the application the browser prompted with a dialog asking whether to save the password, and Bob chose "Yes".

27 Step 1: Alice gains access to his machine and retrieves the password from the stored location. Through Firefox's saved-passwords dialog, Alice can view Bob's password in clear text!

28 IE stores them encrypted... Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW. Alice can still retrieve Bob's password.

29 Solution.
For "Remember My Login": the authentication details/token should not be stored in plain text (in particular, never the username and password themselves).
For "Remember password": add the code for the password field that stops the browser from offering to save it; display a warning message about the insecurities involved in a shared computer environment; use workarounds, e.g. small JavaScript snippets.
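A "Remember my login" token built so that the cookie file Alice copies from Bob's machine contains neither his username nor his password, as an added example (not the presentation's code). It uses the selector/validator split: the cookie holds two random strings, the server keeps only the selector, a SHA-256 digest of the validator, the owning user and an expiry. The table layout, the 30-day lifetime and the cookie format are assumptions. (For the browser's own "Remember password" feature, the slide's elided snippet is conventionally the `autocomplete="off"` attribute on the password input; note that current browsers largely ignore it for login fields, which is why the warning message on the slide still matters.)

```python
"""'Remember my login' cookie that carries neither username nor password.

Added example; not the slides' code. Table layout, 30-day lifetime and the
"selector:validator" cookie format are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 30 * 24 * 3600
REMEMBER_TOKENS = {}   # selector -> (username, sha256(validator), expires_at)


def _digest(validator):
    return hashlib.sha256(validator.encode()).digest()


def issue_remember_cookie(username, now=None):
    """Return the cookie value to set. Only hashed material stays on the server,
    so a stolen database copy cannot be turned into valid cookies, and the
    cookie itself never contains the credentials, so a copied cookie file
    reveals no password."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = (username, _digest(validator), now + TTL_SECONDS)
    return selector + ":" + validator


def redeem_remember_cookie(cookie, now=None):
    """Return (username, replacement_cookie) or None. Each cookie is single use
    and rotated on success: a copy taken from Bob's machine still works once,
    but Bob's own next visit then fails, which exposes the theft instead of
    leaving a silently shared credential."""
    now = time.time() if now is None else now
    selector, sep, validator = cookie.partition(":")
    record = REMEMBER_TOKENS.get(selector) if sep else None
    if record is None:
        return None
    username, expected, expires_at = record
    if now > expires_at or not hmac.compare_digest(expected, _digest(validator)):
        return None
    del REMEMBER_TOKENS[selector]
    return username, issue_remember_cookie(username, now)


def revoke_remember_cookies(username):
    """On logout or password change, drop every outstanding token for the user,
    so a cookie copied earlier stops working. Returns how many were revoked."""
    stale = [s for s, (u, _, _) in REMEMBER_TOKENS.items() if u == username]
    for s in stale:
        del REMEMBER_TOKENS[s]
    return len(stale)
```

Revocation on logout is what turns the slide's attack from "works indefinitely" into "works only until Bob logs out or changes his password"; physical access to a cookie file that holds a live token can never be fully neutralised by encoding alone.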

30 Forgot Password Feature #4

31 The 3 ways to exploit it:
- Using hidden fields
- Using variables in the URL
- Using an improper process

32 Hidden Fields #4.1

33 Hidden Fields: Hidden form fields are a convenient way to store data in the browser and one of the most common ways of carrying data between requests. They are, however, fully under the user's control: anyone with a proxy or a page editor can change them before the form is submitted.

34 Pre-requisite: The adversary knows a valid username.

35 Step 1: Alice accesses the Forgot password page. A hidden field is populated with her username, paladiontest.

36 Step 2: Alice enters a new password, changes the username in the hidden field from paladiontest to paladiontest1 (Bob's account) and clicks Login.

37 Alice has changed Bob's password. (Screen: "Your password has been changed.")

38 Solution: No critical data should be stored in hidden fields. The application should link the user ID to the user's session information.

39 Variables in URL #4.2

40 Variables in URL: Applications send parameters through the query string, which the user can edit as freely as a hidden field.

41 Pre-requisite: The adversary knows a valid username.

42 Step 1: Alice accesses the forgot password page through a web proxy; the username is in the URL. She inputs a new password and clicks 'Submit'.

43 Step 2: Alice intercepts the request in the proxy; the username is in the request.

44 Step 3: Alice changes the username in the request to bob and forwards it.

45 Solution: No critical data should be sent in the query string. The application should link the user ID to the user's session information.
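What "link the user ID to the session" means in code, for both #4.1 and #4.2, as an added example (not the presentation's code): the vulnerable handler takes the account from a request parameter, exactly as a hidden field or query-string value would be read; the hardened one takes it from state the server recorded in the session. The user store, the session table, the dict-shaped requests and the constructed accounts are assumptions, and `start_forgot_password` stands for whatever identity check the application performs before showing the new-password form, which the slides do not specify.

```python
"""Password-change step: account identity from the request vs. from the session.

Added example; not the slides' code. User store, session table and request
dicts are constructed; start_forgot_password stands in for the application's
own identity check, which the slides do not describe.
"""
import hashlib
import hmac
import os
import secrets


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _store(password):
    salt = os.urandom(16)
    return salt, _pbkdf2(password, salt)


# Constructed accounts: Alice is paladiontest, Bob is paladiontest1 (as on slide 36).
USERS = {"paladiontest": _store("alice123"), "paladiontest1": _store("bob123")}
SESSIONS = {}   # session id -> {"reset_user": username} after the identity step


def new_session():
    return secrets.token_urlsafe(16)


def check_password(username, password):
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _pbkdf2(password, salt))


def set_password_vulnerable(params):
    """Slides 36 and 44: the account to reset is read from the request itself
    (hidden field or URL parameter). Whoever edits that parameter picks the victim."""
    username = params.get("username")
    if username not in USERS:
        return None
    USERS[username] = _store(params["new_password"])
    return username


def start_forgot_password(session_id, username):
    """Runs after the application's identity check. Records on the server which
    single account this session is entitled to reset."""
    if username not in USERS:
        return False
    SESSIONS[session_id] = {"reset_user": username}
    return True


def set_password(session_id, params):
    """Hardened: the account comes from the session; any 'username' in the form
    or URL is ignored. The entitlement is consumed on use, so the form cannot
    be replayed to reset the same account twice."""
    state = SESSIONS.get(session_id)
    if not state or "reset_user" not in state:
        return None
    username = state.pop("reset_user")
    USERS[username] = _store(params["new_password"])
    return username
```

The test for any such form is mechanical: change the identity-bearing parameter to another valid account and see whose password changes. With the hardened handler the parameter is simply not read.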

46 Improper Processes #4.3

47 Improper Processes: Different ways to implement a forgot password feature:
- Secret question
- User details

48 Pre-requisite: Social engineering techniques are applied to learn the victim's details.

49 Step 1: Alice inputs Bob's name into the username field and clicks on the Forgot password link.

50 Step 2: Alice fills in Bob's information.

51 Step 3: Alice enters the guessed answer to the secret question.

52 The new password is shown on screen to Alice.

53 Solution: A short-lived, one-time-use, SSL-enabled link mailed to the user.
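The reset link the slide recommends, as an added example (not the presentation's code). The reset URL and its `token` parameter name, the 15-minute lifetime, the constructed account, and storing tokens only as SHA-256 digests are assumptions; sending the e-mail is represented by returning the link. Because the account is derived from the token on the server, no username travels in a hidden field or URL, and nothing is displayed to whoever fills the form.

```python
"""Short-lived, one-time password-reset link delivered out of band.

Added example; not the slides' code. Assumed: the https reset URL and its
'token' parameter, a 15-minute lifetime, tokens stored only as SHA-256
digests, and a constructed account. "Mailing" the link = returning it.
"""
import hashlib
import hmac
import os
import secrets
import time

RESET_TTL = 15 * 60
RESET_TOKENS = {}    # sha256(token) -> (username, expires_at)


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"bob": (_SALT, _pbkdf2("bob123", _SALT))}   # constructed account


def request_reset(username, now=None):
    """Step 1: the user supplies only the username. No secret question, no
    personal details, nothing about the account shown on screen. Returns the
    link (here) or None for an unknown user; a real handler renders the same
    page in both cases so the form cannot be used to enumerate accounts."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)           # 256 bits: not guessable
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (username, now + RESET_TTL)
    return "https://www.website.com/Reset.asp?token=" + token   # hypothetical URL


def complete_reset(token, new_password, now=None):
    """Step 2: the account is derived from the token, never from a submitted
    username. The record is popped before any check, so the token is dead
    after one use whether the attempt succeeds, fails or arrives late.
    (Looking the digest up in a dict is fine: an attacker would need the
    preimage of a random 256-bit token, not a timing side channel on it.)"""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if record is None:
        return None
    username, expires_at = record
    if now > expires_at:
        return None
    salt = os.urandom(16)
    USERS[username] = (salt, _pbkdf2(new_password, salt))
    return username


def check_password(username, password):
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _pbkdf2(password, salt))
```

Hashing the stored token means a read of the reset table (via the SQL injection in #5, for instance) yields nothing that can be pasted into a URL; the lifetime bounds how long a mailbox compromise stays useful.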

54 SQL Injection #5

55 SQL Injection: A well-known attack. Specially crafted input manipulates the SQL query. Attackers can manipulate the database.

56 Step 1: Alice logs in and accesses the Change password page. She enters the string test123';-- in the new Password field.

57 The Attack: The password is reset for all users. The query becomes
UPDATE SET Password = 'test123';--' WHERE Username = 'alice' and old_Password = 'alice123'
The injected quote closes the string, the semicolon ends the statement and -- turns the rest of the line into a comment, so the UPDATE runs with no WHERE clause and hits every row.

58 Solution:
- Strong input validation
- Maintain a white list
- Parameterized queries
- Parameterized stored procedures
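The change-password query from slide 57 in its concatenated and parameterized forms, run against an in-memory SQLite table, as an added example (not the presentation's code). The table and column names are assumptions; passwords are kept in clear text only so the table matches the shape of the slide's query (real storage is a salted hash, as in the earlier examples); `executescript()` is used for the vulnerable path to mimic the stacked-query behaviour of the slide's database driver, where `;` ends one statement and `--` comments out the rest. The allow-list from the slide is applied to the username, the one input that is an identifier; the password is protected by binding alone, since restricting password characters would only weaken passwords.

```python
"""Change-password query: string concatenation versus bound parameters (sqlite3).

Added example; not the slides' code. Table/column names are assumptions and
passwords are clear text only to match the slide's query shape.
executescript() mimics a driver that accepts stacked statements.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # allow-list for the identifier


def setup():
    """Constructed table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice123"), ("bob", "bob123")])
    conn.commit()
    return conn


def passwords(conn):
    return dict(conn.execute("SELECT username, password FROM users ORDER BY username"))


def change_password_vulnerable(conn, username, old_password, new_password):
    """Slides 56/57: the new password is pasted into the SQL text. With
    new_password = "test123';--" the text becomes
    UPDATE users SET password = 'test123';--' WHERE ...
    and the UPDATE, now without a WHERE clause, rewrites every row."""
    sql = ("UPDATE users SET password = '" + new_password + "' "
           "WHERE username = '" + username + "' AND password = '" + old_password + "'")
    conn.executescript(sql)
    return sql


def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def change_password_safe(conn, username, old_password, new_password):
    """Parameterized: every user-supplied value is bound, so quotes, ';' and
    '--' arrive as data. The username must also pass the allow-list. Returns
    the number of rows changed: 1 on success, 0 for a wrong old password or
    an unknown user."""
    if not valid_username(username):
        return 0
    cur = conn.execute(
        "UPDATE users SET password = ? WHERE username = ? AND password = ?",
        (new_password, username, old_password))
    conn.commit()
    return cur.rowcount
```

Note that the safe version stores the literal string `test123';--` as Alice's password and touches nobody else's row: binding makes the payload inert without having to guess which characters are dangerous.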

59 Thank You!!

