Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Similar presentations


Presentation on theme: "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP 5 ways to lose your users’ Passwords By Shalini Gupta Runa Dwibedi Paladion Networks

2 OWASP Stealing password using Browser “Refresh” Browser memory Remember feature Forget password feature SQL injection

3 OWASP Browser “Refresh” #1

4 OWASP Browser’s “Refresh” Browsers store  Headers, ‘POST’ variables sent to web server while fetching a page When a ‘Refresh’ button is clicked, the request to load the current page is re-submitted to server.

5 OWASP Pre-requisite User leaves the browser window open Adversary gets physical access to the machine.

6 OWASP Step 1: Bob logged out of the application but did not close the browser. You have been logged You have been successfully logged out.

7 OWASP Step 2: Alice gains access to his machine. She clicks ‘Back’ button on the browser till she reaches the immediate page after login

8 OWASP Step 3: Alice clicks ‘Refresh’ button to load this page

9 OWASP Step4: Alice clicks ‘Retry’ on the pop up by browser and she gets logged in as BOB

10 OWASP Step 5: Alice intercepts this request with the web proxy, she is able to see Bob’s username & password

11 OWASP Solutions Introduce an intermediate page Use salted hash technique

12 OWASP Under the hood POST Login ID+Password POST Login ID+Password BrowserServer Intercept Myhome.asp authenticates the user and is displayed to user Login.asp Myhome.asp

13 OWASP Intermediate Page Solution Redirect to Myhome.asp POST Login ID+Password Get Myhome.asp Browser Server Intercept Get Myhome.asp Authentication.asp Verify the authentication token and serve the Myhome.asp page Set an authentication token Verifies the authentication token and invalidates the request Login.asp Authenticates the user and assigns session token Myhome.asp

14 OWASP Browser Memory #2

15 OWASP Browser Memory Username and password submitted through web page are stored in the browser memory

16 OWASP Pre-requisite User leaves the browser window open after logging out. Adversary gets physical access to the machine.

17 OWASP Step 1: Bob logged out of the application but did not close the browser You have been successfully logged out.

18 OWASP Step 2: Alice views Browser memory and locates the credentials

19 OWASP Solution The variable containing the clear text password should be reset immediately after logon Use salted hash technique

20 OWASP Remember feature #3

21 OWASP Two ways Through the application “Remember my login” option  Saves a special cookie Through the built-in feature of the browser  Browser stores username-password on hard drive at particular locations

22 OWASP Pre-requisite User activates features to remember login credentials. Adversary gets physical access to the machine.

23 OWASP The Attack - App. feature Step 1: Bob logged out of application and closed the browser too. Step 2: Alice gains access to his machine. She - views cookie file in the local machine. - She uses login credentials to log into the application OR - She overwrites her authentication token with Bob’s token in her cookie file at her system.

24 OWASP The Attack – Browser feature Bob turned IE/firefox browser to save password

25 OWASP Firefox user - Bob had turned firefox browser to save password through ‘Remember passwords’

26 OWASP While logging to the application the browser prompted with a dialog to save password and Bob chose “Yes”

27 OWASP Step1: Alice gains access to his machine. She retrieves the password from the stored location. Alice clicks FireFox- Alice can view Bob’s password in clear text!

28 OWASP IE stores them encrypted… Location : HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW Alice can still retrieve Bob’s password

29 OWASP Solution For "Remember My Login" The authentication details/token should not be stored in plain text For "Remember password" Add the following code - for password field Display warning message about insecurities involved in a shared computer environment. Use workarounds For E.g. Small JavaScript snippets.

30 OWASP Forget Password Feature #4

31 OWASP The 3 ways to exploit Using Hidden Fields Using variables in URL Using Improper process

32 OWASP Hidden Fields #4.1

33 OWASP Hidden Fields Hidden Form Fields represent a convenient way to store data in the browser and are one of the most common ways of carrying data.

34 OWASP Pre-requisite Adversary knows a valid username

35 OWASP Step 1: Alice accesses the Forgot password page Hidden field populated by username paladiontest

36 OWASP Step 2: Alice sets a new password and changes the username to bob’s and clicks on Login Username in hidden field is changed from paladiontest to paladiontest1

37 OWASP Alice changed Bob’s password Your password has been changed.

38 OWASP Solution No critical data should be stored in hidden fields. The application should link the user Id to the session information of the user.

39 OWASP Variables in URL #4.2

40 OWASP Variables in URL Applications send parameters through the query string.

41 OWASP Pre-requisite Adversary knows a valid username

42 OWASP Step 1: Alice accesses the forget password page using web proxy Username in URL She inputs a new password and clicks ‘submit’

43 OWASP Step 2: Alice intercepts the request through proxy Username in request

44 OWASP Step 3: Alice changes the username to Bob Username changed to bob

45 OWASP Solution No critical data should be sent in query string. The application should link the user Id to the session information of the user.

46 OWASP Improper Processes #4.3

47 OWASP Improper Processes Different ways to implement forgot password feature Secret question User details

48 OWASP Pre-requisite Social Engineering techniques are applied

49 OWASP Step 1: Alice inputs bob’s name into the username field and clicks on the Forgot password link.

50 OWASP Step 2: Alice fills Bob’s information

51 OWASP Step 3: Alice enters the guessed answer

52 OWASP The new password

53 OWASP Solution Short lived, one time use, SSL enabled link mailed to user

54 OWASP SQL Injection #5

55 OWASP The SQL Injection A well known attack Specially crafted input manipulates SQL Query Attackers can manipulate the database

56 OWASP Step 1: Alice logs in and accesses the Change password page Enter the string test123‘;-- in the new Password field

57 OWASP The Attack The password is reset for all users. The query UPDATE SET Password = ‘test123’;--’ WHERE Username = ‘alice’ and old_Password = ‘alice123’

58 OWASP Solution Strong input validation Maintain a white list Parameterized queries Parameterized stored procedures

59 OWASP Thank You!!


Download ppt "Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation."

Similar presentations


Ads by Google