An Introduction to Web Application Security
Class 3: Authentication & Session Management
December 17th 2014
Daniel Somerfield, Lead Consulting Developer, ThoughtWorks
This Week's Agenda
December 15th: Introduction to AppSec
December 16th: Injection
December 17th: Vulnerable Authentication & Session Management
December 18th: Cross-Site Scripting
December 19th: Secure Development Process
Authentication / Authorization
Authentication: confirming identity via a password, a shared secret, or an asymmetric encryption key-pair, generally for the purpose of authorizing access to protected resources.
Authorization: once identity is established, determining whether the requester has sufficient credentials to access a resource.
Session Management
Transient state that is associated with a particular user or system, generally via cookies, but optionally with some other kind of token.
Common Authentication Vulnerabilities
Clear text credentials transmission
Passing credentials via GET
Storage of passwords in clear text
Storage of passwords as an un-salted hash
Hard-coded / default credentials
Weak password rules
Password reminders
Use of weak hashing algorithms (SHA-1, MD5)
Sidebar: Password Rules

Hardware / Software                                  Guesses / Second
4 Core Macbook Pro, Sloppy Java Implementation       1,000,000
5 Machine, 25 GPU Cluster                            180,000,000,000
NSA Cluster                                          ??????

Password Requirements                      Unique Pwds     Mac hack          Cluster Hack
5 character numeric                        100,000         0.1 seconds       0.0000005 seconds
5 character alphanumeric case sensitive    9.16 x 10^8     916 seconds       0.005 seconds
10 character alphanumeric case sensitive   8.39 x 10^17    26,000 years      54 days
10 character alphanumeric + symbols        6.65 x 10^19    2,108,170 years   11 years
Sidebar: Password Rules
What happens if you make your password rules as follows?
20 characters
At least 1 symbol, letter, and number
Rotate every month
What's the threat?
Confidentiality ✓
Integrity ✓
Availability
Sidebar: What the heck is a salt
SHA-256 hashes of passwords:
"Capt. P1card" -> ed315bd08b0d5dc3a52f6b3bb9dad6a6f0a14b8a9256861aeef031c2a93e1f33
"Capt. P1card1234" -> 6578a06d64e0c58bcb219c8a835366350f87a6d9c8fbc290e3efc17ad5dd1fce
"Capt. P1card4567" -> f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6
Sidebar: What the heck is a salt

Username   Hashed Password                                                    Salt
User1      6578a06d64e0c58bcb219c8a835366350f87a6d9c8fbc290e3efc17ad5dd1fce   1234
User2      f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6   4567
Authentication Demo
Demo pages:
http://appsec-demo.herokuapp.com/AppSecDemo/demo/
http://appsec-demo.herokuapp.com/AppSecDemo/demo/hackHash/<hash>
Source code:
https://github.com/danielsomerfield/app-sec-demo
Authentication Demo: Hashing
asdf' UNION ALL SELECT id, username, password_hash, 1, 1, 1 FROM application_user --
Authentication Demo: Hashing
https://appsec-demo.herokuapp.com/AppSecDemo/demo/hackHash/e24fa5f1901c2c38540e9adef2e3b0a1
Defending Against Authentication Vulnerabilities
Use HTTPS, people!
Use POST, and declare the HTTP method on every form rather than relying on the default
Salt and hash your passwords for storage with a strong and (yes, you heard me) slow hashing algorithm
Don't hard-code passwords in your code
If you MUST use password reminders, look for a secure second factor
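The two salt sidebars above show the idea (the same password, a different salt per user, a different stored hash), and this slide adds the second requirement: the hash must be slow. The following example is added here and is not part of the deck or of the app-sec-demo project; it uses Python's standard-library PBKDF2 as the slow algorithm and a random 16-byte salt per user (both assumptions, any modern password KDF would do). The first function reproduces the weak scheme from the sidebar so the difference is visible side by side.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256. Deliberately slow so that offline
# guessing is expensive; the value is an assumption and should be tuned upward
# as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme from the sidebar: a fast hash with no salt, so every
    user with the same password ends up with the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt and slow-hash a password for storage.

    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the verifier can recover the parameters later, which lets the iteration
    count be raised for new passwords without breaking existing ones."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt, never a shared constant
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how many
    # bytes of the candidate hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample data, reusing the deck's example password.
    pw = "Capt. P1card"
    print("unsalted, user1:", unsalted_sha256(pw))
    print("unsalted, user2:", unsalted_sha256(pw))  # identical: the leak the sidebar warns about
    record1 = hash_password(pw)
    record2 = hash_password(pw)
    print("salted, user1:  ", record1)
    print("salted, user2:  ", record2)  # different salt, different hash
    print("login ok:", verify_password(pw, record1))
    print("wrong pw:", verify_password("Capt. P1card4567", record1))
```

Note that the salt is stored next to the hash in the clear, exactly as in the sidebar's table: its job is not to be secret but to force the attacker to recompute the slow hash separately for every user.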
Authentication Demo: Default Method
Default Form Methods

<form id="login-form" action="login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <!-- More stuff here -->
</form>

<script>
$("#login-form").on("submit", function(event) {
  event.preventDefault();
  // Post to login form via AJAX. If this script never runs (blocked, broken,
  // still loading), the browser submits the form itself using the method
  // attribute above, so it must be declared as POST and not left to the default.
  $.post($(this).attr("action"), $(this).serialize());
});
</script>
Common Session Management Vulnerabilities
Exposed session IDs
Insufficiently random session IDs
Unprotected session IDs
Session fixation
Defending against Session Management Vulnerabilities
Disable URL rewriting
Use a sufficiently long random string for your session cookie value
Invalidate server session on log out
Short session timeouts
Invalidate session after state change such as login or registration
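The defenses on this slide map onto a small server-side session store, shown below as an added example that is not part of the deck or of the app-sec-demo project. The IDs come from the OS CSPRNG via Python's secrets module (256 bits of randomness), the idle timeout of 15 minutes is an assumed value, and the cookie name "sessionid" is a placeholder. The login method implements "invalidate session after state change": the pre-login ID is discarded and a fresh one issued, which is the standard defence against session fixation.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SESSION_TIMEOUT_SECONDS = 15 * 60   # short idle timeout (assumed value)
SESSION_ID_BYTES = 32               # 256 bits from the OS CSPRNG


@dataclass
class Session:
    user: Optional[str]             # None until the user authenticates
    last_seen: float
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory server-side session table keyed by opaque random IDs.

    The clock is injectable so expiry can be exercised without sleeping."""

    def __init__(self, timeout: float = SESSION_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._timeout = timeout
        self._clock = clock

    def _new_id(self) -> str:
        # Unpredictable, long, and never derived from user data or a counter.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self, user: Optional[str] = None) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session, enforcing the idle timeout on every access."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session.last_seen > self._timeout:
            self.invalidate(sid)
            return None
        session.last_seen = self._clock()
        return session

    def login(self, sid: str, user: str) -> str:
        """Authenticate the caller: throw away the pre-login ID and issue a new
        one so an ID planted before login (session fixation) is worthless."""
        old = self.get(sid)
        carried = dict(old.data) if old is not None else {}
        if old is not None:
            self.invalidate(sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock(), data=carried)
        return new_sid

    def invalidate(self, sid: str) -> None:
        """Log out: drop the server-side state, not just the client cookie."""
        self._sessions.pop(sid, None)

    def cookie_header(self, sid: str) -> str:
        # Secure keeps the ID off plain HTTP; HttpOnly keeps it away from scripts.
        return "Set-Cookie: sessionid={}; Path=/; Secure; HttpOnly; SameSite=Lax".format(sid)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    print(store.cookie_header(anon))
    authed = store.login(anon, "user1")
    print("old id still valid?", store.get(anon) is not None)   # False
    print("logged in as:", store.get(authed).user)
    store.invalidate(authed)
    print("after logout:", store.get(authed))                   # None
```

The ID only ever travels in a cookie, never in the URL, which is the "disable URL rewriting" item: an ID in the query string lands in browser history, proxy logs and Referer headers.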
Sidebar: User lockout policies
Why user lockout doesn't work and what to do about it
References
OWASP Top 10 - A2 - Broken Auth & Session Management
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
OWASP Authentication Cheat Sheet
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
OWASP Session Management Cheat Sheet
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
OWASP Password Storage Cheat Sheet
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
25-GPU cluster cracks every standard Windows password in <6 hours
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Tomorrow
December 15th: Introduction to AppSec
December 16th: Injection
December 17th: Vulnerable Authentication & Session Management
December 18th: Cross-Site Scripting
December 19th: Secure Development Process