An Introduction to Web Application Security


An Introduction to Web Application Security
Class 3: Authentication & Session Management
December 17th 2014
Daniel Somerfield, Lead Consulting Developer, ThoughtWorks

This Week's Agenda
- December 15th: Introduction to AppSec
- December 16th: Injection
- December 17th: Vulnerable Authentication & Session Management
- December 18th: Cross-Site Scripting
- December 19th: Secure Development Process

Authentication / Authorization
Authentication: confirming identity via a password, a shared secret, or an asymmetric key pair, generally for the purpose of authorizing access to protected resources.
Authorization: once identity is established, determining whether the requestor has sufficient privileges to access a resource.

Session Management
Transient state that is associated with a particular user or system, generally via cookies, but optionally with some other kind of token.

Common Authentication Vulnerabilities
- Clear-text credential transmission
- Passing credentials via GET
- Storage of passwords in clear text
- Storage of passwords as unsalted hashes
- Hard-coded / default credentials
- Weak password rules
- Password reminders
- Use of weak hashing algorithms (SHA-1, MD5)

Sidebar: Password Rules

Hardware / Software                                 Guesses / Second
4 Core Macbook Pro, Sloppy Java Implementation      1,000,000
5 Machine, 25 GPU Cluster                           180,000,000,000
NSA Cluster                                         ??????

Password Requirements                       Unique Pwds     Mac hack           Cluster Hack
5 character numeric                         100,000         0.1 seconds        0.0000005 seconds
5 character alphanumeric case sensitive     9.16 x 10^8     916 seconds        0.005 seconds
10 character alphanumeric case sensitive    8.39 x 10^17    26,000 years       54 days
10 character alphanumeric + symbols         6.65 x 10^19    2,108,170 years    11 years

Sidebar: Password Rules
What happens if you make your password rules as follows?
- 20 characters
- At least 1 symbol, letter, and number
- Rotate every month
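The two password-rules slides above reduce to one formula: worst-case search time is keyspace size divided by guess rate. The following is an added example (not part of the original slides) that reproduces the table from the guess rates quoted on the slide and extends it to the 20-character policy asked about; the character-set sizes (10 digits, 62 case-sensitive alphanumerics, 96 = 62 + 34 printable symbols, which matches the slide's 6.65 x 10^19 for 10 characters) and all function names are my assumptions.

```python
# Added example, not from the slides: brute-force search time as
# keyspace / guess rate, reproducing the "Password Rules" table and
# extending it to the 20-character policy asked about on the next slide.
# Guess rates are the slide's; charset sizes are assumptions (96 = 62
# alphanumerics + 34 printable symbols, matching the slide's 6.65 x 10^19).
YEAR_SECONDS = 365 * 24 * 3600
LAPTOP_RATE = 1_000_000             # "4 core MacBook Pro, sloppy Java implementation"
GPU_CLUSTER_RATE = 180_000_000_000  # "5 machine, 25 GPU cluster"
CHARSET_SIZES = {"numeric": 10, "alnum": 62, "alnum+symbols": 96}


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords a policy allows: charset size ** length."""
    return CHARSET_SIZES[charset] ** length


def seconds_to_exhaust(charset: str, length: int, rate: float) -> float:
    """Worst-case time to enumerate the whole keyspace at `rate` guesses/second."""
    return keyspace(charset, length) / rate


def human(seconds: float) -> str:
    """Rough human-readable duration in the units the slide uses."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < YEAR_SECONDS:
        return f"{seconds / 86400:.3g} days"
    return f"{seconds / YEAR_SECONDS:.3g} years"


def crack_table(policies, rates=(("Mac hack", LAPTOP_RATE),
                                 ("Cluster hack", GPU_CLUSTER_RATE))):
    """One row (label, keyspace, {rate label: seconds}) per policy."""
    rows = []
    for label, charset, length in policies:
        rows.append((label, keyspace(charset, length),
                     {name: seconds_to_exhaust(charset, length, r) for name, r in rates}))
    return rows


# The four rows of the slide's table plus the next slide's 20-character policy.
SLIDE_POLICIES = [
    ("5 character numeric", "numeric", 5),
    ("5 character alphanumeric case sensitive", "alnum", 5),
    ("10 character alphanumeric case sensitive", "alnum", 10),
    ("10 character alphanumeric + symbols", "alnum+symbols", 10),
    ("20 character alphanumeric + symbols", "alnum+symbols", 20),
]

if __name__ == "__main__":
    for label, size, times in crack_table(SLIDE_POLICIES):
        cells = "  ".join(f"{name}: {human(secs)}" for name, secs in times.items())
        print(f"{label:42} {size:.3g}  {cells}")
```

The numbers match the slide to the precision it prints, and the 20-character row comes out at more than 10^20 years even on the GPU cluster. That is exhaustive search only: it says nothing about a password that is in a wordlist, which is why the next slide's question is about what users actually do under such a policy rather than about the arithmetic.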

What's the threat?
Confidentiality ✓
Integrity ✓
Availability

Sidebar: What the heck is a salt
SHA-256 hashes of passwords:
"Capt. P1card"     -> ed315bd08b0d5dc3a52f6b3bb9dad6a6f0a14b8a9256861aeef031c2a93e1f33
"Capt. P1card1234" -> 6578a06d64e0c58bcb219c8a835366350f87a6d9c8fbc290e3efc17ad5dd1fce
"Capt. P1card4567" -> f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6

Sidebar: What the heck is a salt

Username   Hashed Password                                                    Salt
User1      6578a06d64e0c58bcb219c8a835366350f87a6d9c8fbc290e3efc17ad5dd1fce   1234
User2      f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6   4567

Authentication Demo
Demo pages:
http://appsec-demo.herokuapp.com/AppSecDemo/demo/
http://appsec-demo.herokuapp.com/AppSecDemo/demo/hackHash/<hash>
Source code:
https://github.com/danielsomerfield/app-sec-demo

Authentication Demo: Hashing
asdf' UNION ALL SELECT id, username, password_hash, 1, 1, 1 FROM application_user --

Authentication Demo: Hashing
https://appsec-demo.herokuapp.com/AppSecDemo/demo/hackHash/e24fa5f1901c2c38540e9adef2e3b0a1

Defending Against Authentication Vulnerabilities
- Use HTTPS, people!
- Use POST, and set an explicit default method on forms
- Salt and hash your passwords for storage with a strong and (yes, you heard me) slow hashing algorithm
- Don't hard-code passwords in your code
- If you MUST use password reminders, look for a secure second factor

Authentication Demo: Default Method

Default Form Methods

<form id="login-form" action="login" method="post">
    <input type="text" name="username" ...>
    <!-- More stuff here -->
</form>

$("#login-form").on("submit", function() {
    // Post to login form...
});

Common Session Management Vulnerabilities
- Exposed session IDs
- Insufficiently random session IDs
- Unprotected session IDs
- Session fixation

Defending against Session Management Vulnerabilities
- Disable URL rewriting
- Use a sufficiently long random string for your session cookie value
- Invalidate the server session on log out
- Short session timeouts
- Invalidate the session after a state change such as login or registration
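The session-management defences listed above, put together in one place: the following is an added example of mine, not code from the slides or the app-sec-demo project. It is a minimal in-memory session store that issues 256-bit random IDs from the OS CSPRNG, expires idle sessions, drops the session server-side on logout, and issues a fresh ID on login so an ID planted before authentication (session fixation) never becomes an authenticated one; `session_cookie` keeps the ID in a cookie only (no URL rewriting). The cookie name, idle timeout, and the whole API are my assumptions.

```python
# Added example, not from the slides or the app-sec-demo project: an
# in-memory session store applying the defences on the slide. The cookie
# name, the idle timeout and the API shape are assumptions.
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0, now=time.time):
        self._sessions = {}          # session id -> {"user": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout
        self._now = now              # injectable clock, so timeouts can be tested

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG = 256 bits of entropy; never a counter,
        # a timestamp, or anything else a client could predict.
        return secrets.token_urlsafe(32)

    def create(self, user=None) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def get(self, sid):
        """Look up a session, expiring it if idle for longer than idle_timeout."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last_seen"] > self.idle_timeout:
            self.invalidate(sid)
            return None
        session["last_seen"] = self._now()
        return session

    def login(self, sid, user) -> str:
        """State change: retire the pre-login id and issue a fresh one, so an id
        fixed on the client before authentication is never the authenticated id."""
        self.invalidate(sid)
        return self.create(user)

    def invalidate(self, sid) -> None:
        """Server-side logout; clearing the cookie in the browser alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str, secure: bool = True) -> str:
    """Set-Cookie value: the id travels only in a cookie (no URL rewriting),
    is hidden from script (HttpOnly) and, over HTTPS, never sent in clear (Secure)."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "SESSIONID=" + sid + "; " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore(idle_timeout=900)
    anonymous = store.create()              # issued on first visit
    authenticated = store.login(anonymous, "user1")
    print(session_cookie(authenticated))
    print("old id still valid:", store.get(anonymous) is not None)   # False
```

The injectable clock is there so the timeout path can be exercised deterministically; a production store would also bound the number of concurrent sessions per user and persist to something shared across web nodes.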

Sidebar: User lockout policies
Why user lockout doesn't work and what to do about it

References
- OWASP Top 10 - A2 - Broken Auth & Session Management: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
- OWASP Authentication Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet
- OWASP Session Management Cheat Sheet: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
- OWASP Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
- 25-GPU cluster cracks every standard Windows password in <6 hours: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Tomorrow
- December 15th: Introduction to AppSec
- December 16th: Injection
- December 17th: Vulnerable Authentication & Session Management
- December 18th: Cross-Site Scripting
- December 19th: Secure Development Process