ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Authentication is Everywhere Probably the simplest security mechanism within web applications Front line of defense against malicious attacks Widely used technology: HTML forms-based authentication You probably use it every day (username + password)

Other Authentication Technologies Multi-factor mechanisms Client SSL certificates and/or smartcards HTTP basic and digest authentication Windows-integrated authentication Authentication services

It Could Be the Achilles’ Heel As Well You think your password is strong enough? You think using HTTPS to transmit your login information is secure enough? Probably NOT! Authentication may be the weakest link in the whole application

Two Major Classes of Authentication Flaws Design flaws: authentication functionality is subject to more design weaknesses than any other security mechanism employed in web applications Implementation flaws: even a well-designed authentication mechanism may be highly insecure because of mistakes made in its implementation

Design Flaws Things you might not think of as vulnerabilities: Verbose failure messages (give attackers lots of information to collect) Vulnerable transmission of credentials Password change functionality Forgotten password functionality Incomplete validation of credentials

Verbose Failure Messages Error messages can carry a lot of information for attackers to harvest, e.g. a login failure that says whether it was the username or the password that was wrong lets an attacker enumerate valid usernames

Verbose Failure Messages This vulnerability can appear in more subtle ways The visible error message may be the same for valid and invalid usernames, but there may still be differences hidden in the HTML source (comments, layout differences, etc.)

Verbose Failure Messages What if the sources are also identical? The vulnerability may still be there: a difference in response time between valid and invalid usernames (for example, because the password hash is only computed when the username exists)
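The three slides above describe one technique: compare a candidate username's failed-login response with a baseline response for a username that certainly does not exist, looking at the full body (not just the visible text) and at the response time. The following is an added example, not code from the slides or the book: it builds a constructed in-process login function with both leaks (a hidden HTML comment that differs per case, and a password hash that is only computed for known users), a hardened version that returns the same body and does the same amount of work in every case, and an enumerator that flags candidates whose response differs from the baseline in body or in timing. The user store, passwords, PBKDF2 parameters and the 10x timing ratio are all assumptions made for the demo.

```python
import hashlib
import os
import secrets
import time
from typing import Callable, Dict, List, Tuple

# Constructed demo user store (not real accounts): username -> (salt, PBKDF2 hash).
_ITERATIONS = 50_000  # assumption: enough work to make the timing leak obvious


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _pbkdf2(pw, salt))
    return store


USERS = _make_store({"alice": "correct horse", "bob": "hunter2"})

# Dummy credential so the hardened path hashes even for unknown usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("not-a-real-password", _DUMMY_SALT)


def vulnerable_login(username: str, password: str) -> str:
    """Two leaks: unknown users skip the slow hash (timing), and the failure
    page embeds a different HTML comment for each case (source differs)."""
    if username not in USERS:
        return "<p>Login failed</p><!-- err=no_such_user -->"
    salt, digest = USERS[username]
    if secrets.compare_digest(_pbkdf2(password, salt), digest):
        return "<p>Welcome</p>"
    return "<p>Login failed</p><!-- err=bad_password -->"


def hardened_login(username: str, password: str) -> str:
    """Same body and same hashing cost whether or not the username exists."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = secrets.compare_digest(_pbkdf2(password, salt), digest)
    if ok and username in USERS:
        return "<p>Welcome</p>"
    return "<p>Login failed</p>"


def _timed(login: Callable[[str, str], str], username: str, samples: int = 5):
    """Median of several samples to damp scheduler noise; returns (body, seconds)."""
    times = []
    body = None
    for _ in range(samples):
        start = time.perf_counter()
        body = login(username, "definitely-wrong-password")
        times.append(time.perf_counter() - start)
    times.sort()
    return body, times[len(times) // 2]


def enumerate_users(login: Callable[[str, str], str], candidates: List[str],
                    ratio: float = 10.0) -> Dict[str, List[str]]:
    """Flag candidates whose failed-login response differs from a baseline
    (a random, certainly-invalid username) in raw body or in response time."""
    baseline_name = "nouser-" + secrets.token_hex(8)
    baseline_body, baseline_t = _timed(login, baseline_name)
    findings: Dict[str, List[str]] = {}
    for name in candidates:
        body, t = _timed(login, name)
        reasons = []
        if body != baseline_body:
            reasons.append("body differs from baseline")
        if t > ratio * baseline_t:
            reasons.append("response slower than baseline")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(fn.__name__, enumerate_users(fn, ["alice", "bob", "carol"]))
```

Against a real target the same comparison is done over HTTP responses (status, length, headers, body) with Burp Intruder or a short script; comparing the raw body rather than the rendered text is what catches the hidden-comment case, and taking a median of several requests is what makes the timing check usable over a network.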

Vulnerable Transmission of Credentials We all know HTTPS should be used. But from which stage should it be used? Only when the login form is submitted, or already when the login page is loaded? You cannot trust a login page loaded over HTTP, since you cannot verify its authenticity: an attacker in the path can modify it so that the form submits the credentials elsewhere

Password Change Functionality This function is needed so users can periodically change their passwords Still, it is often vulnerable by design It may return a verbose error message indicating whether the requested username is valid It may allow unrestricted guesses at the “existing password” field

Forgotten Password Functionality Like the change-password function, this function is needed However, it is often the weakest link at which to attack the overall authentication logic

Forgotten Password Functionality Users are inclined to set extremely insecure challenges, on the false assumption that only they will ever be presented with them Example: “Do I own a boat?” The attacker now has a 50% chance of guessing correctly (only two possible answers: yes or no) Some applications disclose the existing, forgotten password to the user after successful completion of the challenge

Forgotten Password Functionality Some applications immediately drop the user into an authenticated session after successful completion of the challenge Some send a unique recovery URL to an e-mail address specified by the user at the time the challenge is completed, rather than to the address on file Some allow users (attackers) to reset the password directly after completing the challenge, without sending any notification to the real user

Incomplete Validation of Credentials Believe it or not, some applications truncate passwords and so only validate the first few characters Some strip out unusual characters Some perform a case-insensitive check of the password Each of these reduces by an order of magnitude the number of distinct passwords in the pool of possible passwords
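The way to test for this in practice is to register (or control) an account, then log in with deliberately altered copies of the known password and see which the application still accepts. This is an added example, not code from the slides or the book: the constructed `vulnerable_login` has all three defects from the slide (strips non-alphanumerics, compares case-insensitively, truncates to 8 characters), `hardened_login` compares the full raw password in constant time, and `probe_validation` runs the altered-password checks against either. The account, password and 8-character truncation length are assumptions made for the demo.

```python
import re
import secrets
from typing import Callable, List

# Constructed demo account; not real credentials.
REGISTERED = {"alice": "Tr0ub4dor&3-Correct"}

TRUNCATE_AT = 8  # assumption: the vulnerable validator keeps only this many chars


def _canonicalise(password: str) -> str:
    """The lossy normalisation a defective validator applies before comparing."""
    stripped = re.sub(r"[^A-Za-z0-9]", "", password)  # drop 'unusual' characters
    return stripped.lower()[:TRUNCATE_AT]             # case-fold, then truncate


def vulnerable_login(username: str, password: str) -> bool:
    stored = REGISTERED.get(username)
    if stored is None:
        return False
    return _canonicalise(password) == _canonicalise(stored)


def hardened_login(username: str, password: str) -> bool:
    """Full-length, case-sensitive, constant-time comparison of the raw password
    (a real application compares password hashes; plaintext is used here only
    to keep the demo self-contained)."""
    stored = REGISTERED.get(username)
    if stored is None:
        return False
    return secrets.compare_digest(password.encode(), stored.encode())


def probe_validation(login: Callable[[str, str], bool],
                     username: str, password: str) -> List[str]:
    """Log in with altered copies of a known-good password and report which
    alterations the application still accepts."""
    if not login(username, password):
        raise ValueError("baseline login with the real password must succeed")
    variants = {
        # keep the first TRUNCATE_AT chars, replace the rest with garbage
        "truncation": password[:TRUNCATE_AT] + "X" * (len(password) - TRUNCATE_AT),
        "case-insensitive": password.swapcase(),
        "special chars stripped": re.sub(r"[^A-Za-z0-9]", "", password),
    }
    return [name for name, altered in variants.items()
            if altered != password and login(username, altered)]


if __name__ == "__main__":
    for fn in (vulnerable_login, hardened_login):
        print(fn.__name__, probe_validation(fn, "alice", REGISTERED["alice"]))
```

If any variant is accepted, the effective password space is much smaller than the policy suggests: with the defects above, a 19-character mixed password is really an 8-character lowercase alphanumeric one, which is well within reach of an offline or throttled online guessing attack.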

Implementation Flaws Even if the design is perfectly secure, attackers still get their chances Example: defects in multistage login mechanisms

Defects in Multistage Login Mechanisms Multistage mechanisms often contain logic flaws They often make unsafe assumptions The application may assume that a user who reached stage three must have cleared stages one and two It may trust some of the data processed at stage two because it was validated at stage one

Defects in Multistage Login Mechanisms Some applications employ a randomly varying question at one of the stages of the login process This can be broken in several ways The application may store the details of which question was asked in a hidden HTML form field or cookie rather than on the server, so an attacker can submit a question of their own choosing, or capture a user’s question and answer and replay them later The application may ask a fresh question each time the user retries after a failed attempt, so an attacker can simply keep failing until they are asked a question whose answer they know
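The two slides above describe the same root cause: flow state (which stage the user has reached, which question the server chose) is carried in the client's request instead of in server-side session state. The following is an added example, not code from the slides or the book: a constructed two-stage login (password, then challenge question) in which the stage number and the question text arrive in hidden form fields, an attack that jumps straight to stage two and names the question it knows the answer to, and a hardened version that keeps the stage and the issued question in a server-side session and does not rotate the question on a failed answer. The account, password, questions and request field names are assumptions made for the demo; password hashing is omitted to keep the block short.

```python
import secrets
from typing import Dict

# Constructed demo data; not real accounts.
USERS = {
    "alice": {
        "password": "correct horse",
        "questions": {"First pet's name?": "rex", "Mother's maiden name?": "smith"},
    }
}


def _pick_question(user: str) -> str:
    return secrets.choice(list(USERS[user]["questions"]))


class VulnerableLogin:
    """Stage 1 = username+password, stage 2 = challenge question.
    Flaws: 'stage' and 'question' come from hidden form fields the client
    controls, and a failed answer is met with a freshly chosen question."""

    def handle(self, req: Dict[str, str]) -> Dict[str, str]:
        user = req.get("username", "")
        stage = req.get("stage", "1")
        if user not in USERS:
            return {"result": "fail"}
        if stage == "1":
            if req.get("password") == USERS[user]["password"]:
                return {"result": "ok", "stage": "2", "question": _pick_question(user)}
            return {"result": "fail"}
        if stage == "2":
            q = req.get("question", "")  # trusted straight from the client
            if USERS[user]["questions"].get(q) == req.get("answer"):
                return {"result": "authenticated"}
            return {"result": "fail", "stage": "2", "question": _pick_question(user)}
        return {"result": "fail"}


class HardenedLogin:
    """All flow state lives server-side; at stage 2 the client supplies only the answer."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"stage": 1, "user": None, "question": None}
        return sid

    def handle(self, sid: str, req: Dict[str, str]) -> Dict[str, str]:
        s = self.sessions.get(sid)
        if s is None:
            return {"result": "fail"}
        if s["stage"] == 1:
            user = req.get("username", "")
            if user in USERS and req.get("password") == USERS[user]["password"]:
                s.update(user=user, stage=2, question=_pick_question(user))
                return {"result": "ok", "question": s["question"]}
            return {"result": "fail"}
        if s["stage"] == 2:
            # The question is the one the server recorded; any 'question' field
            # in the request is ignored, and the question is kept on failure.
            expected = USERS[s["user"]]["questions"][s["question"]]
            if req.get("answer") == expected:
                s["stage"] = 3
                return {"result": "authenticated"}
            return {"result": "fail", "question": s["question"]}
        return {"result": "fail"}


def attack_skip_and_choose(login: VulnerableLogin) -> Dict[str, str]:
    """Attacker knows only that alice's first pet was 'rex': post stage=2
    directly, name the question, never supply the password."""
    return login.handle({"username": "alice", "stage": "2",
                         "question": "First pet's name?", "answer": "rex"})


if __name__ == "__main__":
    print("vulnerable:", attack_skip_and_choose(VulnerableLogin()))
    h = HardenedLogin()
    sid = h.new_session()
    print("hardened, stage skip:", h.handle(sid, {"question": "First pet's name?", "answer": "rex"}))
```

When testing a real multistage login, replay each stage's request with the other stages omitted or reordered, and tamper with every hidden field and cookie that appears to encode progress or the challenge; the hardened pattern is simply to derive all of that from the server-side session and to keep the same challenge until it is answered correctly.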

Securing Authentication Use strong credentials Handle credentials secretively Validate credentials properly Prevent information leakage Prevent brute-force attacks Prevent misuse of the password change function Prevent misuse of the account recovery function Log, monitor, and notify