
An Introduction to Web Application Security



Presentation on theme: "An Introduction to Web Application Security"— Presentation transcript:

1 An Introduction to Web Application Security
Class 3: Authentication & Session Management
December 17th 2014
Daniel Somerfield, Lead Consulting Developer, ThoughtWorks

2 This Week’s Agenda
December 15th: Introduction to AppSec
December 16th: Injection
December 17th: Vulnerable Authentication & Session Management
December 18th: Cross-Site Scripting
December 19th: Secure Development Process

3 Authentication / Authorization
Authentication: confirming identity via a password, a shared secret, or an asymmetric encryption key-pair, generally for the purpose of authorizing access to protected resources.
Authorization: once identity is established, determining whether the requester has sufficient privileges to access a resource.

4 Session Management Transient state that is associated with a particular user or system, generally via cookies, but optionally with some other kind of token.

5 Common Authentication Vulnerabilities
Clear text credentials transmission
Passing credentials via GET
Storage of passwords in clear text
Storage of passwords as an un-salted hash
Hard-coded / default credentials
Weak password rules
Password reminders
Use of weak hashing algorithms (SHA-1, MD5)

6 Sidebar: Password Rules
Hardware / Software                                Guesses / Second
4 Core MacBook Pro, sloppy Java implementation     1,000,000
5 machine, 25 GPU cluster                          180,000,000,000
NSA cluster                                        ??????

Password Requirements                     Unique Pwds     Mac Hack          Cluster Hack
5 character numeric                       100,000         .1 seconds        seconds
5 character alphanumeric, case sensitive  9.16 x 10^8     916 seconds       .005 seconds
10 character alphanumeric, case sensitive 8.39 x 10^17    26,000 years      54 days
10 character alphanumeric + symbols       6.65 x 10^19    2,108,170 years   11 years
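Every cell in the second table is the same calculation: the number of unique passwords the rule allows, divided by the attacker's guesses per second. The Python below is an added example (not code from the deck) that reproduces the slide's figures and lets you plug in a different rule set or guess rate. The alphabet sizes (10, 62, 96) are my assumptions; the slide states only the resulting keyspaces, and 96 is chosen because 96^10 matches its 6.65 x 10^19.

```python
# Added example: reproduce the slide's password-cracking table from first principles.
# Not code from the presentation.

# Guess rates taken from the slide's first table.
GUESSES_PER_SECOND = {
    "Mac hack": 1_000_000,            # 4 core MacBook Pro, sloppy Java implementation
    "Cluster hack": 180_000_000_000,  # 5 machine, 25 GPU cluster
}

# Alphabet sizes are assumptions; the slide gives only the resulting keyspaces.
ALPHABET = {
    "numeric": 10,                   # 0-9
    "alphanumeric": 62,              # a-z, A-Z, 0-9
    "alphanumeric + symbols": 96,    # 62 + 34 symbols; 96**10 matches the slide's 6.65e19
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for the attacker: every candidate in the keyspace is tried once."""
    return keyspace(alphabet_size, length) / guesses_per_second


def human_time(seconds):
    """Render a duration the way the slide does: seconds, days or years."""
    day, year = 86_400, 365 * 86_400
    if seconds < 3600:
        return f"{seconds:,.3g} seconds"
    if seconds < year:
        return f"{seconds / day:,.0f} days"
    return f"{seconds / year:,.0f} years"


def crack_table(rules, hardware=GUESSES_PER_SECOND):
    """rules: {label: (charset name, length)} -> list of rows like the slide's table."""
    rows = []
    for label, (charset, length) in rules.items():
        size = ALPHABET[charset]
        row = {"rule": label, "unique pwds": f"{keyspace(size, length):.3g}"}
        for hw, rate in hardware.items():
            row[hw] = human_time(seconds_to_exhaust(size, length, rate))
        rows.append(row)
    return rows


if __name__ == "__main__":
    rules = {
        "5 character numeric": ("numeric", 5),
        "5 character alphanumeric": ("alphanumeric", 5),
        "10 character alphanumeric": ("alphanumeric", 10),
        "10 character alphanumeric + symbols": ("alphanumeric + symbols", 10),
        # the rule set proposed on the next slide, for comparison
        "20 characters with symbol, letter and number": ("alphanumeric + symbols", 20),
    }
    for row in crack_table(rules):
        print(row)
```

Run it and compare the output with the slide; the small differences in the "years" column come from rounding and from the exact symbol count assumed. Note that the calculation assumes brute force over the whole keyspace, so it is an upper bound: dictionary and rule-based attacks against human-chosen passwords finish far sooner.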

7 Sidebar: Password Rules
What happens if you make your password rules as follows?
20 characters
At least 1 symbol, letter, and number
Rotate every month

8 What’s the threat? Confidentiality ✓ Integrity ✓ Availability

9 Sidebar: What the heck is a salt
SHA-256 hashes of passwords
“Capt. P1card” -> Ed315bd08b0d5dc3a52f6b3bb9dad6a6f0a14b8aaeef031c2a93e1f33
“Capt. P1card1234” -> 6578a06d64e0c58bcb219c8af87a6d9c8fbc290e3efc17ad5dd1fce
“Capt. P1card4567” -> f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6

10 Sidebar: What the heck is a salt
Username   Hashed Password                                                    Salt
User1      6578a06d64e0c58bcb219c8af87a6d9c8fbc290e3efc17ad5dd1fce            1234
User2      f422ef6457c4d0be3e4ce2ef5a84ff7c2dc948119f61355cc19e260194d76de6   4567

11 Authentication Demo
Demo pages:
Source code: https://github.com/danielsomerfield/app-sec-demo

12 Authentication Demo: Hashing
asdf' UNION ALL SELECT id, username, password_hash, 1, 1, 1 FROM application_user --

13 Authentication Demo: Hashing

14 Defending Against Authentication Vulnerabilities
Use HTTPS, people!
Use POST and a default HTTP method in forms
Salt and hash your passwords for storage with a strong and (yes, you heard me) slow hashing algorithm
Don’t hard-code passwords in your code
If you MUST use password reminders, look for a secure second factor
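The salt sidebar above shows why two users with the same password must not end up with the same stored hash, and this slide adds that the hash should be slow. The Python below is an added example, not code from the deck or the demo repository: it contrasts the sidebar's plain SHA-256-of-password-plus-salt with PBKDF2-HMAC-SHA256 from the standard library, a deliberately slow, salted construction. The iteration count and salt length are my assumptions, not values given by the presentation.

```python
# Added example: fast unsalted/salted SHA-256 (as on the sidebar slides) versus a slow,
# per-user-salted password hash suitable for storage. Not code from the presentation.
import hashlib
import hmac
import secrets

# Assumed tuning; pick the largest count your login latency budget tolerates.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_hash(password, salt=""):
    """Plain SHA-256 of password + salt, exactly what the sidebar slides compute.
    Shown only for contrast: one SHA-256 per guess is what GPU clusters eat for breakfast."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per call means equal passwords produce different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the salt and iteration count stored in the record."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_table(users, iterations=PBKDF2_ITERATIONS):
    """Mirror the slide's Username / Hashed Password / Salt table with slow hashes.
    The salt travels inside the record, so no separate column is needed."""
    return {name: hash_password(pw, iterations) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample accounts, both using the slide's example password.
    table = build_user_table({"User1": "Capt. P1card", "User2": "Capt. P1card"})
    for name, record in table.items():
        print(name, record)
    print("User1 login ok:", verify_password("Capt. P1card", table["User1"]))
    print("User1 wrong pw:", verify_password("Capt. P1card1", table["User1"]))
    # The sidebar's trick: same SHA-256 whether you think of it as salted or not.
    print(fast_hash("Capt. P1card", "1234") == fast_hash("Capt. P1card1234"))
```

Storing the iteration count in the record lets you raise it later and rehash users on their next successful login without a migration; in production a purpose-built password hash (bcrypt, scrypt or Argon2, as the OWASP Password Storage Cheat Sheet in the references recommends) is preferable to hand-rolled PBKDF2 handling.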

15 Authentication Demo: Default Method

16 Default Form Methods
<form id="login-form" action="login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <!-- More fields here -->
  <button type="submit">Log in</button>
</form>
<script>
$("#login-form").on("submit", function (event) {
  event.preventDefault();   // stop the browser's own submission
  // Post to the login endpoint via AJAX...
});
</script>

17 Common Session Management Vulnerabilities
Exposed session IDs
Insufficiently random session IDs
Unprotected session IDs
Session fixation

18 Defending against Session Management Vulnerabilities
Disable URL rewriting
Use a sufficiently long random string for your session cookie value
Invalidate the server session on log out
Short session timeouts
Invalidate the session after a state change such as login or registration
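The five defences above map onto a handful of lines in a session store. The Python below is an added example (not code from the deck or its demo repository) of a minimal server-side store that generates long random IDs from the OS CSPRNG, expires idle sessions, drops the session on logout, and issues a new ID on login so that an ID planted before authentication (session fixation) never becomes an authenticated session. The 15-minute timeout, the cookie name and the `clock` parameter are my assumptions; the slide gives no numbers.

```python
# Added example: a server-side session store implementing the slide's defences.
# Not code from the presentation.
import secrets
import time

SESSION_TIMEOUT_SECONDS = 15 * 60   # assumed "short" timeout; tune per application
COOKIE_NAME = "SESSIONID"           # assumed cookie name


class SessionStore:
    """In-memory session store; `clock` is injectable so expiry can be tested."""

    def __init__(self, timeout=SESSION_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._timeout = timeout
        self._clock = clock

    def create(self, user=None):
        # 32 random bytes (256 bits) from the OS CSPRNG: not a counter, timestamp or hash of the username.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the session, or None if unknown or idle longer than the timeout."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > self._timeout:
            self.invalidate(sid)          # expired: treat exactly like an unknown id
            return None
        session["last_seen"] = self._clock()
        return session

    def login(self, old_sid, user):
        """State change: discard the pre-authentication id and issue a fresh one.
        This is what defeats session fixation."""
        self.invalidate(old_sid)
        return self.create(user)

    def invalidate(self, sid):
        """Log out: remove the session server-side, not just the cookie in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value for the id: cookie only (no URL rewriting), not readable by
    script, only over HTTPS, and not sent on cross-site navigations."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    print("Set-Cookie:", session_cookie_header(anonymous))
    authenticated = store.login(anonymous, "user1")
    print("old id still valid:", store.get(anonymous) is not None)   # False
    print("new id user:", store.get(authenticated)["user"])           # user1
    store.invalidate(authenticated)
    print("after logout:", store.get(authenticated))                   # None
```

The `clock` argument is only there so the idle timeout can be exercised without sleeping; a real deployment would back the dictionary with a shared store so that logout on one node invalidates the session on all of them.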

19 Sidebar: User lockout policies
Why user lockout doesn’t work and what to do about it

20 References
OWASP Top 10 - A2 – Broken Auth & Session Management
OWASP Authentication Cheat Sheet
OWASP Session Management Cheat Sheet https://
OWASP Password Storage Cheat Sheet https://
25-GPU cluster cracks every standard Windows password in <6 hours http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

21 Tomorrow
December 15th: Introduction to AppSec
December 16th: Injection
December 17th: Vulnerable Authentication & Session Management
December 18th: Cross-Site Scripting
December 19th: Secure Development Process




