SlideShare une entreprise Scribd logo

CNIT 129S - Ch 6a: Attacking Authentication

Sam Bowne
Sam Bowne

For a college course at CCSF taught by Sam Bowne. https://samsclass.info/129S/129S_S18.shtml Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470

Formation
1  sur  71
Télécharger pour lire hors ligne
CNIT 129S: Securing Web Applications Ch 6: Attacking Authentication Updated 2-21-28
Authentication Technologies • Over 90% of apps use name & password
More Secure Methods • Two-factor authentication (or more) • PIN from a token, SMS message, or mobile app • In addition to a password • Submitted through an HTML form
Cryptographic Methods • Client-side SSL certificate • Smartcards • More expensive, higher overhead
HTTP Authentication • Basic, Digest, and Windows-integrated • Rarely used on the Internet • More common in intranets, especially Windows domains • So authenticated employees can easily access secured resources
Third-Party Authentication
Third-Party Authentication Link Ch 6b
Third-Party Authentication
Design Flaws • Bad Passwords
Brute-Force Attacks • Strictly, "brute force" refers to trying every possible combination of characters • Very slow • In practice, attackers use lists of common passwords • Defense: account lockout rules after too many failed login attempts
Poor Attempt Counters • Cookie containing failedlogins=1 • Failed login counter held within the current session • Attacker can just withhold the session cookie to defeat this • Sometimes a page continues to provide information about a password's correctness even after account lockout
Insecure Lockout
Verbose Failure Messages • Friendly for legitimate users • But helpful for attackers
Script to Find Phone #s • echo $1,`curl -d "customerEmailAddress= $1" "https://www.att.com/olam/ submitSLIDEmailForgotIdSlid.myworld" - silent| grep -Po '(?<=provided ()d*'` • When you run 
 getatt.sh john.smith@example.com
 it will output a line of text that looks like: • john.smith@example.com,6782345678 • Link Ch 6d
Username Importance • Attacks that reveal valid usernames are called "username enumeration" • Not as bad as finding a password, but still a privacy intrusion • But could be used for social engineering attacks, such as spearphishing emails
Similar but Non-Identical Error Messages • Any difference can be exploited; even response time
Demo • Capture Hackazon login with invalid username and password • In Proxy, HTTP History, right-click POST and Send to Comparer (Response) • Repeat with valid username and invalid password • On Comparer tab, compare Words
No Useful Differences
A
Vulnerable Transmission of Credentials • Eavesdroppers may reside:
HTTPS Risks • If credentials are sent unencrypted, the eavesdropper's task is trivial, but even HTTPS can't prevent these risks: • Credentials sent in the query string are likely to appear in server logs, browser history, and logs of reverse proxies • Many sites take credentials from a POST and then redirect it (302) to another page with credentials in the query string
HTTPS Risks • Cookie risks: • Web apps may store credentials in cookies • Even if cookies cannot be decrypted, they can be re-used • Many pages open a login page via HTTP and use an HTTPS request in the form • This can be defeated by a man-in-the-middle attack, like sslstrip
Password Change Functionality • Periodic password change mitigates the threat of password compromise (a dubious claim) • Users need to change their passwords when they believe them to be compromised
Vulnerable Password Change Systems • Reveal whether the requested username is valid • Allow unrestricted guesses of the "existing password" field • Validate the "existing password" field before comparing the "new password" and "confirm new password" fields • So an attacker can test passwords without making any actual change
Password Change Decision Tree • Identify the user • Validate "existing password" • Integrate with any account lockout features • Compare the new passwords with each other and against password quality rules • Feed back any error conditions to the user • Often there are subtle logic flaws
Forgotten Password Functionality • Often the weakest link • Uses a secondary challenge, like "mother's maiden name" • A small set of possible answers, can be brute- forced • Often can be found from public information
Forgotten Password Functionality • Often users can write their own questions • Attackers can try a long list of usernames • Seeking a really weak question, like "Do I own a boat?" • Password "Hints" are often obvious
Forgotten Password Functionality • Often the mechanism used to reset the password after a correct challenge answer is vulnerable • Some apps disclose the forgotten password to the user, so an attacker can use the account without the owner knowing • Some applications immediately let the user in after the challenge--no password needed
Forgotten Password Functionality • Some apps allow the user to specify an email for the password reset link at the time the challenge is completed • Or use email from a hidden field or cookie • Some apps allow a password reset and don't notify the user with an email
"Remember Me" • Sometimes a simple persistent cookie, like • RememberUser=jsmith • Session=728 • No need to actually log in, if username or session ID can be guessed or found
"Remember Me" • Even if the userid or session token is properly encrypted, it can be stolen via XSS or by getting access to a user's phone or PC
User Impersonation • Sometimes help desk personnel or other special accounts can impersonate users • This may have flaws like • Implemented with a "hidden" function lacking proper access controls, such as • /admin/ImpersonateUser.jsp • A guessable session number • A fixed backdoor password
Incomplete Validation • Some applications truncate passwords without telling users • Also strip unusual characters • Link Ch 6e
Nonunique Usernames • Rare but it happens • You may be able to create a new account with the same username as an existing account • During registration or a password change • If the password also matches, you can detect that from a different error messge
Predictable Usernames • Automatically generated names like • User101, User102, ...
Predictable Initial Passwords • User accounts are create in large batches • All have the same initial password
Insecure Distribution of Credentials • Passwords sent by email, SMS, etc. • Users may never change those credentials • Activation URLs may be predictable • Some apps email the new password to the user after each password change
B
Implementation Flaws
Fail-Open Login • Blank or invalid username may cause an exception in the login routine • Or very long or short values • Or letters where numbers are expected... • And allow the user in
Multistage Login • Enter username and password • Enter specific digits from a PIN (a CAPTCHA) • Enter value displayed on a token
Multistage Login Defects • May allow user to skip steps • May trust data that passes step one, but let user change it, so invaid or locked-out accounts remain available • May assume that the same username applies to all three stages but not verify this
Multistage Login Defects • May use a randomly-chosen question to verify the user • But let the attacker alter that question in a hidden HTML field or cookie • Or allow many requests, so attacker can choose an easy question
Insecure Credential Storage • Plaintext passwords in database • Hashed with MD5 or SHA-1, easily cracked
Securing Authentication • Considerations • How critical is security? • Will users tolerate inconvenient controls? • Cost of supporting a user-unfriendly system • Cost of alternatives, compare to revenue generated or value of assets
Strong Credentials • Minimum password length, requiring alphabetical, numeric, and typographic characters • Avoiding dictionary words, password same as username, re-use of old passwords • Usernames should be unique • Automatically generated usernames or passwords should be long and random, so they cannot be guessed or predicted • Allow users to set strong passwords
Handle Credentials Secretively • Protect them when created, stored, and transmitted • Use well-established cryptography like SSL, not custom methods • Whole login page should be HTTPS, not just the login button • Use POST rather than GET • Don't put credentials in URL parameters or cookies
Handle Credentials Secretively • Don't transmit credentials back to the client, even in parameters to a redirect • Securely hash credentials on the server
Hashing • Password hashes must be salted and stretched • Salt: add random bytes to the password before hashing it • Stretched: many rounds of hashing (Kali Linux 2 uses 5000 rounds of SHA-512)
Handle Credentials Secretively • Client-side "remember me" functionality should remember only nonsecret items such as usernames • If you allow users to store passwords locally, they should be reversibly encrypted with a key known only to the server • And make sure there are no XSS vulnerabilities
Handle Credentials Secretively • Force users to change passwords periodically • Credentials for new users should be sent as securely as possible and time-limited; force password change on first login • Capture some login information with drop-down lists instead of text fields, to defeat keyloggers
Validate Credentials Properly • Validate entire credential, with case sensitivity • Terminate the session on any exception • Review authentication logic and code • Strictly control user impersonation
Multistage Login • All data about progress and the results of previous validation tasks should be held in the server-side session object and never available to the client • No item of information should be submitted more than once by the user • No means for the user to modify data after submission
Multistage Login • The first task at every stage should be to verify that all prior stages have been correctly completed • Always proceed through all stages, even if the first stage fails--don't give attacker any information about which stage failed
Prevent Information Leakage • All authentication failures should use the same code to produce the same error message • To avoid subtle differences that leak information • Account lockout can be used for username enumeration • Login attempts with invalid usernames should lead to the same error messages as valid ones
Self-Registration • Allowing users to choose usernames permits username enumeration. Better methods: • Generate unique, unpredictable usernames • Use e-mail addresses as usernames and require the user to receive and use an email message
Prevent Brute-Force Attacks • At login, password change, recover lost password, etc. • Using unpredictable usernames and preventing their enumeration makes brute-force attacks more difficult • High-security apps like banks disable an account after several failed logins • Account holder must do something out-of-band to re-activate account, like phone customer support and answer security questions • A 30-minute delay is friendlier and cheaper
Prevent Brute-Force Attacks • Consider this type of attack • Use many different usernames with the same password, such as "password" • Defenses: strong password rules, CAPTCHA
Password Change • No way to change username • Require user to enter the old password • Require new password twice (to prevent mistakes) • Same error message for all failures • Users should be notified out-of-band (such as via email) that the password has been changed
Account Recovery • For security-critical apps, require account recovery out-of-band • Don't use "password hints" • Email a unique, time-limited, unguessable, single-use recovery URL
Account Recovery • Challenge questions • Don't let users write their own questions • Don't use questions with low-entropy answers, such as "your favorite color"
Log, Monitor, and Notify • Log all authentication-related events • Protect logs from unauthorized access • Anomalies such as brute-force attacks should trigger IDS alerts • Notify users out-of-band of any critical security events, such as password changes • Notify users in-band of frequent security events, such as time and source IP of the last login
C

Recommandé

Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsSam Bowne
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
 
CNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsCNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsSam Bowne
 
CNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationCNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationSam Bowne
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 

Recommandé

Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
CNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsCNIT 129S: 10: Attacking Back-End Components
CNIT 129S: 10: Attacking Back-End ComponentsSam Bowne
 
CNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesCNIT 129S - Ch 3: Web Application Technologies
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
 
CNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsCNIT 129S: 8: Attacking Access Controls
CNIT 129S: 8: Attacking Access ControlsSam Bowne
 
CNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationCNIT 129: 6. Attacking Authentication
CNIT 129: 6. Attacking AuthenticationSam Bowne
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsCNIT 129S: Ch 5: Bypassing Client-Side Controls
CNIT 129S: Ch 5: Bypassing Client-Side ControlsSam Bowne
 
CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationSam Bowne
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsSam Bowne
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementSam Bowne
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access ManagementSam Bowne
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session ManagementSam Bowne
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Going outside the application
Going outside the applicationGoing outside the application
Going outside the applicationMatthew Saltzman
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
 

Contenu connexe

Tendances

CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationSam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationSam Bowne
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsSam Bowne
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementSam Bowne
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application TechnologiesSam Bowne
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access ManagementSam Bowne
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security EngineeringSam Bowne
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session ManagementSam Bowne
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesSam Bowne
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Accesseightbit
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
Going outside the application
Going outside the applicationGoing outside the application
Going outside the applicationMatthew Saltzman
 

Tendances (20)

CNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the ApplicationCNIT 129S: Ch 4: Mapping the Application
CNIT 129S: Ch 4: Mapping the Application
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
CNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the ApplicationCNIT 129S Ch 4: Mapping the Application
CNIT 129S Ch 4: Mapping the Application
 
Ch 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side ControlsCh 5: Bypassing Client-Side Controls
Ch 5: Bypassing Client-Side Controls
 
CNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session ManagementCNIT 129S Ch 7: Attacking Session Management
CNIT 129S Ch 7: Attacking Session Management
 
Ch 3: Web Application Technologies
Ch 3: Web Application TechnologiesCh 3: Web Application Technologies
Ch 3: Web Application Technologies
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
 
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)
 
CNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS VulnerabilitiesCNIT 123 Ch 8: OS Vulnerabilities
CNIT 123 Ch 8: OS Vulnerabilities
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain AccessDefcon 25 Packet Hacking Village - Finding Your Way to Domain Access
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Going outside the application
Going outside the applicationGoing outside the application
Going outside the application
 

Similaire à CNIT 129S - Ch 6a: Attacking Authentication

CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementSam Bowne
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementSam Bowne
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebCliff Smith
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga 0xdec0de
 
Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Sam Bowne
 
Flaws of password-based authentication
Flaws of password-based authenticationFlaws of password-based authentication
Flaws of password-based authenticationsluge
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicSam Bowne
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaOlajide Kuku
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
 

Similaire à CNIT 129S - Ch 6a: Attacking Authentication (20)

CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
 
CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access Management
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
Password management
Password managementPassword management
Password management
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern Web
 
«How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga «How to start in web application penetration testing» by Maxim Dzhalamaga
«How to start in web application penetration testing» by Maxim Dzhalamaga
 
Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)Ch 13: Attacking Users: Other Techniques (Part 2)
Ch 13: Attacking Users: Other Techniques (Part 2)
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Flaws of password-based authentication
Flaws of password-based authenticationFlaws of password-based authentication
Flaws of password-based authentication
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
 
Password Synchronization
Password SynchronizationPassword Synchronization
Password Synchronization
 
Defending web applications v.1.0
Defending web applications v.1.0Defending web applications v.1.0
Defending web applications v.1.0
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 

Plus de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 

Plus de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Dernier

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 

Dernier (20)

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
 

CNIT 129S - Ch 6a: Attacking Authentication

  • 1. CNIT 129S: Securing Web Applications Ch 6: Attacking Authentication Updated 2-21-28
  • 2. Authentication Technologies • Over 90% of apps use name & password
  • 3. More Secure Methods • Two-factor authentication (or more) • PIN from a token, SMS message, or mobile app • In addition to a password • Submitted through an HTML form
  • 4. Cryptographic Methods • Client-side SSL certificate • Smartcards • More expensive, higher overhead
  • 5. HTTP Authentication • Basic, Digest, and Windows-integrated • Rarely used on the Internet • More common in intranets, especially Windows domains • So authenticated employees can easily access secured resources
  • 10.
  • 11. Brute-Force Attacks • Strictly, "brute force" refers to trying every possible combination of characters • Very slow • In practice, attackers use lists of common passwords • Defense: account lockout rules after too many failed login attempts
  • 12.
  • 13.
  • 14. Poor Attempt Counters • Cookie containing failedlogins=1 • Failed login counter held within the current session • Attacker can just withhold the session cookie to defeat this • Sometimes a page continues to provide information about a password's correctness even after account lockout
  • 16.
  • 17.
  • 18. Verbose Failure Messages • Friendly for legitimate users • But helpful for attackers
  • 19.
  • 20. Script to Find Phone #s • echo $1,`curl -d "customerEmailAddress= $1" "https://www.att.com/olam/ submitSLIDEmailForgotIdSlid.myworld" - silent| grep -Po '(?<=provided ()d*'` • When you run 
 getatt.sh john.smith@example.com
 it will output a line of text that looks like: • john.smith@example.com,6782345678 • Link Ch 6d
  • 21. Username Importance • Attacks that reveal valid usernames are called "username enumeration" • Not as bad as finding a password, but still a privacy intrusion • But could be used for social engineering attacks, such as spearphishing emails
  • 22. Similar but Non-Identical Error Messages • Any difference can be exploited; even response time
  • 23. Demo • Capture Hackazon login with invalid username and password • In Proxy, HTTP History, right-click POST and Send to Comparer (Response) • Repeat with valid username and invalid password • On Comparer tab, compare Words
  • 25. A
  • 26. Vulnerable Transmission of Credentials • Eavesdroppers may reside:
  • 27. HTTPS Risks • If credentials are sent unencrypted, the eavesdropper's task is trivial, but even HTTPS can't prevent these risks: • Credentials sent in the query string are likely to appear in server logs, browser history, and logs of reverse proxies • Many sites take credentials from a POST and then redirect it (302) to another page with credentials in the query string
  • 28. HTTPS Risks • Cookie risks: • Web apps may store credentials in cookies • Even if cookies cannot be decrypted, they can be re-used • Many pages open a login page via HTTP and use an HTTPS request in the form • This can be defeated by a man-in-the-middle attack, like sslstrip
  • 29.
  • 30. Password Change Functionality • Periodic password change mitigates the threat of password compromise (a dubious claim) • Users need to change their passwords when they believe them to be compromised
  • 31. Vulnerable Password Change Systems • Reveal whether the requested username is valid • Allow unrestricted guesses of the "existing password" field • Validate the "existing password" field before comparing the "new password" and "confirm new password" fields • So an attacker can test passwords without making any actual change
  • 32. Password Change Decision Tree • Identify the user • Validate "existing password" • Integrate with any account lockout features • Compare the new passwords with each other and against password quality rules • Feed back any error conditions to the user • Often there are subtle logic flaws
  • 33. Forgotten Password Functionality • Often the weakest link • Uses a secondary challenge, like "mother's maiden name" • A small set of possible answers, can be brute- forced • Often can be found from public information
  • 34. Forgotten Password Functionality • Often users can write their own questions • Attackers can try a long list of usernames • Seeking a really weak question, like "Do I own a boat?" • Password "Hints" are often obvious
  • 35. Forgotten Password Functionality • Often the mechanism used to reset the password after a correct challenge answer is vulnerable • Some apps disclose the forgotten password to the user, so an attacker can use the account without the owner knowing • Some applications immediately let the user in after the challenge--no password needed
  • 36. Forgotten Password Functionality • Some apps allow the user to specify an email for the password reset link at the time the challenge is completed • Or use email from a hidden field or cookie • Some apps allow a password reset and don't notify the user with an email
  • 37. "Remember Me" • Sometimes a simple persistent cookie, like • RememberUser=jsmith • Session=728 • No need to actually log in, if username or session ID can be guessed or found
  • 38. "Remember Me" • Even if the userid or session token is properly encrypted, it can be stolen via XSS or by getting access to a user's phone or PC
  • 39. User Impersonation • Sometimes help desk personnel or other special accounts can impersonate users • This may have flaws like • Implemented with a "hidden" function lacking proper access controls, such as • /admin/ImpersonateUser.jsp • A guessable session number • A fixed backdoor password
  • 40. Incomplete Validation • Some applications truncate passwords without telling users • Also strip unusual characters • Link Ch 6e
  • 41. Nonunique Usernames • Rare but it happens • You may be able to create a new account with the same username as an existing account • During registration or a password change • If the password also matches, you can detect that from a different error messge
  • 42. Predictable Usernames • Automatically generated names like • User101, User102, ...
  • 43. Predictable Initial Passwords • User accounts are create in large batches • All have the same initial password
  • 44. Insecure Distribution of Credentials • Passwords sent by email, SMS, etc. • Users may never change those credentials • Activation URLs may be predictable • Some apps email the new password to the user after each password change
  • 45. B
  • 47. Fail-Open Login • Blank or invalid username may cause an exception in the login routine • Or very long or short values • Or letters where numbers are expected... • And allow the user in
  • 48. Multistage Login • Enter username and password • Enter specific digits from a PIN (a CAPTCHA) • Enter value displayed on a token
  • 49. Multistage Login Defects • May allow user to skip steps • May trust data that passes step one, but let user change it, so invaid or locked-out accounts remain available • May assume that the same username applies to all three stages but not verify this
  • 50. Multistage Login Defects • May use a randomly-chosen question to verify the user • But let the attacker alter that question in a hidden HTML field or cookie • Or allow many requests, so attacker can choose an easy question
  • 51. Insecure Credential Storage • Plaintext passwords in database • Hashed with MD5 or SHA-1, easily cracked
  • 52. Securing Authentication • Considerations • How critical is security? • Will users tolerate inconvenient controls? • Cost of supporting a user-unfriendly system • Cost of alternatives, compare to revenue generated or value of assets
  • 53. Strong Credentials • Minimum password length, requiring alphabetical, numeric, and typographic characters • Avoiding dictionary words, password same as username, re-use of old passwords • Usernames should be unique • Automatically generated usernames or passwords should be long and random, so they cannot be guessed or predicted • Allow users to set strong passwords
  • 54. Handle Credentials Secretively • Protect them when created, stored, and transmitted • Use well-established cryptography like SSL, not custom methods • Whole login page should be HTTPS, not just the login button • Use POST rather than GET • Don't put credentials in URL parameters or cookies
  • 55. Handle Credentials Secretively • Don't transmit credentials back to the client, even in parameters to a redirect • Securely hash credentials on the server
  • 56. Hashing • Password hashes must be salted and stretched • Salt: add random bytes to the password before hashing it • Stretched: many rounds of hashing (Kali Linux 2 uses 5000 rounds of SHA-512)
  • 57.
  • 58. Handle Credentials Secretively • Client-side "remember me" functionality should remember only nonsecret items such as usernames • If you allow users to store passwords locally, they should be reversibly encrypted with a key known only to the server • And make sure there are no XSS vulnerabilities
  • 59. Handle Credentials Secretively • Force users to change passwords periodically • Credentials for new users should be sent as securely as possible and time-limited; force password change on first login • Capture some login information with drop-down lists instead of text fields, to defeat keyloggers
  • 60. Validate Credentials Properly • Validate entire credential, with case sensitivity • Terminate the session on any exception • Review authentication logic and code • Strictly control user impersonation
  • 61. Multistage Login • All data about progress and the results of previous validation tasks should be held in the server-side session object and never available to the client • No item of information should be submitted more than once by the user • No means for the user to modify data after submission
  • 62. Multistage Login • The first task at every stage should be to verify that all prior stages have been correctly completed • Always proceed through all stages, even if the first stage fails--don't give attacker any information about which stage failed
  • 63. Prevent Information Leakage • All authentication failures should use the same code to produce the same error message • To avoid subtle differences that leak information • Account lockout can be used for username enumeration • Login attempts with invalid usernames should lead to the same error messages as valid ones
  • 64. Self-Registration • Allowing users to choose usernames permits username enumeration. Better methods: • Generate unique, unpredictable usernames • Use e-mail addresses as usernames and require the user to receive and use an email message
  • 65. Prevent Brute-Force Attacks • At login, password change, recover lost password, etc. • Using unpredictable usernames and preventing their enumeration makes brute-force attacks more difficult • High-security apps like banks disable an account after several failed logins • Account holder must do something out-of-band to re-activate account, like phone customer support and answer security questions • A 30-minute delay is friendlier and cheaper
  • 66. Prevent Brute-Force Attacks • Consider this type of attack • Use many different usernames with the same password, such as "password" • Defenses: strong password rules, CAPTCHA
  • 67. Password Change • No way to change username • Require user to enter the old password • Require new password twice (to prevent mistakes) • Same error message for all failures • Users should be notified out-of-band (such as via email) that the password has been changed
  • 68. Account Recovery • For security-critical apps, require account recovery out-of-band • Don't use "password hints" • Email a unique, time-limited, unguessable, single-use recovery URL
  • 69. Account Recovery • Challenge questions • Don't let users write their own questions • Don't use questions with low-entropy answers, such as "your favorite color"
  • 70. Log, Monitor, and Notify • Log all authentication-related events • Protect logs from unauthorized access • Anomalies such as brute-force attacks should trigger IDS alerts • Notify users out-of-band of any critical security events, such as password changes • Notify users in-band of frequent security events, such as time and source IP of the last login
  • 71. C