SlideShare une entreprise Scribd logo

Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and Caching

A
amiable_indian
Technologie
1  sur  44
Insecure Implementation of Security Practices Karmendra Kohli Director, Co-founder
Agenda • Talk about insecure implementation of security practices for – Salted Hashing – CAPTCHA – Browser Caching
Why do we need authentication • Abstraction of Lock and Key – Humans are used to and comfortable with the concept • Explicit Authentication happens only once – Implicit authentication with each request
Threats to passwords • In the Host – Can be found in Memory or Browser History • Network – Can be sniffed or found in proxy logs • Database – If stored in clear-text, compromise of DB leads to complete compromise – Backup tapes etc
Securing Credentials • Denote password by ******** in the form field – Can be guessed • Implement strong password policy – Can be stolen • Base64 Encoding – Can be decoded • Encrypting the password – Can be decrypted • Hashing the password – Our story begins from here…
Hashing • Cryptographic Hash Function is a transformation that takes an input and returns a fixed-size string, which is called the hash value. – From Wikipedia • One way hashes cannot be reversed, they can only be compared – Just like finger prints • A strong one-way hash will have minute probability of collision
Use of hashing • Authentication • Message Integrity • Digital Signatures
Is just a hash secure? • Hash can be stolen from the – memory – browser history – network by sniffing – proxy logs • We can replay the hash instead of the clear text password – Does not need to be reversed for authentication
Hash with a pinch of salt • Salted hash – Aims at implementing a one time password scheme – Each time the password of the user transmitted from the client is different – Even if stolen cannot be reused/replayed Well That Is The Aim!!
The Working Steps 1. With each request to the login page by the user, the server generates a random number, the salt, and sends it to the client along with the login page. 2. A JavaScript code on the client computes the hash of the password entered by the user. 3. The salt is concatenated with the computed hash of the password to re-compute the hash of the concatenated string (let this salted hash be ‘A’). 4. The result i.e. ‘A’ generated in the previous step is sent to the server along with the username.
The Working Steps 5. On the server side - the application retrieves the hashed password for the corresponding username from the database. 6. The hashed password fetched from the database is concatenated with the salt (which was earlier sent to the client) stored at the server. Hash of the concatenated string is calculated at the server (let this salted hash be B). 7. If the user entered the correct password then these two hashes (A & B) should match. The server compares these two hashes and if they match, the user is authenticated. 8. The salt is then deleted from the server side
Insecure Implementations
1. Generating salt on client side
Generating salt on client side
Generating salt on client side • So we have all values that server needs to calculate the salted hash • It is enough to replay the values • Beats goal of using salts
2. Using a limited set of salts • The number of salts being used by the server is fixed • Above replay technique works – We just need to try multiple number of times
3. Using same salt for same user • In this case the salted hash was stored by the developer in the DB – Gives a ‘feeling’ of more security • If salted hash is stored as password, then salt too needs to be stored ☺ • Hence same salt is sent each time - replay
4. Not re-initializing the salt for login pages • Multiple logins from the same browser resulted in same salt being used • Salt not deleted from the server side on successful or unsuccessful authentication • Problem is also related to not re-initializing the session after successful or unsuccessful authentication • Attack window is small, but still…
5. Transmitting clear text password along with salted hash • Many implementations observed • The salted hash is sent along with clear text form input fields • The salted hash is computed using different set of hidden variables
Transmitting clear text along with salted hash
6. Not re-initializing the java script variables • Uname = Document.form1.textbox1.value • Pwd = Document.form1.textbox2.value • Use the and ‘pwd’ variable for salted hash calculation – Hash = Hfx (pwd) – Hash = Hfx (Hash + salt) • The uname and pwd can be found as clear text in memory
Not re-initializing the java script variables
7. Storing password in clear text in database • Hash = hash (password + salt) • Server does not store salt in the database • Clearly implies that server also does not store hash of password in database
Salted Hash Best Practices • Salt – Generated on server side – Must be highly random. Must use cryptographically strong PRNG algorithm – Must never be stored in the database – Must be re-generated after each successful /unsuccessful attempt – All temporary Form Field or JS variables must be set to null before submitting the request • Passwords must be stored in hashed format in the database
CAPTCHA • Completely Automated Public Turing Tests to Tell Computers and Humans Apart • Aim is to introduce an entity that requires human intervention • Protection against DOS or Brute force or Misuse – Avoiding automating submissions
Typical uses • Public Forms – Registration – Feedback / Rating – Survey – Blog post – Appointment/Slot booking
CAPTCHA - Implementation • Initiate a session for the page rendered • Request for image • Generate unique string randomly on server side • Generate image with string embedded • Remember the string in Session Object and send CAPTCHA to client • For each client request, validate the sent value with the one in the session object • Invalidate session after each attempt – Both successful and unsuccessful • Generate new CAPTCHA for each new page request
Insecure Implementation • We are not focusing weakness of CAPTCHA generation – It’s a different ball game • We will discuss common implementation flaws of using CAPTCHA’s
1. Verifying CAPTCHA on client side • The client side JavaScript verifies the CAPTCHA value • Server trusts the decision of client strPassFlag=True; • Completely bypass enforcement • Automate submission
2. Having a limited set words • Small fixed pool of CAPTCHA words • Automated tools will have high probability of hits • Bypass goal of implementing CAPTCHA
What better than a COMBO Limited pool of CAPTCHA values with client side verification
3. Validate CAPTCHA on server but value sent from client • Actual value of CAPTCHA sent as hidden variable – Hmmmmm, “hidden” does not mean “secure” • Replay request with value of our choice
4. Session is not re-initialized • Session not re-initialized after form submission • Refresh on submitted page works • Automate replay of requests using assigned session ID • Multiple registrations – Treasure trove for spammers
5. Image ID can be replayed • The request for image is of the form • <img src = http://www.testserver.com/image_draw.jsp?I D=23erdfret45ffrsd4g3fd3sa3a4d5a • The image_draw.jsp decrypts the value to get the word • For the same value the same word is rendered ALWAYS • Replay image request
Image ID can be replayed Server Client Step#1: Request for Public FORM Step#2: Form with <img src=http://…/image_draw.php?id=X1> Step#4: Generate an image Step#3: Request for Image based on unique token (X1) & store in the session object. Step#5: Form rendered with image Step#7: Validation with string Step#6: FORM Submission stored in the session object. • Step 2 can be replayed
6. CAPTCHA is not an image • One application had a ‘feeling’ of an image • Java Script used for rendering the text on the page in a “different” font • Tools can read such text easily Text can be selected ☺
CAPTCHA implementation best practices CAPTCHA: – Generated on server side – Verified on server side – Strings must be randomly generated – Images must not be generated based on token from ‘hidden’ client side – Must be bound to a session – Must be re-generated after each successful /unsuccessful attempt
Caching Issues • Unauthorized access to information User CC No User Name SB Account No Logged off Back Password Submit Submit Sign In Sign Out Thank You Account Details Login
Browser Cache • A local store – Aims to improve performance – Renders pages locally, fast user experience – Support across browsers • Controlled by a lot many directives – Pragma: no-cache – Cache-control: no-cache – Expires: Mon, 03 Jul 2000 9:30:41 GMT
Caching • Relevant HTTP fields • Request o If-Modified-Since o Pragma: no-cache Response • o Last-Modified o Expires: Mon, 03 Apr 2009 9:30:41 GMT o Cache-Control: no-cache, no-store
Caching • Relevant HTTP fields • Request o If-Modified-Since – Recheck for fresh content o Pragma: no-cache – HTTP 1.0 Response • o Last-Modified – Confirm fresh content o Expires: ………… – HTTP 1.0 o Cache-Control: no-cache – Pages will not be displayed, but will still be stored o Cache-Control: no-store – Pages will not be stored
Caching best practice • For critical applications • Cache-Control: no-cache and Cache- Control: no-store must be set for ALL pages
Example Implementation flaw • Banking application – Ideally all pages must be fetched fresh – Clicking on ‘back’ must not render page – All pages set with Cache-Control: no-cache, no-store – excepting logout page – On logout, an intermediate proxy used to serve logout page – Session was not invalidated as request did not reach server
karmendra.kohli@secureyes.net

Recommandé

Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Reportbtpsec
 
User server interaction
User server interactionUser server interaction
User server interactionbhavanatmithun
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesRonan Dunne, CEH, SSCP
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql InjectionNSConclave
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 

Recommandé

Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Reportbtpsec
 
User server interaction
User server interactionUser server interaction
User server interactionbhavanatmithun
 
Cross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesCross Site Scripting - Web Defacement Techniques
Cross Site Scripting - Web Defacement TechniquesRonan Dunne, CEH, SSCP
 
NoSql Injection
NoSql InjectionNoSql Injection
NoSql InjectionNSConclave
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
Cross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityCross Domain Hijacking - File Upload Vulnerability
Cross Domain Hijacking - File Upload VulnerabilityRonan Dunne, CEH, SSCP
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMMikhail Egorov
 
Broken access controls
Broken access controlsBroken access controls
Broken access controlsAkansha Kesharwani
 
Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Http methods
Http methodsHttp methods
Http methodsmaamir farooq
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Metasploitable
MetasploitableMetasploitable
MetasploitableSri Manakula Vinayagar Engineering College
 
Android local sockets in native code
Android local sockets in native code Android local sockets in native code
Android local sockets in native code ramalinga prasad tadepalli
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding PracticesThomas Kurian Ambattu,CRISC,ISLA-2011 (ISC)²
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices SecurityAditi Anand
 
Ehcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage PatternsEhcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage PatternsEduardo Pelegri-Llopart
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniquesprashant3535
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Data Access - Best Practice
Data Access - Best PracticeData Access - Best Practice
Data Access - Best PracticeLars-Erik Kindblad
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Tellingamiable_indian
 

Contenu connexe

Tendances

Security of the database
Security of the databaseSecurity of the database
Security of the databasePratik Tamgadge
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL InjectionJoe McCray
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneArash Ramez
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices SecurityAditi Anand
 
Ehcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage PatternsEhcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage PatternsEduardo Pelegri-Llopart
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniquesprashant3535
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 

Tendances (20)

Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
Security of the database
Security of the databaseSecurity of the database
Security of the database
 
Http methods
Http methodsHttp methods
Http methods
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Advanced SQL Injection
Advanced SQL InjectionAdvanced SQL Injection
Advanced SQL Injection
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
How to do Cryptography right in Android Part One
How to do Cryptography right in Android Part OneHow to do Cryptography right in Android Part One
How to do Cryptography right in Android Part One
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
 
Android local sockets in native code
Android local sockets in native code Android local sockets in native code
Android local sockets in native code
 
5 Important Secure Coding Practices
5 Important Secure Coding Practices5 Important Secure Coding Practices
5 Important Secure Coding Practices
 
Microservices Security
Microservices SecurityMicroservices Security
Microservices Security
 
Ehcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage PatternsEhcache Architecture, Features And Usage Patterns
Ehcache Architecture, Features And Usage Patterns
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniques
 
Nikto
NiktoNikto
Nikto
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalation
 
Data Access - Best Practice
Data Access - Best PracticeData Access - Best Practice
Data Access - Best Practice
 

En vedette

Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Tellingamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010Eric Shaver, PhD
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 

En vedette (8)

Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-TellingNo Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
No Substitute for Ongoing Data, Quantification, Visualization, and Story-Telling
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
A Human Factors Perspective on Alarm System Research & Development 2000 to 2010
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 

Similaire à Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and Caching

Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008ClubHack
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebCliff Smith
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session ManagementSam Bowne
 
Authentication in Node.js
Authentication in Node.jsAuthentication in Node.js
Authentication in Node.jsJason Pearson
 
Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Amazon Web Services
 
How LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APIHow LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APILinkedIn
 
Comet from JavaOne 2008
Comet from JavaOne 2008Comet from JavaOne 2008
Comet from JavaOne 2008Joe Walker
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Presentation 3 1 1 1
Presentation 3 1 1 1Presentation 3 1 1 1
Presentation 3 1 1 1Ashwin Kumar
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)Nate Lawson
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java ApplicationsStormpath
 
Ntu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncNtu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncAeshan Wijetunge
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Lior Rotkovitch
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
iPhone Development For Experienced Web Developers
iPhone Development For Experienced Web DevelopersiPhone Development For Experienced Web Developers
iPhone Development For Experienced Web Developerslisab517
 

Similaire à Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and Caching (20)

Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
Karmendra - Hashing, CAPTCHA's and Caching - ClubHack2008
 
Redesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern WebRedesigning Password Authentication for the Modern Web
Redesigning Password Authentication for the Modern Web
 
2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
 
Authentication in Node.js
Authentication in Node.jsAuthentication in Node.js
Authentication in Node.js
 
Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS Serverless Authentication and Authorisation for Your APIs on AWS
Serverless Authentication and Authorisation for Your APIs on AWS
 
How LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APIHow LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an API
 
Comet from JavaOne 2008
Comet from JavaOne 2008Comet from JavaOne 2008
Comet from JavaOne 2008
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Presentation 3 1 1 1
Presentation 3 1 1 1Presentation 3 1 1 1
Presentation 3 1 1 1
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)When Crypto Attacks! (Yahoo 2009)
When Crypto Attacks! (Yahoo 2009)
 
Token Authentication for Java Applications
Token Authentication for Java ApplicationsToken Authentication for Java Applications
Token Authentication for Java Applications
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Ntu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & AsyncNtu workshop : REST, PayPal APIs & Async
Ntu workshop : REST, PayPal APIs & Async
 
Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1 Advance WAF bot mitigations V13.1
Advance WAF bot mitigations V13.1
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
iPhone Development For Experienced Web Developers
iPhone Development For Experienced Web DevelopersiPhone Development For Experienced Web Developers
iPhone Development For Experienced Web Developers
 

Plus de amiable_indian

State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 
Advanced Ajax Security
Advanced Ajax SecurityAdvanced Ajax Security
Advanced Ajax Securityamiable_indian
 
Network Performance Forecasting System
Network Performance Forecasting SystemNetwork Performance Forecasting System
Network Performance Forecasting Systemamiable_indian
 
Leading Indicators in Information Security
Leading Indicators in Information SecurityLeading Indicators in Information Security
Leading Indicators in Information Securityamiable_indian
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environmentsamiable_indian
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNSamiable_indian
 

Plus de amiable_indian (20)

State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 
Advanced Ajax Security
Advanced Ajax SecurityAdvanced Ajax Security
Advanced Ajax Security
 
Network Performance Forecasting System
Network Performance Forecasting SystemNetwork Performance Forecasting System
Network Performance Forecasting System
 
Leading Indicators in Information Security
Leading Indicators in Information SecurityLeading Indicators in Information Security
Leading Indicators in Information Security
 
Ferret - Data Seepage
Ferret - Data SeepageFerret - Data Seepage
Ferret - Data Seepage
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
Fast flux hosting and DNS
Fast flux hosting and DNSFast flux hosting and DNS
Fast flux hosting and DNS
 

Dernier

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Dernier (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and Caching

  • 1. Insecure Implementation of Security Practices Karmendra Kohli Director, Co-founder
  • 2. Agenda • Talk about insecure implementation of security practices for – Salted Hashing – CAPTCHA – Browser Caching
  • 3. Why do we need authentication • Abstraction of Lock and Key – Humans are used to and comfortable with the concept • Explicit Authentication happens only once – Implicit authentication with each request
  • 4. Threats to passwords • In the Host – Can be found in Memory or Browser History • Network – Can be sniffed or found in proxy logs • Database – If stored in clear-text, compromise of DB leads to complete compromise – Backup tapes etc
  • 5. Securing Credentials • Denote password by ******** in the form field – Can be guessed • Implement strong password policy – Can be stolen • Base64 Encoding – Can be decoded • Encrypting the password – Can be decrypted • Hashing the password – Our story begins from here…
  • 6. Hashing • Cryptographic Hash Function is a transformation that takes an input and returns a fixed-size string, which is called the hash value. – From Wikipedia • One way hashes cannot be reversed, they can only be compared – Just like finger prints • A strong one-way hash will have minute probability of collision
  • 7. Use of hashing • Authentication • Message Integrity • Digital Signatures
  • 8. Is just a hash secure? • Hash can be stolen from the – memory – browser history – network by sniffing – proxy logs • We can replay the hash instead of the clear text password – Does not need to be reversed for authentication
  • 9. Hash with a pinch of salt • Salted hash – Aims at implementing a one time password scheme – Each time the password of the user transmitted from the client is different – Even if stolen cannot be reused/replayed Well That Is The Aim!!
  • 10. The Working Steps 1. With each request to the login page by the user, the server generates a random number, the salt, and sends it to the client along with the login page. 2. A JavaScript code on the client computes the hash of the password entered by the user. 3. The salt is concatenated with the computed hash of the password to re-compute the hash of the concatenated string (let this salted hash be ‘A’). 4. The result i.e. ‘A’ generated in the previous step is sent to the server along with the username.
  • 11. The Working Steps 5. On the server side - the application retrieves the hashed password for the corresponding username from the database. 6. The hashed password fetched from the database is concatenated with the salt (which was earlier sent to the client) stored at the server. Hash of the concatenated string is calculated at the server (let this salted hash be B). 7. If the user entered the correct password then these two hashes (A & B) should match. The server compares these two hashes and if they match, the user is authenticated. 8. The salt is then deleted from the server side
  • 13. 1. Generating salt on client side
  • 14. Generating salt on client side
  • 15. Generating salt on client side • So we have all values that server needs to calculate the salted hash • It is enough to replay the values • Beats goal of using salts
  • 16. 2. Using a limited set of salts • The number of salts being used by the server is fixed • Above replay technique works – We just need to try multiple number of times
  • 17. 3. Using same salt for same user • In this case the salted hash was stored by the developer in the DB – Gives a ‘feeling’ of more security • If salted hash is stored as password, then salt too needs to be stored ☺ • Hence same salt is sent each time - replay
  • 18. 4. Not re-initializing the salt for login pages • Multiple logins from the same browser resulted in same salt being used • Salt not deleted from the server side on successful or unsuccessful authentication • Problem is also related to not re-initializing the session after successful or unsuccessful authentication • Attack window is small, but still…
  • 19. 5. Transmitting clear text password along with salted hash • Many implementations observed • The salted hash is sent along with clear text form input fields • The salted hash is computed using different set of hidden variables
  • 20. Transmitting clear text along with salted hash
  • 21. 6. Not re-initializing the java script variables • Uname = Document.form1.textbox1.value • Pwd = Document.form1.textbox2.value • Use the and ‘pwd’ variable for salted hash calculation – Hash = Hfx (pwd) – Hash = Hfx (Hash + salt) • The uname and pwd can be found as clear text in memory
  • 22. Not re-initializing the java script variables
  • 23. 7. Storing password in clear text in database • Hash = hash (password + salt) • Server does not store salt in the database • Clearly implies that server also does not store hash of password in database
  • 24. Salted Hash Best Practices • Salt – Generated on server side – Must be highly random. Must use cryptographically strong PRNG algorithm – Must never be stored in the database – Must be re-generated after each successful /unsuccessful attempt – All temporary Form Field or JS variables must be set to null before submitting the request • Passwords must be stored in hashed format in the database
  • 25. CAPTCHA • Completely Automated Public Turing Tests to Tell Computers and Humans Apart • Aim is to introduce an entity that requires human intervention • Protection against DOS or Brute force or Misuse – Avoiding automating submissions
  • 26. Typical uses • Public Forms – Registration – Feedback / Rating – Survey – Blog post – Appointment/Slot booking
  • 27. CAPTCHA - Implementation • Initiate a session for the page rendered • Request for image • Generate unique string randomly on server side • Generate image with string embedded • Remember the string in Session Object and send CAPTCHA to client • For each client request, validate the sent value with the one in the session object • Invalidate session after each attempt – Both successful and unsuccessful • Generate new CAPTCHA for each new page request
  • 28. Insecure Implementation • We are not focusing weakness of CAPTCHA generation – It’s a different ball game • We will discuss common implementation flaws of using CAPTCHA’s
  • 29. 1. Verifying CAPTCHA on client side • The client side JavaScript verifies the CAPTCHA value • Server trusts the decision of client strPassFlag=True; • Completely bypass enforcement • Automate submission
  • 30. 2. Having a limited set words • Small fixed pool of CAPTCHA words • Automated tools will have high probability of hits • Bypass goal of implementing CAPTCHA
  • 31. What better than a COMBO Limited pool of CAPTCHA values with client side verification
  • 32. 3. Validate CAPTCHA on server but value sent from client • Actual value of CAPTCHA sent as hidden variable – Hmmmmm, “hidden” does not mean “secure” • Replay request with value of our choice
  • 33. 4. Session is not re-initialized • Session not re-initialized after form submission • Refresh on submitted page works • Automate replay of requests using assigned session ID • Multiple registrations – Treasure trove for spammers
  • 34. 5. Image ID can be replayed • The request for image is of the form • <img src = http://www.testserver.com/image_draw.jsp?I D=23erdfret45ffrsd4g3fd3sa3a4d5a • The image_draw.jsp decrypts the value to get the word • For the same value the same word is rendered ALWAYS • Replay image request
  • 35. Image ID can be replayed Server Client Step#1: Request for Public FORM Step#2: Form with <img src=http://…/image_draw.php?id=X1> Step#4: Generate an image Step#3: Request for Image based on unique token (X1) & store in the session object. Step#5: Form rendered with image Step#7: Validation with string Step#6: FORM Submission stored in the session object. • Step 2 can be replayed
  • 36. 6. CAPTCHA is not an image • One application had a ‘feeling’ of an image • Java Script used for rendering the text on the page in a “different” font • Tools can read such text easily Text can be selected ☺
  • 37. CAPTCHA implementation best practices CAPTCHA: – Generated on server side – Verified on server side – Strings must be randomly generated – Images must not be generated based on token from ‘hidden’ client side – Must be bound to a session – Must be re-generated after each successful /unsuccessful attempt
  • 38. Caching Issues • Unauthorized access to information User CC No User Name SB Account No Logged off Back Password Submit Submit Sign In Sign Out Thank You Account Details Login
  • 39. Browser Cache • A local store – Aims to improve performance – Renders pages locally, fast user experience – Support across browsers • Controlled by a lot many directives – Pragma: no-cache – Cache-control: no-cache – Expires: Mon, 03 Jul 2000 9:30:41 GMT
  • 40. Caching • Relevant HTTP fields • Request o If-Modified-Since o Pragma: no-cache Response • o Last-Modified o Expires: Mon, 03 Apr 2009 9:30:41 GMT o Cache-Control: no-cache, no-store
  • 41. Caching • Relevant HTTP fields • Request o If-Modified-Since – Recheck for fresh content o Pragma: no-cache – HTTP 1.0 Response • o Last-Modified – Confirm fresh content o Expires: ………… – HTTP 1.0 o Cache-Control: no-cache – Pages will not be displayed, but will still be stored o Cache-Control: no-store – Pages will not be stored
  • 42. Caching best practice • For critical applications • Cache-Control: no-cache and Cache- Control: no-store must be set for ALL pages
  • 43. Example Implementation flaw • Banking application – Ideally all pages must be fetched fresh – Clicking on ‘back’ must not render page – All pages set with Cache-Control: no-cache, no-store – excepting logout page – On logout, an intermediate proxy used to serve logout page – Session was not invalidated as request did not reach server