Web Security, Summer Term 2012

Similar documents
Web Security, Summer Term 2012

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Combating Common Web App Authentication Threats

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Authentication Security

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Copyright

Bank Infrastructure - Video - 1

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CSC 474 Network Security. Authentication. Identification

SECURING APACHE : ATTACKS ON SESSION MANAGEMENT

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Application Security. Philippe Bogaerts

Security and Privacy

5. Authentication Contents

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

COMP9321 Web Application Engineering

Web Security, Summer Term 2012

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Computer Security 3/20/18

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Controlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years

En#ty Authen#ca#on and Session Management

Who are you? Enter userid and password. Means of Authentication. Authentication 2/19/2010 COMP Authentication is the process of verifying that

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Intruders, Human Identification and Authentication, Web Authentication

CS530 Authentication

Curso: Ethical Hacking and Countermeasures

Configuring the CSS for Device Management

Frequently Asked Questions (FAQ)

P2_L12 Web Security Page 1

PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B

Welcome to the OWASP TOP 10

Secure Session Management

e-commerce Study Guide Test 2. Security Chapter 10

Solutions Business Manager Web Application Security Assessment

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CSE 565 Computer Security Fall 2018

COMP9321 Web Application Engineering

Security Awareness. Chapter 2 Personal Security

Chapter 2. Switch Concepts and Configuration. Part II

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

COMP9321 Web Application Engineering

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

1 About Web Security. What is application security? So what can happen? see [?]

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications

Modern two-factor authentication: Easy. Affordable. Secure.


Authentication Methods

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Pass, No Record: An Android Password Manager

Defeating All Man-in-the-Middle Attacks

WEB SECURITY: XSS & CSRF

Access Controls. CISSP Guide to Security Essentials Chapter 2

CS 142 Winter Session Management. Dan Boneh

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created


Vidder PrecisionAccess

Introduction...1. Authentication Methods...1. Classes of Attacks on Authentication Mechanisms...4. Security Analysis of Authentication Mechanisms...

Lecture 3 - Passwords and Authentication

Addressing Credential Compromise & Account Takeovers: Bearersensitive. Girish Chiruvolu, Ph.D., CISSP, CISM, MBA ISACA NTX April 19

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Endpoint Security - what-if analysis 1

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Web Security, Summer Term 2012

Web Security, Summer Term 2012

SE420 Software Quality Assurance

Web Application Whitepaper

User Authentication. Modified By: Dr. Ramzi Saifan

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

COMPUTER NETWORK SECURITY

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

RKN 2015 Application Layer Short Summary

Robust Defenses for Cross-Site Request Forgery

Network Security and Cryptography. 2 September Marking Scheme

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Troubleshooting. EAP-FAST Error Messages CHAPTER

Online Banking Security

Lecture 3 - Passwords and Authentication

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Security II. Slides from M. Hicks, University of Maryland

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CSCE 813 Internet Security Case Study II: XSS

Transcription:

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1

Table of Contents Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking Session Expiration Protection Conclusion Web Security, Summer Term 2012 7 Broken Authentication and Session Management 2

Broken Authentication and Session Management Account credentials and sessions tokens are often not properly protected A third can access to one s account Attacker compromise password, keys or authentication token Risks Undermine authorization and accountability controls cause privacy violation Identity Theft Method of attack: use weaknesses in authentication mechanism Logout Password Management Timeout Remember me... Web Security, Summer Term 2012 7 Broken Authentication and Session Management 3

Brute Force Attack (Cont.) Automated process of trial and error Guess a person username and password, credit-card number, cryptographic key,... System sends a value and waits for the response, then tries another value, and so on. Many systems allow the use of weak passwords An attacker will cycle through a dictionary (word by word) Generates thousands (potentially millions) of incorrect guesses When the guessed password is OK, attacker can access the account! Same technic can be used to guess encryption keys When the size of the key is small, An attacker will test all possible keys Web Security, Summer Term 2012 7 Broken Authentication and Session Management 4

Brute Force Attack (Cont.) Normal Brute Force For one username, Attacker tests many passwords Username = Emmanuel Passwords = zizou, zidane, michael-schumacher, [pet names], [birthdays], [car names],... Reverse Brute Force For one password, Attacker tests many usernames Efficient if the system has millions of users The chance that many users use the same weak password dramatically increases. Usernames= Emmanuel, Jan, Eric, Guenter,... Password = 12345678 Web Security, Summer Term 2012 7 Broken Authentication and Session Management 5

Session Spotting Attacker has the possibility to listen to the traffic of the victim Listens to the traffic at the IP level (sniffer) Client connects to the HTTP server www.mysite.com Visits a page containing a login form (url is HTTPS) Receives a cookie containing his session ID Sends his credentials encrypted (HTTPS) Attacker receives following information Session ID Sees that the user has sent his credentials (using an encrypted connection to the server) Attacker can use the cookie to be recognized as the legitimate user! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 6

Replay Attack Suppose the Victim wants to log on a web site Victim sends username and password Web Site verifies the couple If an attacker can listen to the information transfered Sniffer (unencrypted) / Trojan (encrypted) / Fishing / Man in the Middle... He can log-in the system using Username and Password Solution: Use challenge response The site sends a challenge The message sent by the user is a response to this challenge Web Security, Summer Term 2012 7 Broken Authentication and Session Management 7

Replay Attack (Cont.) Examples of Challenge/Response systems UBS (Swiss Bank) login system User receives a card and an autonomous card reader system when the user wants to log in, he first need to be recognized by the card Types a PIN on the card reader User receives a challenge sent by UBS User types the challenge in the card reader The card computes a response (can be used only one time) The user types the response of the system on the screen User is logged in! No replay Attack is possible here, since the information transferring on the network is only usable once. Web Security, Summer Term 2012 7 Broken Authentication and Session Management 8

Session Fixation Attack Attacker creates a session on a web site Sends a Request, Get a Response containing a cookie (SESSION ID=1234abcd5678) Attacker needs to maintain this session alive (send requests regularly) Attacker sends this Session ID to the victim Can be included in a phishing. He sends an email containing the reference to the following URL : http: //www.gmail.com/?page=...&session_id=1234abcd. Can be just a reference to an image on the targeted site: <img src="http://www.gmail.com/?session_id=1234abcd"> Web Security, Summer Term 2012 7 Broken Authentication and Session Management 9

Session Fixation attack (Cont.) The session can be transfered using two means: URL parameter Cookie Targeted Web site receives the request from the victim Receives a valid SESSION ID, Resends it in the links contained in the page + as cookie The page is not evaluated (browser expects an image or a javascript or a CSS or anything) But the cookie is stored in the browser. Next time the victim visits the target Browser sends automatically the cookie in the Request. Victim logs in When the attacker checks the session he/she receives the rights of the victim! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 10

Session Fixation Attack (Cont.) Do not accept preset or invalid session identifiers It is the door for Session Fixation Attack Web Security, Summer Term 2012 7 Broken Authentication and Session Management 11

Session Hijacking Credential/Session Prediction Attacker deduce or guess the session id Attacker can use the web site with victim s privileges Rights are stored in a session, only the session id is used to link the browser and its session HTTP is session-less Information is not resent in each request Guessing the Session ID permits to be the user Web Security, Summer Term 2012 7 Broken Authentication and Session Management 12

Session Hijacking: Example Many web sites generate session ID with proprietary algorithms Increment static numbers Can be more complicated (factoring in time and other computer specific variables) Session ID is sent to the client An attack can be: Attacker connects to the web site and gets a session ID Attacker calculates or Brute Forces the next session ID Attacker switches the value of the cookie and assumes the identity of the next user! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 13

Insufficient Session Expiration Can be exploited on a shared computing environment More than one person has physical access to a computer Suppose logout function sends the victim to site s home-page without deleting the session Or more likely, that the user just closed the window without logging-out Another user could go through the browser s history and view pages accessed by the victim Since the victim s session ID has not been deleted, The attacker would be able to get the privileges of the victim. Web Security, Summer Term 2012 7 Broken Authentication and Session Management 14

Protection Authentication relies on secure communication and credential storage SSL should be the only option for all authenticated parts of the application Otherwise, listening to credential is possible All credentials should be stored in hashed or encrypted form Attack on the database or file system should not compromise credentials password should systematically be hashed Private keys should never be stored clear text Web Security, Summer Term 2012 7 Broken Authentication and Session Management 15

No self-made session or SSO system Only use inbuilt session management mechanism Do not write or use secondary session handlers! Do not use remember me or home grown Single Sign On Does not apply to robust SSO or federated authentication solutions Writing a robust and secure solution requires high knowledge in security Cryptography Storage... Web Security, Summer Term 2012 7 Broken Authentication and Session Management 16

Protection (Cont.) Use a single authentication mechanism With appropriate strength and number of factors Ensure it is hard to spoofing and replay attacks Do not make the mechanism overly complex it may become subject to an attack Web Security, Summer Term 2012 7 Broken Authentication and Session Management 17

Start login process from an encrypted page Do not allow the login process to start from an unencrypted pages Always start login from a second page Encrypted Using a fresh or new session token Prevents credential or session stealing Phishing attacks and Session Fixation attacks Web Security, Summer Term 2012 7 Broken Authentication and Session Management 18

Take Care of Logout Ensure that every page has a logout link Users should not have to go to the start page to logout Logout should destroy the credentials All server side session state Client cookies Consider Human Factor Do not ask for confirmation Users will end up closing the window rather than logging out successfully Give the users information about closing sessions Use a timeout period Automatically logs out an inactive session Web Security, Summer Term 2012 7 Broken Authentication and Session Management 19

Use only strong ancillary authentication functions Ancillary authentication functions? Questions and answers for password reset Example: Maiden name of the mother : can be known from social engineering Date of birth : can be found City of birth : can be tested using a catalog attack (try all the cities in Germany) Answers should never be stored clear text Always use a one way hash function (SHA2 for instance) Web Security, Summer Term 2012 7 Broken Authentication and Session Management 20

No spoofable credentials as authentication Do not rely on credentials that can be spoofed TCP/IP spoofing IP Addresses Address range masks DNS or reverse DNS lookups... HTTP spoofing Referrer Header Web Security, Summer Term 2012 7 Broken Authentication and Session Management 21

Be careful with e-mails Do not send e-mails containing passwords Can be read Use limited-time-only random numbers to reset access And send a follow up e-mail as soon as the password has been reset Be careful of allowing users to change e-mail Send a message to the previous e-mail address before enacting the change Web Security, Summer Term 2012 7 Broken Authentication and Session Management 22

Conclusion Attacks on Credentials are numerous Session / Username and passwords / Keys From Brute Force to Session Hijacking Protection may be related with risk If you are maintaining a guestbook, or a bank site Security can not be maintained at the same level Ratios Cost/Efficiency/Usability New development Use Biometrics for providing the credentials Axionics Cards uses fingerprint Keystroke biometrics may be used for password recovery. Web Security, Summer Term 2012 7 Broken Authentication and Session Management 23

References OWASP Top 10-2007 http://www.owasp.org/index.php/top_10_2007 A Guide for Building Secure Web Applications and Web Services http://www.lulu.com/content/1401012 Web Application Security Consortium: Threat Classification (2004) http://www.webappsec.org Web Security, Summer Term 2012 7 Broken Authentication and Session Management 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback