Combating Common Web App Authentication Threats

Similar documents
Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Web Application Security. Philippe Bogaerts

Evaluating Alternatives to Passwords

Web Security, Summer Term 2012

Web Security, Summer Term 2012

WHY CSRF WORKS. Implicit authentication by Web browsers

CSCE 813 Internet Security Case Study II: XSS

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Welcome to the OWASP TOP 10

En#ty Authen#ca#on and Session Management

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Sichere Software vom Java-Entwickler

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

CIS 4360 Secure Computer Systems XSS

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Application Layer Security

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Bank Infrastructure - Video - 1

Instructions 1 Elevation of Privilege Instructions

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

COMP9321 Web Application Engineering

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

C1: Define Security Requirements

Solutions Business Manager Web Application Security Assessment

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

RKN 2015 Application Layer Short Summary

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

EasyCrypt passes an independent security audit

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

ANIXIS Password Reset

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

W H IT E P A P E R. Salesforce Security for the IT Executive

P2_L12 Web Security Page 1

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Security context. Technology. Solution highlights

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

WHITE PAPER. Authentication and Encryption Design

Microsoft Unified Access Gateway 2010

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

msis Security Policy and Protocol

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Endpoint Security - what-if analysis 1

INNOV-09 How to Keep Hackers Out of your Web Application

Scan Report Executive Summary

Identity, Authentication and Authorization. John Slankas

Exploiting and Defending: Common Web Application Vulnerabilities

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Robust Defenses for Cross-Site Request Forgery

Software and Web Security 2

Application vulnerabilities and defences

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

GET YOUR APP READY FOR QUICKBOOKS CONNECT

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

WEB SECURITY: XSS & CSRF

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection


Integrated Access Management Solutions. Access Televentures

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

CS 161 Computer Security

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Lecture 9a: Sessions and Cookies

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

1 About Web Security. What is application security? So what can happen? see [?]


CS 155 Project 2. Overview & Part A

Lesson 13 Securing Web Services (WS-Security, SAML)

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Computer Security 3/20/18

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Managing Certificates

Advantage Cloud Two-Factor Security Process

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

How to Configure Authentication and Access Control (AAA)

Configure Settings and Customize Notifications on FindIT Network Probe

CS 142 Winter Session Management. Dan Boneh

maxecurity Product Suite

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

SECURE CODING ESSENTIALS

COMP9321 Web Application Engineering

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

ColdFusion Application Security: The Next Step - Handout

Configuring Request Authentication and Authorization

COMP9321 Web Application Engineering

DreamFactory Security Guide

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Base64 The Security Killer

Robust Defenses for Cross-Site Request Forgery Review

GOING WHERE NO WAFS HAVE GONE BEFORE

CSWAE Certified Secure Web Application Engineer

Transcription:

Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com

Key Topics Key Presentation Topics Understanding Web App Authentication Managing User Authentication Securing Session Authentication Copyright 2005 Security PS 2

Web App Authentication Web App Authentication Challenges Authentication takes place with every browser-server interaction HTTP natively transmits data unencrypted Developers often fail to understand their responsibility for good authentication design Attackers are getting better at defeating web app authentication systems Copyright 2005 Security PS 3

Authentication System Model Authenticator Transport Input Verification Copyright 2005 Security PS 4

Protecting Web Content Protecting Web Content Segment protected content from unprotected Authenticate users prior to granting content access Map only appropriate user permissions or roles to content Don t rely on obscurity! Copyright 2005 Security PS 5

Types of Web Authentication Type of Web Authentication HTTP integrated Basic Digest NTLM / Kerberos Form-based POST delivered parameters Copyright 2005 Security PS 6

Protecting Data with SSL Protecting Data with SSL Allows Web server to prove identity w/ certificate from trusted Certificate Authority Initiates encrypted communications between browser and Web server Supports multiple encryption algorithms for weak to stronger protection May be needed during entire Web session, and not just during authentication Copyright 2005 Security PS 7

User Authentication User Authentication Normally relies on username and password Consider using a unique, but not meaningless, username standard Not Social Security numbers Not overly simple/predictable numbers or names Be wary of email addresses Copyright 2005 Security PS 8

Enforcing Good Passwords Enforcing Good Passwords Don t leave it all up to the user s discretion Enforce basic requirements Length Character Composition Name and word rejection Maximum lifetime Start with a good and unique default Require change upon first login Copyright 2005 Security PS 9

Error Messages Authentication Error Messages Prevent disclosure of username match in login failure messages User account not found or Password incorrect Error retrieving/updating the SecurityUserEntity or User ID or password entered is not valid Copyright 2005 Security PS 10

Auditing Authentication Failures Auditing Authentication Failures Log all successful and failed logins Alert staff when failed logins hit threshold Consider IP block or account lockout Notify user of last successful login and unsuccessful attempts Copyright 2005 Security PS 11

Forgotten Passwords Forgotten Passwords Human-centered systems for dealing with forgotten passwords are more costly Automated systems pose security challenges View password hint Provide answer to secondary secret Provide answers to pre-selected questions Email existing/new password to user Consider forcing logoff after password change Copyright 2005 Security PS 12

Password Storage Password Storage Password database should be well protected Obfuscate stored passwords using a one-way cryptographic hash function Seed hash function for greater security Copyright 2005 Security PS 13

Alternative Authenticators Alternative Authenticators Make sure that alternative means of authenticating are appropriately secure Order numbers Phone numbers Consider stronger authentication factors Hardware tokens Software tokens Client-side certificates Biometrics Copyright 2005 Security PS 14

Session IDs Session IDs Identify the user to the Web application with a temporary ID Usually stored and transmitted as a cookie Can be stored in the URL Assigned either after or prior to user authentication As valuable as a password Copyright 2005 Security PS 15

Cookie Assignment & Use GET http://www.shopapp.com/ HTTP/1.1 Host: www.shopapp.com HTTP/1.1 200 OK Date: Wed, 03 Aug 2005 19:55:04 GMT Set-Cookie: FPB=dc1hj7k1g11f288p; expires=thu, 01-Jun-2006 19:00:00 GMT; path=/; domain=www.shopapp.com Connection: close GET http:// www.shopapp.com/home.asp HTTP/1.1 Host: www.shopapp.com Cookie: FPB=dc1hj7k1g11f288p Copyright 2005 Security PS 16

Strong Session IDs Critical Factors for Strong Sessions Privacy Must be difficult to capture Predictability Must be difficult to predict Key Space Must be difficult to brute force Time Window Must be valid for limited time only Copyright 2005 Security PS 17

Session IDs - Privacy Requirement 1: Privacy Lack of SID Privacy Leads to Session Theft: 1. Obtain a valid session ID from another user s session 2. Substitute session ID and assume victim s Session ID Privacy Tips: Use SSL Use cookie flags (e.g. secure, path, non-persistent) Pass ID securely (e.g. Not in URL) Copyright 2005 Security PS 18

Session IDs - Predictability Requirement 2: Very Low Predictability Predicting A Session ID: Gather a number of cookies Find pattern; predict existing or future IDs Use predictions to steal user sessions sessionid=49pakd43301356f sessionid=49pakd43301357f sessionid=49pakd43301358f sessionid=49pakd43301359f sessionid=49pakd43301360f sessionid=49pakd43301361f Copyright 2005 Security PS 19 Example: Single increment pattern. Simple to predict.

Session IDs Key Space Requirement 3: Large Key Space Brute Forcing a Session ID: Gather a number of cookies Find any pattern to reduce key space Use a script to generate and test cookies sessionid=49akd494958f sessionid=49akd483492f sessionid=49akd459304f sessionid=50akd431333f sessionid=50akd412983f sessionid=50akd463340f Copyright 2005 Security PS 20 Example: ID with constant, pattern, and randomized values. Brute force-able.

Session IDs Time Window Requirement 4: Limited Time Window Limiting the time for an attacker to brute force, predict, or steal a session Must balance timeframe with annoyance to user Associate a server-side timestamp with each session ID Refresh timestamp each time a request associated with the session is received Give users a logoff button that expires session ID Copyright 2005 Security PS 21

Hidden Parameter Manipulation Hidden Parameter Manipulation Allow an app to access data hidden from user <form action= /comment.asp /comment.asp method= POST POST > Comment: <input name= comment comment size=20> <input type= submit submit > <input type= hidden hidden name= userid userid value= bmarshall bmarshall > </form> User Sees: Comment: I like this site Submit App Sees: comment=i like this site userid=bmarshall Copyright 2005 Security PS 22

Hidden Parameter Manipulation Parameter Injection Expected application behavior is changed by inserting parameters into a request Common examples: admin=1 Mode=debug discount_code=102 Copyright 2005 Security PS 23

Cross-Site Scripting Cross-Site Scripting (XSS) Your application may be tricked into serving up an attacker s HTML or scripts to users Commonly used to steal the user s session ID May be used to steal username & password credentials from a form Copyright 2005 Security PS 24

Cross-Site Scripting Normal Application Operation: Step 1: User submits input Step 2: Application processes input, stores values: Name = Kris Drent Email = kdrent@securityps.com Steps 3-4: Application retrieves values from database and places them on HTML page: <td> Kris Drent </td> <td> <a href= mailto:kdrent@securityps.com >kdrent@securityps.com</a> <td> Copyright 2005 Security PS 25

Cross-Site Scripting Exploited Operation: Phase 1: User submits name with unexpected HTML tags: Steve Rodgers<script>alert( Gotcha )</script> Phase 2: Application processes input, stores values: name= Steve Rodgers<script>alert( Gotcha )</script> email= srodgers@securityps.com Phase 3-4: Application retrieves values from database and places them on HTML page: <td> Steve Rodgers<script> alert( Gotcha ) </script> </td> <td> <a href= mailto:srodgers@securityps.com >srodgers@securityps.com</a> Copyright 2005 Security PS 26 <td>

XSS Solutions Cross-Site Scripting Solutions Perform data validation Inspect all input for expected characters and formatting Prepare all output for proper encoding Build this into global app data validation library for regular reuse Copyright 2005 Security PS 27

Phishing Phishing Act of tricking users into sending their login credentials or other info to attacker Must focus on user to hinder Educate about communication policies Stick with communication policies Authenticate the organization to the user Make phishing easy to report Copyright 2005 Security PS 28

Summary Summary & Call to Action Take initiative to implement strong user authentication now Investigate how web apps handle session ID generation and management Validate input to prevent XSS and SQL injection Visit www.passwordresearch.com Copyright 2005 Security PS 29

Copyright 2005 Security PS 30 Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback