Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Similar documents
Web Security, Summer Term 2012

Web Security, Summer Term 2012

Combating Common Web App Authentication Threats

Hacking Web Sites OWASP Top 10

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Bank Infrastructure - Video - 1

Authentication Security

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

SECURING APACHE : ATTACKS ON SESSION MANAGEMENT

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web Application Security. Philippe Bogaerts

Copyright

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

En#ty Authen#ca#on and Session Management

Computer Security 3/20/18

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

5. Authentication Contents

Hacking Web Sites 3) Insecure Direct Object Reference

Welcome to the OWASP TOP 10

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

CSC 474 Network Security. Authentication. Identification

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

Web Programming 4) PHP and the Web

Secure Session Management

Security Awareness. Chapter 2 Personal Security

PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Authentication Methods

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Lecture 3 - Passwords and Authentication

CS530 Authentication

Curso: Ethical Hacking and Countermeasures

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CSE 565 Computer Security Fall 2018

P2_L12 Web Security Page 1

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Who are you? Enter userid and password. Means of Authentication. Authentication 2/19/2010 COMP Authentication is the process of verifying that

Endpoint Security - what-if analysis 1

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Vidder PrecisionAccess

1 About Web Security. What is application security? So what can happen? see [?]

Intruders, Human Identification and Authentication, Web Authentication

Lecture 3 - Passwords and Authentication

Cyber security tips and self-assessment for business

SE420 Software Quality Assurance

Controlling Website Account Information. A recent survey done by Privacy Rights Clearinghouse shows that in the past five years

Chapter 2. Switch Concepts and Configuration. Part II

Frequently Asked Questions (FAQ)

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Introduction...1. Authentication Methods...1. Classes of Attacks on Authentication Mechanisms...4. Security Analysis of Authentication Mechanisms...

Security and Authentication

Computer Security 4/12/19

Web Application Whitepaper

COMP9321 Web Application Engineering

Solutions Business Manager Web Application Security Assessment

Web Security: Countermeasures for Application level Attacks

Security and Privacy

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Securing today s identity and transaction systems:! What you need to know! about two-factor authentication!

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Robust Defenses for Cross-Site Request Forgery

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Pass, No Record: An Android Password Manager

CNT4406/5412 Network Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Addressing Credential Compromise & Account Takeovers: Bearersensitive. Girish Chiruvolu, Ph.D., CISSP, CISM, MBA ISACA NTX April 19

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Defeating All Man-in-the-Middle Attacks

Troubleshooting. EAP-FAST Error Messages CHAPTER

Security context. Technology. Solution highlights

Access Controls. CISSP Guide to Security Essentials Chapter 2

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Keep the Door Open for Users and Closed to Hackers

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

ACS 5.x: LDAP Server Configuration Example

CS 142 Winter Session Management. Dan Boneh

On the Effective Prevention of TLS Man-in-the-Middle Attacks in Web Applications

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Application Layer Security

e-commerce Study Guide Test 2. Security Chapter 10

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Internet Security VU Web Application Security 3. Adrian Dabrowski, Johanna Ullrich, Aljosha Judmayer, Georg Merzdovnik, and Christian Kudera

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Robust Defenses for Cross-Site Request Forgery


CSWAE Certified Secure Web Application Engineer

HOST Authentication Overview ECE 525

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Securing Internet Communication: TLS

Transcription:

Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking Session Expiration Protection Conclusion Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2 Broken Authentication Introduction Account credentials and sessions tokens are often not properly protected A third party can access to one s account Attacker compromise password, keys or authentication token Risks Undermine authorization and accountability controls cause privacy violation Identity Theft Method of attack: use weaknesses in authentication mechanism Logout Password Management Timeout Remember me... Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 3 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 4

Examples of Attacks Brute Force Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 5 Brute Force Attack Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 6 Brute Force Attack (Cont.) Automated process of trial and error Guess a person username and password, credit-card number, cryptographic key,... System sends a value and waits for the response, then tries another value, and so on. Often done off-line with extracts of the DataBase Can be done on-line on unprotected sites Many systems allow the use of weak passwords An attacker will cycle through a dictionary (word by word) Generates thousands (potentially millions) of incorrect guesses When the guessed password is OK, attacker can access the account! Same technic can be used to guess encryption keys When the size of the key is small, An attacker will test all possible keys Normal Brute Force For one username, Attacker tests many passwords Username = Emmanuel Passwords = 1234567, qwertz, asdfgh, abcd,... [pet names], [birthdays], [car names], [dictionary]... Reverse Brute Force For one password, Attacker tests many usernames Efficient if the system has millions of users The chance that many users use the same weak password dramatically increases. Usernames= Emmanuel, Jan, Eric, Guenter,... Password = 12345678 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 7 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 8

Session Spotting Session Spotting Attacker has the possibility to listen to the traffic of the victim Listens to the traffic at the IP level (sniffer) Client connects to the HTTP server www.mysite.com Visits a page containing a login form (url is HTTPS) Receives a cookie containing his session ID Sends his credentials encrypted (HTTPS) Attacker receives following information Session ID Sees that the user has sent his credentials (using an encrypted connection to the server) Attacker can use the cookie to be recognized as the legitimate user! Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 9 Unsecure cookies Attacker has the possibility to listen to the traffic of the victim Listens to the traffic at the IP level (sniffer). Client connects to the HTTPS server https://www.mybank.com Client receives a cookie containing the session ID. This cookie is resent each time the browser accesses this site. The cookie is linked to an active session on the secure server. Victim visits a page on the unsecure web site http://www.mybank.com For seeing some advertisement for instance. The cookie (if not secure ) will be sent unencrypted to the server. Attacker can see the sessionid Attacker can impersonate the victim Solution: Use only secure cookies (set the bit secure on) Do not reuse existing cookies. Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 11 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 10 Replay Attack Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 12

Replay Attack Replay Attack (Cont.) Examples of Challenge/Response systems Suppose the Victim wants to log on a web site Victim sends username and password Web Site verifies the couple If an attacker can listen to the information transfered Sniffer (unencrypted) / Trojan (encrypted) / Fishing / Man in the Middle... He can log-in the system using Username and Password Solution: Use challenge response The site sends a challenge The message sent by the user is a response to this challenge UBS login system User receives a card and an autonomous card reader system when the user wants to log in, he first need to be recognized by the card Types a PIN on the card reader User receives a challenge sent by UBS User types the challenge in the card reader The card computes a response (can be used only one time) The user types the response of the system on the screen User is logged in! No replay Attack is possible here, since the information transferring on the network is only usable once. Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 13 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 14 Session Fixation Attack Session Fixation Attack Attacker creates a session on a web site Sends a Request, Get a Response containing a cookie (SESSION ID=1234abcd5678) Attacker needs to maintain this session alive (send requests regularly) Attacker sends this Session ID to the victim Can be included in a phishing. He sends an email containing the reference to the following URL : https: //www.ebanking.com/?page=...&session_id=1234abcd. Can be a link: <a href="https://www.ebanking.com/?session_id=1234abcd"> Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 15 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 16

Session Fixation attack (Cont.) Session Fixation Attack (Cont.) Victim clicks on the given link <a href="https://www.ebanking.com/?session_id=1234abcd"> Browser sends automatically the SessionID within the request Session 1234abcd is used by the victim Victim logs in, The session is valid. When the attacker checks the session he/she receives the rights of the victim! Do not accept preset or invalid session identifiers It is the door for Session Fixation Attack Reset the SessionID when a login occurs Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 17 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 18 Session Hijacking Session Hijacking Credential/Session Prediction Attackers deduce or guess the session id Attackers can use the web site with victim s privileges Rights are stored in a session, only the session id is used to link the browser and its session HTTP is session-less Information is not resent in each request Guessing the Session ID permits to be the user Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 19 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 20

Session Hijacking: Example Real life Example Many web sites generate session ID with proprietary algorithms Increment static numbers Can be more complicated (factoring in time and other computer specific variables) Session ID is sent to the client An attack can be: Attacker connects to the web site and gets a session ID Attacker calculates or Brute Forces the next session ID Attacker switches the value of the cookie and assumes the identity of the next user! One web site has a password lost page Users having lost their password ask for a renewal They receive an email containing a link: <a href="https://site.com/reset?token=34349ab9938bc"> Renew Password </a> User clicks on this link, he accesses a page where he can reset his password. Token is generated by a PRNG Pseudo Random Number Generator are well known. PRNG of PHP, Java, C, Phython,... are well documented A number is used as seed for the next number If one knows one number, one can generate the next one Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 21 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 22 Real life Example (Cont.) Exploit Ask for renewal of password of a real user Get the token Ask for the renewal of password of the administrator Mail is sent to the admin (attacker can not read it) Use the first token as seed to get the new token Use the new token to reset the password of the admin. Session Expiration Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 23 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 24

Insufficient Session Expiration Can be exploited on a shared computing environment More than one person has physical access to a computer Suppose logout function sends the victim to site s home-page without deleting the session Or more likely, that the user just closed the window without logging-out Another user could go through the browser s history and view pages accessed by the victim Since the victim s session ID has not been deleted, The attacker would be able to get the privileges of the victim. Protection Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 25 Protection Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 26 No self-made session or SSO system Authentication relies on secure communication and credential storage SSL should be the only option for all authenticated parts of the application Otherwise, listening to credential is possible All credentials should be stored in hashed or encrypted form Attack on the database or file system should not compromise credentials password should systematically be hashed Private keys should never be stored clear text Only use inbuilt session management mechanism Do not write or use secondary session handlers! Do not use remember me or home grown Single Sign On Does not apply to robust SSO or federated authentication solutions Writing a robust and secure solution requires high knowledge in security Cryptography Storage... Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 27 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 28

Protection (Cont.) Start login process from an encrypted page Use a single authentication mechanism With appropriate strength and number of factors Ensure it is hard to spoofing and replay attacks Do not make the mechanism overly complex it may become subject to an attack Do not allow the login process to start from an unencrypted pages Always start login from a second page Encrypted Using a fresh or new session token Prevents credential or session stealing Phishing attacks and Session Fixation attacks Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 29 Take Care of Logout Ensure that every page has a logout link Users should not have to go to the start page to logout Logout should destroy the credentials All server side session state Client cookies Consider Human Factor Do not ask for confirmation Users will end up closing the window rather than logging out successfully Give the users information about closing sessions Use a timeout period Automatically logs out an inactive session Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 30 Use only strong ancillary authentication functions Ancillary authentication functions? Questions and answers for password reset Example: Maiden name of the mother : can be known from social engineering Date of birth : can be found in Facebook (or even Wikipedia) City of birth : can be tested using a catalog attack (try all the cities in Switzerland) Answers should never be stored clear text Always use a one way hash function (SHA2 for instance) Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 31 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 32

No spoofable credentials as authentication Be careful with e-mails Do not rely on credentials that can be spoofed TCP/IP spoofing IP Addresses Address range masks DNS or reverse DNS lookups... HTTP spoofing Referrer Header Do not send e-mails containing passwords Can be read Use limited-time-only random numbers to reset access And send a follow up e-mail as soon as the password has been reset Be careful of allowing users to change e-mail Send a message to the previous e-mail address before enacting the change Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 33 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 34 Conclusion Conclusion Attacks on Credentials are numerous Session / Username and passwords / Keys From Brute Force to Session Hijacking Protection may be related with risk Risk for a guestbook e-banking Security can not be maintained at the same level Ratios Cost/Efficiency/Usability New development Use Biometrics for providing the credentials Axionics Cards used fingerprint Keystroke biometrics may be used for password recovery. Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 35 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 36

References OWASP Top 10, A2:2017 http://www.owasp.org/index.php/top_10_2017 OWASP - A Guide for Building Secure Web Applications and Web Services Web Application Security Consortium: Threat Classification http://www.webappsec.org Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback