Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Slides:



Advertisements
Similar presentations
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Advertisements

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Attacking Session Management Juliette Lessing
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
The Hacker Mindset CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to Application Penetration Testing
Workshop 3 Web Application Security Li Weichao March
PHP Security.
Web Security Overview Lohika ASC team 2009
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
A Security Review Process for Existing Software Applications
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.
PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER.
1 Chapter 9 – Cookies, Sessions, FTP, and More spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information Science.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/
The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
SecurityPHPApril 2010 : [‹#›] PHP Security. SecurityPHPApril 2010 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less.
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Security Issues with PHP  PHP installation  PHP programming Willa Zhu & Eugene Burger.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.
1 PHP HTTP After this lecture, you should be able to know: How to create and process web forms with HTML and PHP. How to create and process web forms with.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Web Application Vulnerabilities
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
World Wide Web policy.
ITM 352 Cookies.
Web Programming Language
PHP Forms and Databases.
Presentation transcript:

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Adam Doupé, Security and Vulnerability Analysis Definitions Authentication –Who is the user? –Breaking means impersonating another user Authorization –What is the user allowed to do? Admin, regular, guest, … –Attacking means performing actions that you're not allowed to do Often intertwined –If you're able to break the authentication to log in as a different user, then you've also broken authorization

Adam Doupé, Security and Vulnerability Analysis Attacking Authentication Eavesdropping credentials/authenticators Brute-forcing/guessing credentials/authenticators Bypassing authentication –SQL Injection (later) –Session fixation

Adam Doupé, Security and Vulnerability Analysis Eavesdropping Credentials and Authenticators If the HTTP connection is not protected by SSL it is possible to eavesdrop the credentials: –Username and password sent as part of an HTTP basic authentication exchange –Username and password submitted through a form –The authenticator included as cookie, URL parameter, or hidden field in a form The "secure" flag on cookies is a good way to prevent accidental leaking of sensitive authentication information

Adam Doupé, Security and Vulnerability Analysis Brute-forcing Credentials and Authenticators If authenticators have a limited value domain they can be brute-forced (e.g., 4-digit PIN) –Note: lockout policies might not be enforced in mobile web interfaces to accounts If authenticators are chosen in a non-random way they can be easily guessed –Sequential session IDs –User-specified passwords –Example: observed at 15:10 of November 9, 2010 Long-lived authenticators make these attacks more likely to succeed 5

Adam Doupé, Security and Vulnerability Analysis Bypassing Authentication Form-based authentication may be bypassed using carefully crafted arguments Authentication, in certain case can be bypassed using forceful browsing Weak password recovery procedures can be leveraged to reset a victim’s password to a known value Session fixation forces the user’s session ID to a known value –For example, by luring the user into clicking on a link such as: foo The ID can be a fixed value or could be obtained by the attacker through a previous interaction with the vulnerable system 6

Adam Doupé, Security and Vulnerability Analysis Session Fixation (1) GET /login.py (2) session=4242 bank.com 7 (3) GET /form.py?user=joe&pwd=foo&session=4242 (4) GET /balance.py?session=4242 (4) OK

Adam Doupé, Security and Vulnerability Analysis Session Fixation (1) GET /login.py (2) session=55181 (6) GET /balance.py?session=55181 (3) Attacker lures victim into clicking on (4) GET /login.py?session=55181 (5) GET /form.py?user=joe&pwd=foo&session=55181 bank.com Victim Attacker 8

Adam Doupé, Security and Vulnerability Analysis Session Fixation If the application blindly accepts an existing session ID, then the initial setup phase is not necessary Session IDs should always be regenerated after login and never allowed to be “inherited” Session fixation can be composed with cross-site scripting to achieve session id initialization (e.g., by setting the cookie value) See: M. Kolsek, “Session Fixation Vulnerability in Web-based Applications” 9

Adam Doupé, Security and Vulnerability Analysis Authorization Attacks Path/directory traversal attacks –Break out of the document space by using relative paths GET /show.php?file=../../../../../../etc/passwd Paths can be encoded, double-encoded, obfuscated, etc: –GET show.php?file=%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd Forceful browsing –The Web application developer assumes that the application will be accessed through links, following the “intended paths” –The user, however, is not bound to follow the prescribed links and can “jump” to any publicly available resource Automatic directory listing abuse –The browser may return a listing of the directory if no index.html file is present and may expose contents that should not be accessible 10

Adam Doupé, Security and Vulnerability Analysis Authorization Attacks Parameter manipulation –The resources accessible are determined by the parameters to a query –If client-side information is blindly accepted, one can simply modify the parameter of a legitimate request to access additional information GET /cgi-bin/profile?userid=1229&type=medical GET /cgi-bin/profile?userid=1230&type=medical Parameter creation –If parameters from the URL are imported into the application, can be used to modify the behavior GET /cgi- bin/profile?userid=1229&type=medical&admin=1 11

Adam Doupé, Security and Vulnerability Analysis PHP register_global The register_global directive makes request information, such as the GET/POST variables and cookie information, available as global variables Variables can be provided so that particular, unexpected execution paths are followed 12

Adam Doupé, Security and Vulnerability Analysis PHP – register_globals Feedback Page Feedback Page <?php if ($name && $comment) { $file = fopen("user_feedback", "a"); fwrite($file, "$name:$comment\n"); fclose($file); echo "Feedback submitted\n"; } ?>

Adam Doupé, Security and Vulnerability Analysis Example <?php if ($_GET["password"] == "secretunguessable1u90jkfld") { $admin = true; } if ($admin) { show_secret_admin_stuff(); } … ?>

Adam Doupé, Security and Vulnerability Analysis – GET /example.php?password=foo&admin=1 <?php if ($_GET["password"] == "secretunguessable1u90jkfld") { $admin = true; } if ($admin) { show_secret_admin_stuff(); } … ?>

Adam Doupé, Security and Vulnerability Analysis Server (Mis)Configuration: Unexpected Interactions FTP servers and web servers often run on the same host If data can be uploaded using FTP and then requested using the web server it is possible to –Execute programs using CGI (upload to cgi-bin) –Execute programs as web application –…–… If a web site allows one to upload files (e.g., images) it might be possible to upload content that is then requested as a code component (e.g., a PHP file) 16

Adam Doupé, Security and Vulnerability Analysis Summary Attacks against Authentication and Authorization allow one to trick the web applications –Thinking that you're someone else –Giving you access to something that you shouldn't

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.