Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

OWASP Rochester. Investigating: Web Site Access Control, Authentication, and Session Management Problems, by Steve Buck

Web Site Access Control
- What is Access Control?
- When is Access Control Used?
- How can Access Control Break?
- How can Access Control Problems be fixed?

What is Access Control?
- The mechanism used to govern what valid users can do on a website.
- Users should only be able to access the information that they are supposed to be allowed to access.
- Unauthenticated users should not be allowed to access areas meant only for authenticated users.
- Users must be authenticated.
- Is sometimes called authorization.

When is Access Control Used?
- Whenever a web site has information that needs to be protected.
- To protect company-sensitive information.
- Can also be used to protect external APIs.

How Can Access Control Break?
- Many, many ways.
- It is a simple problem to think about, but not necessarily a simple solution.
- Sometimes developers will implement the authentication scheme and forget to implement a good access control mechanism.
- Sometimes the rules for the access control mechanism are too complex and just do not work.

How to Fix Access Control Problems
- Evaluate your needs; break your access down into:
  - Users
    - Label users by type.
  - Assets
  - Access Rules
- Once this breakdown has taken place, capture the rules in one central rules router.

How to Fix...part 2
- "If you can't easily explain your access control mechanism...it's probably broken."
- When the rules are captured, there needs to be a mechanism that will allow these rules to be implemented:
  - AccessController + security.policy as part of J2SE
  - Custom-built ACLs and capability lists.
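The two preceding slides describe the shape of a fix: label users by type, name the assets, write the rules in one place, and route every check through that one place. The following is an added example of such a central rules router in Python; it is not code from the presentation or from OWASP. The roles, asset names and rules are constructed for illustration, and the `require_access` decorator is a hypothetical way of attaching the check to a request handler. The point it makes is that an unauthenticated caller and an unlisted (role, asset, action) combination are both denied by default, without any per-handler logic.

```python
"""Central access-control decision point (added example, not from the slides).

Users are labelled by type (role), assets are named, and every access rule
lives in one table. Anything not listed is denied, and an unauthenticated
caller is denied before any rule is consulted. Roles, assets and rules here
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


# The one place rules are written down: each (role, asset, action) listed
# here is allowed; everything else is denied.
RULES = frozenset({
    ("employee", "timesheet", "read"),
    ("employee", "timesheet", "write"),
    ("manager", "salary", "read"),
    ("hr", "salary", "read"),
    ("hr", "salary", "write"),
})


def decide(user: Optional[User], asset: str, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every handler routes its check through here."""
    if user is None:
        return False, "unauthenticated"
    for role in sorted(user.roles):
        if (role, asset, action) in RULES:
            return True, f"rule ({role}, {asset}, {action})"
    return False, "no matching rule (default deny)"


def is_allowed(user: Optional[User], asset: str, action: str) -> bool:
    return decide(user, asset, action)[0]


def require_access(asset: str, action: str):
    """Hypothetical decorator applying the central check to a request handler.

    Handlers return an (http_status, body) pair; a denied request never
    reaches the handler body.
    """
    def wrap(handler):
        def guarded(user, *args, **kwargs):
            allowed, reason = decide(user, asset, action)
            if not allowed:
                return 403, f"forbidden: {reason}"
            return handler(user, *args, **kwargs)
        return guarded
    return wrap


@require_access("salary", "write")
def update_salary(user: User, employee: str, amount: int):
    return 200, f"{user.name} set {employee} salary to {amount}"


if __name__ == "__main__":
    hr = User("pat", frozenset({"employee", "hr"}))
    clerk = User("sam", frozenset({"employee"}))
    print(update_salary(hr, "sam", 50000))    # (200, ...)
    print(update_salary(clerk, "sam", 99999)) # (403, 'forbidden: no matching rule (default deny)')
    print(update_salary(None, "sam", 1))      # (403, 'forbidden: unauthenticated')
```

Because `RULES` is the only thing that needs reading to explain who may do what, it is also the thing to hand to the person who knows the business rules when testing the mechanism.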

How to Test Access Control
- No one "right" way to test access control.
- There are some tools:
  - WebGoat
  - WebScarab
- None of these are really comprehensive.
- Have someone that knows the business rules and the technology try to break it.

Authentication and Session Management
- What is the purpose of Authentication and Session Management?
- What are some important issues to be aware of in regard to session management and authentication?
- How are these session management and authentication problems detected?
- How are these session management and authentication problems resolved?

Purpose of Authentication and Session Management
- The purpose of Authentication is to make sure that a person signing into the site is who they say they are.
- Session management is used to maintain information about the user in a container accessible programmatically by the webapp.

Issues with Authentication and Session Management
- Plain text authentication.
- Authentication done with a "GET" method.
- Session Hijacking.
- Session Fixation.

Plain Text Authentication
- Authentication is usually done with a textual username and password login.
- If there is no encryption of this login between the browser and the server, the authentication mechanism leaves itself vulnerable to snooping.

"GET" method Authentication
- The authentication becomes vulnerable because when the "GET" method is used, all of the page parameters are left in the URL.
- This means that if the user happens to copy or bookmark that URL, they will store their username and password in the copied/bookmarked URL.
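A URL that carries credentials does not only end up in bookmarks; it is also written to the web server's access log and can be sent on in a Referer header. The following is an added example (not part of the presentation) of the check a defender can run over access logs to find login requests that put credential parameters in the query string, together with the server-side rule that the login endpoint should refuse anything but POST. The log lines are constructed for this example and the parameter names in `CRED_PARAMS` are an assumed list.

```python
"""Find credentials leaked into URLs via GET (added example, not from the slides).

Scans Common Log Format lines for requests whose query string carries a
parameter that looks like a username or password. The sample log is
constructed for this example; CRED_PARAMS is an assumed list of names.
"""
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never appear in a query string (assumed list).
CRED_PARAMS = {"username", "user", "password", "passwd", "pwd", "pass"}

# Constructed sample access log: one GET login, one POST login, one harmless
# search whose *value* mentions "password" but whose key does not.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "GET /login?username=alice&password=s3cret HTTP/1.1" 302 0
10.0.0.6 - - [10/Oct/2015:13:55:40 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.7 - - [10/Oct/2015:13:56:01 +0000] "GET /search?q=password+policy HTTP/1.1" 200 4821
"""

# Pull the method and request-target out of the quoted request line.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credentials_in_urls(log_text: str) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line number, method, path, leaked parameter names) per offending line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(name for name in qs if name.lower() in CRED_PARAMS)
        if leaked:
            findings.append((lineno, m.group("method"), parts.path, leaked))
    return findings


def login_method_allowed(method: str) -> bool:
    """Server-side rule: the login endpoint accepts POST only, so credentials
    travel in the request body and never in the request line."""
    return method.upper() == "POST"


if __name__ == "__main__":
    for lineno, method, path, leaked in find_credentials_in_urls(SAMPLE_LOG):
        print(f"line {lineno}: {method} {path} exposes {', '.join(leaked)} in the URL")
```

Running the scan over `SAMPLE_LOG` reports only line 1: the POST login carries its parameters in the body, and the search request is ignored because the credential word appears in a value, not a parameter name.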

Session Hijacking
- There are many ways in which session hijacking can occur.
- This can happen from anything from an intentional, targeted attack to even something accidental.
- The important thing is that even though there may not be any specifically sensitive material passed, the attacker can possibly get to sensitive material through hijacking the session.

Session Fixation
- There is nothing accidental about session fixation.
- The attacker will start a legitimate session on the app server.
- The attacker will then force the victim into taking that session and attaching their authorized account to the session.
- Once that has occurred, the attacker has access to the victim's account.
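The slide's sequence can be reproduced against a small in-memory session store, and that shows the single change that defeats it: issue a fresh session identifier at login and discard the pre-login one, so the identifier the attacker knows never becomes an authenticated session. The following is an added example written for this page, not code from the presentation or any framework; the session store, the user table and the password check are constructed for illustration.

```python
"""Session fixation: a store with and without id regeneration at login
(added example, not from the slides). USERS and the store are constructed."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential table; a real application would store password hashes.
USERS = {"victim": "correct horse battery staple"}


class SessionStore:
    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions: Dict[str, dict] = {}   # session id -> attributes

    def new_session(self) -> str:
        """Create an anonymous session with an unpredictable identifier."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: Optional[str], username: str, password: str) -> str:
        """Authenticate and return the session id the client must use from now on."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        if sid not in self._sessions:
            sid = self.new_session()          # never adopt an id the server did not issue
        if self.regenerate_on_login:
            # Hardened path: the pre-login id is retired and a new one issued,
            # so whoever knew the old id learns nothing from the login.
            del self._sessions[sid]
            sid = self.new_session()
        self._sessions[sid]["user"] = username
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


def fixation_outcome(regenerate_on_login: bool) -> Optional[str]:
    """Replay the slide's steps; return which account the attacker's id resolves to."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.new_session()        # step 1: attacker starts a legitimate session
    # step 2: the victim ends up using attacker_sid and logs in with it
    store.login(attacker_sid, "victim", "correct horse battery staple")
    # step 3: does the id the attacker holds now carry the victim's account?
    return store.user_for(attacker_sid)


if __name__ == "__main__":
    print("no regeneration:", fixation_outcome(False))   # victim
    print("regenerate at login:", fixation_outcome(True)) # None
```

With `regenerate_on_login=False` the attacker's identifier resolves to the victim's account after the victim logs in, which is the outcome the slide describes; with regeneration the old identifier is gone and the victim's authenticated session lives only under an id the attacker never saw.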

How are these problems detected?
- Can be detected through scanning tools, such as Nessus, Nmap, etc.
- Can be detected by security-minded QA divisions.
- Unfortunately these problems usually slip out to production at one point or another in an app's production lifetime, so sometimes they are detected by the application users.

How are these problems solved?
- There are many different things that can be done in order to solve these problems:
  - Make sure that all authentication happens in an SSL environment with good certificates.
  - Make sure that authentication is done some other way than with a GET.
  - Use cookies for session maintenance.
  - Require re-authentication whenever important activities take place.
  - Be very careful with sensitive information.
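Two of the fixes above are easy to state and easy to get subtly wrong in configuration: a session cookie that is sent over plain HTTP or readable from script undoes the SSL requirement, and "require re-authentication for important activities" needs a concrete rule. The following is an added example, not code from the presentation: a small audit of a Set-Cookie header for the hardening attributes, and a re-authentication gate that refuses a sensitive action when the last login is older than an assumed policy window. The header strings and the 300-second window are constructed for this example.

```python
"""Session cookie audit and re-authentication gate (added example, not from
the slides). Header samples and the policy window are constructed."""
import time
from typing import Callable, List

# Attributes a session cookie should carry: Secure keeps it off plain HTTP,
# HttpOnly keeps it away from script. SameSite is checked separately because
# any of its values (Strict/Lax) counts as present.
REQUIRED_COOKIE_ATTRS = {"secure", "httponly"}
REAUTH_WINDOW_SECONDS = 300   # assumed policy: re-login if the last one is older than 5 min


def cookie_audit(set_cookie_value: str) -> List[str]:
    """Return the hardening attributes missing from a Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    # parts[0] is name=value; the remainder are attributes, possibly with "=value".
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    missing = sorted(REQUIRED_COOKIE_ATTRS - attrs)
    if "samesite" not in attrs:
        missing.append("samesite")
    return missing


class StaleAuthentication(Exception):
    """Raised when an important action is attempted on an old login."""


def perform_sensitive_action(session: dict, now: float, action: Callable[[], str]) -> str:
    """Run `action` only if the session's last authentication is recent enough.

    `session["authenticated_at"]` is the epoch time of the last successful
    login; the caller is expected to send the user back to the login form
    and refresh it when StaleAuthentication is raised.
    """
    age = now - session["authenticated_at"]
    if age > REAUTH_WINDOW_SECONDS:
        raise StaleAuthentication(f"last login {age:.0f}s ago; re-authenticate first")
    return action()


if __name__ == "__main__":
    weak = "JSESSIONID=abc123; Path=/"
    hardened = "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
    print("weak cookie missing:", cookie_audit(weak))        # ['httponly', 'secure', 'samesite']
    print("hardened cookie missing:", cookie_audit(hardened)) # []

    session = {"user": "alice", "authenticated_at": time.time() - 60}
    print(perform_sensitive_action(session, time.time(), lambda: "password changed"))
    session["authenticated_at"] = time.time() - 3600
    try:
        perform_sensitive_action(session, time.time(), lambda: "password changed")
    except StaleAuthentication as exc:
        print("blocked:", exc)
```

The audit is the kind of check to run against the headers an application server actually emits after it has been "configured properly", since the defaults of many servers omit one or more of these attributes.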

Solving Problems Part 2
- A lot of the problems are solved for us depending upon what sort of environment we are working in. For example:
  - Most web application servers will maintain sessions for us now; we just have to configure them properly.
  - There are some cases where application frameworks are purchased (e.g. "portal" apps) that will take care of the authentication for us.