Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Login, Cookies 2015. 01. 26.. Web Login | Old way HTML

Published byDuane Jacobs Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Login, Cookies 2015. 01. 26.. Web Login | Old way HTML"— Presentation transcript:

1 Web Login, Cookies 2015. 01. 26.

2 Web Login | Old way http://blog.parhammajd.co.uk/css/a-simple-login-form-css/ HTML http://resources.infosecinstitute.com/vulnerable-encoded-url/

3 What’s Wrong User ID and password is transferred in plaintext – Anybody can learn your password Adversary can directly send HTTP requet with password in URL – Easy target for brute force attack Very common in 90s to early 2000s https://samsclass.info/123/proj10/p3-sniff.htm

4 Simple Fixes Secure Hash – Send hash of the password instead of plaintext – But… HTTPS – Associate SSL/TLS session before login Most of the web site performs this – But…

5 TLS One-Way Authentication TLS requires digital signature for authentication To sign, signing certificate is required – Issuing user certificates is expensive Current TLS(HTTPS) authentication – Only server signs, client does not  Client authenticates server, but server does not Threat – Nasty proxy server can re-encrypt, re-sign all the packets Most of the hotels and IT kiosks does this thing And many big companies too

6 Simple Attack | SQL Injection txtUserId = getRequestString("UserId"); txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId; http://code.tutsplus.com/tutorials/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations--net-51

7 SQL Injection https://xkcd.com/327/ http://www.abluestar.com/blog/sql-injection-license-plate/

8 SQL Injection Protection Simple solution: Blacklist – Attacker can eventually circumvent Input Sanitization – Modern database engine supports input sanitization feature i.e) @ marker in JavaScript i.e) %Q format string in SQLite

9 How CSRF Works bank.com Web App Web App Browser Bug!Bug! evil.org Web App Web App LoginLogin 1000$1000$ RequestRequest GET / HTTP/1.1 Host: www.evil.org GET / HTTP/1.1 Host: www.evil.org ResponseResponse HTTP/1.1 200 OK...... <img src=“http://bank.com/transfer ?to=hacker&amount=1000$“/>... HTTP/1.1 200 OK...... <img src=“http://bank.com/transfer ?to=hacker&amount=1000$“/>... CSRF-AttackCSRF-Attack GET/transfer?to=hacker &amount=1000$ HTTP/1.1 Host: bank.com GET/transfer?to=hacker &amount=1000$ HTTP/1.1 Host: bank.com http://www.slideshare.net/BjrnKimminich/web-application-security-21684264

10 Protection From CSRF Add a small token for each request – Should not be automatic – Should be cryptographically strong – Should not be exposed easily CSRF with XSS will be very powerful http://www.slideshare.net/BjrnKimminich/web-application-security-21684264

11 XSS Flow Example Server Browser DatabaseDatabase Web Application Bug!Bug! WebsiteWebsite Server Response HTMLHTML URLURL Initial Request URLURL Subsequent Victim Request http://www.slideshare.net/BjrnKimminich/web-application-security-21684264

12 XSS Pattern Simple Patterns – javascript:alert('XSS'); – Masked / Evasive Patterns – – alert("XSS") "> – Whitelisting of the input is required – There are sanitizer tools (i.e) OWASP HTML JAVA sanitizer http://www.slideshare.net/BjrnKimminich/web-application-security-21684264

13 HTTP Session Management HTTP is “stateless” protocol – Cannot keep information over a series of accesses Server should maintain “session” somehow Simple old solution – Use hidden form in HTML Web server assigns random value on this form User does not see the value BUT…

14 HTTP Cookie A special value created by server and sent to client Client stores the value and attach it on later access to the same domain http://www.slideshare.net/RitikaBarethia/presentation-on-internet-cookies

15 HTTP Cookie | scope Expiry information – (YYYY/MM/DD/, HH/MM/SS) – Usually 20 minutes Path Information – Available path in the domain (i.e /customer/php/) Domain Information – i.e) comp427.edu Etc. http://slideplayer.com/slide/8067872/

16 What’s Wrong This Time It’s still plaintext – Attacker can easily impersonate / hijack – HTTPS can protect this (but not perfectly) https://pineappleorange.wordpress.com/tag/wireshark/

17 Firesheep (2010) A Firefox extension by Eric Butler – Eavesdrop network traffic – Extract unencrypted cookie – Show up hijacked user credential – Attacker can access the site http://www.pcworld.com/article/208773/Firesheeps_a_Huge_Hit_with_Amateur_Hackers.html

18 Solutions Bearer token – Server creates random token to client, other than cookie – Risky when attacker learns the token design Existing solutions – i.e.) Kerberos: Old, but secure authentication protocol Proprietary solutions – Powered by HTML5, many major web sites provides their own solutions

19 Kerberos (v5, 1993) Authentication protocol – Part of MIT Project (Athena) Secure Session Management – User needs to enter password only 1 time Widely used by many systems Does not require public key cryptography and hash functions – Based on 80’s technology

20 Kerberos Protocol https://courses.cs.washington.edu/courses/csep590/06wi/lectures/slides/LaMacchia_012406.ppt

21 Password Management Users manage ID and password for each web site – Mostly same (easy) password and never change Each web site’s password policy is different – Infeasible to remember all the passwords if a user manages them differently – Password recovery questions are very stupid i.e) “Name of the city you born” for Monaco citizen Password management application is required – Do you trust your password manager?

22 Trend Micro Password Manager Google found vulnerability in Trend Micro Password Manager (01.2016) – Password manager itself is a privileged start up service – It is basically a web engine – Accepts JavaScript from the web sites!!! https://code.google.com/p/google-security-research/issues/detail?id=693 x = new XMLHttpRequest() x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/w indows/system32/calc.exe true); try { x.send(); } catch (e) {};

23 OpenID Decentralized single sign on(SSO) mechanism – User ID is a URI i.e) http://danwallach.comp427.eduhttp://danwallach.comp427.edu Any URI is possible – Web server asks the URI for authenticity User information does not goes to web sites There are extension APIs to transfer user information – Under user consent Open standard – 100+ Standard APIs – Nobody owns the mechanism – You can create your own OpenAPI server

24 OpenID Architecture http://designpatternschash.blogspot.com/2009_04_01_archive.html

25 OAuth Simple open standard for secure authentication – Log in part of website i.e) photos, mails, bookmarks, locations, … – Token based authentication Does not send ID and password to the web site – Open source, open API

26 OAuth Protocol Flow Client Resource Owner Authorization Server Resource Server Authorization Request Authorization Grant Access Token Protected Resource http://www.slideshare.net/rohitsghatol/oauth-20-simplified

27 Problems NASCAR Problem – User is overwhelmed by so many choices Usability – URI is not good to remember by human

28 2(n) Factor Authentication 3 different types of the password – Something you have – Something you know – Something you are 2 factor authentication is combining 2 types of password for authentication – Password + SMS token – Password + HW token – Password + finger print – … http://www.theverge.com/2014/10/21/7027267/google-launches-support-for-security-key-a-simpler-kind-of-two-factor

29 Question?

Download ppt "Web Login, Cookies 2015. 01. 26.. Web Login | Old way HTML"

Similar presentations

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do

Similar presentations

Ads by Google