OWASP A2:2017 Broken Authentication Vulnerability

Learn about the OWASP A2:2017 Broken Authentication vulnerability, which allows attackers to compromise passwords, keys, or session tokens by exploiting incorrectly implemented authentication functions in web applications. Explore the risks associated with broken authentication and how to mitigate them effectively.

  • OWASP
  • Broken Authentication
  • Web Security
  • Cybersecurity
  • Vulnerabilities

Presentation Transcript


  1. C1 21-MAR-25 CYBER THURSDAY: BROKEN AUTHENTICATION WEEK

  2. TABLE OF CONTENTS
     1. ABOUT CYBERSEC COE
     2. OWASP OVERVIEW
     3. A2:2017-BROKEN AUTHENTICATION
     4. EXPLOITATION
     5. INJECTION MITIGATION
     6. QUIZ!!!
     7. QUESTION??
     8. SENSITIVE DATA EXPOSURE (UPCOMING SESSION)
     CYBER THURSDAY: BROKEN AUTHENTICATION WEEK C1 05/16/2019 2

  3. 1 ABOUT US

  4. ABOUT CYBERSEC COE
     • Highly technical, skilled internal team
     • Technical infrastructure (Acunetix, Burp Suite) on Cloud for assessment
     • Renowned cyber security vendors onboarded: PWC, Synopsys, Paladion, Aujas etc.
     GSC Tech Assessment
     • Vendor Tech Assured counter audit / retest post vulnerability fixes by BL Assessment
     • 30-50% savings over Paris vendor
     • Can be leveraged for regular / new product assessment, retest etc.
     • Faster turnaround time as compared to Paris vendors
     Service Offering
     • Security Driven Secure Coding: development lifecycle, threat modelling, static testing, dynamic testing etc.
     • Remediation Services: development skills to support remediation for applications developed in different programming languages (Java, .Net etc.)

  5. 2 OWASP TOP 10

  6. ABOUT THE OPEN WEB APPLICATION SECURITY PROJECT (OWASP) OWASP is an open community dedicated to enabling organizations to promote security within applications. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP Top 10: The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations. OWASP Top 10 Application Security Risks 2017 identified the following most critical and common vulnerabilities:
     • A1:2017-Injection
     • A2:2017-Broken Authentication
     • A3:2017-Sensitive Data Exposure
     • A4:2017-XML External Entities (XXE)
     • A5:2017-Broken Access Control
     • A6:2017-Security Misconfiguration
     • A7:2017-Cross-Site Scripting (XSS)
     • A8:2017-Insecure Deserialization
     • A9:2017-Using Components with Known Vulnerabilities
     • A10:2017-Insufficient Logging & Monitoring
     https://en.wikipedia.org/wiki/OWASP, https://www.owasp.org/index.php/Top_10-2017_Top_10

  7. 3 A2:2017-BROKEN AUTHENTICATION

  8. A2:2017-BROKEN AUTHENTICATION Broken Authentication can allow an attacker to either capture or bypass the authentication methods used by a web application. OWASP defines Broken Authentication as: Application functions related to authentication are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens.
     Browser / server session flow:
     1. Browser sends POST /user/login with body {username, pwd}.
     2. Server stores the session in server memory.
     3. Server sends cookies (session ID) to the browser.
     4. Browser sends subsequent authenticated requests with the cookies (session ID).
     5. Server checks the cookies to get the user info from the session.
     6. Server sends the response.
     https://dzone.com/articles/broken-authentication-and-session-management-part

  9. ATTACK TYPES

     Attack type: Dictionary Attack
     Attack description: A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. The application permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".

     Attack type: Forced Browsing
     Attack description: Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. An attacker can use brute-force techniques to search for unlinked content in the domain directory, such as temporary directories and files, and old backup and configuration files.

     Attack type: Parameter Tampering
     Attack description: By tampering with a few parameters during authentication, some vulnerable applications allow you to bypass the authentication process and open the application completely. Insecure Direct Object Reference (IDOR) is also a type of parameter-tampering attack, which could let attackers access, edit or delete other users' objects by changing values such as id, pid or uid.

     Attack type: Improper Session Management
     Attack description: A guessable/weak session ID is one cause of this attack. If session invalidation is not implemented upon logout, or session IDs do not change after login (session fixation), various authentication attacks become possible.

     https://www.owasp.org/index.php/Forced_browsing ; https://searchsecurity.techtarget.com/definition/dictionary-attack
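
The session flow on slide 8 and the "Improper Session Management" row above can be tied together in code. The following is an added example written for this transcript, not code from the slides or from the CyberSec COE team: a minimal server-side session store that issues random session IDs, rotates the ID on login (the defence against session fixation), invalidates the session on logout, and expires idle sessions. The user table, salt, and IDLE_TIMEOUT value are constructed for the demo; the injectable clock exists only so the timeout can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is discarded (assumed value)

# Constructed credential table for the demo: username -> salted PBKDF2 hash.
# A real application stores a per-user salt; one fixed salt keeps the example short.
_DEMO_SALT = b"constructed-demo-salt"


def _hash_password(password: str, salt: bytes = _DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


class SessionStore:
    """Server-side session table: the browser only ever holds an opaque, random ID."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session ID -> {"user": str | None, "last_seen": float}
        self._clock = clock   # injectable so the idle timeout can be tested deterministically

    def new_anonymous(self) -> str:
        """Issue an unguessable pre-login session ID (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid: str, username: str, password: str):
        """Verify credentials; on success discard the pre-login ID and return a fresh one.

        Rotating the ID after login is the fix for session fixation: an ID that was
        planted in the victim's browser never becomes an authenticated session.
        """
        expected = USERS.get(username)
        # Always compute the hash so timing does not reveal whether the username exists.
        candidate = _hash_password(password)
        if expected is None or not hmac.compare_digest(expected, candidate):
            return None
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "last_seen": self._clock()}
        return new_sid

    def user_for(self, sid: str):
        """Resolve a cookie's session ID to a username, enforcing the idle timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> bool:
        """Invalidate server-side; clearing the cookie alone would leave the session usable."""
        return self._sessions.pop(sid, None) is not None
```

The two checks worth carrying into a real application are that the pre-login ID stops resolving the moment a login succeeds, and that logout removes the server-side entry rather than just asking the browser to drop the cookie.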

  10. CASE STUDY

  11. A2:2017-BROKEN AUTHENTICATION Dictionary Attack:

  12. A2:2017-BROKEN AUTHENTICATION Dictionary Attack: https://www.studytonight.com/servlet/registration-form-example-in-servlet.php

  13. A2:2017-BROKEN AUTHENTICATION Dictionary Attack: https://www.owasp.org/index.php/Command_injection_in_Java

  14. HANDS-ON ATTACK!!!

  15. A2:2017-BROKEN AUTHENTICATION Dictionary Attack: Mitigation
     • Increase password complexity requirements, such as requiring special symbols, numbers, and/or uppercase letters.
     • Set up password expiration for user accounts to 90 days.
     • Temporarily block an IP that originated a high number of authentication errors in a brief period.
     • All default passwords of the application should be changed before going live.

  16. A2:2017-BROKEN AUTHENTICATION Forced Browsing: Implementing an authentication mechanism to restrict access to the application is not enough. If the permissions of internal web pages have not been configured correctly, an attacker can circumvent authentication controls by requesting authenticated areas of the application directly, without providing valid credentials, or by requesting pages beyond the access level of the logged-in user. For example, a web application may have admin users, normal users and basic users. Each of these users logs in through the same page, but the menus and options they have access to may vary. If a user can discover or guess the name of a valid page, he or she can manually request that page by typing the URL directly into the address bar. This process is called forced browsing and bypasses the login restriction.

  17. A2:2017-BROKEN AUTHENTICATION Forced Browsing: User-based restriction; Role-based restriction. https://services.teammentor.net/article/b760584a-1d34-4d5d-b6b4-87801285dd18

  18. HANDS-ON ATTACK!!!

  19. A2:2017-BROKEN AUTHENTICATION Forced Browsing: Mitigation
     • Proper access control & authorization policies: access should only be given to users commensurate with their privilege.
     • Define the list of file types available for remote reading on the server. For example, .log, .dat and database files are not files that all users should have access to, except through secure channels.
     • Remove all unnecessary files from web-accessible directories. That is, if files are unneeded within the directory, remove them, even though they may be secure.
     • Use virtual directories for web access, keeping secure data directories separate.
     https://www.veracode.com/security/failure-restrict-url-access
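
The forced-browsing mitigations on slides 16 through 19 come down to one server-side decision per request: is this user, with this role, allowed to fetch this path? The following is an added example, not code from the slides, of a deny-by-default URL authorizer using the admin / normal / basic roles from slide 16. The route table, the role hierarchy and the extra blocked extensions beyond .log, .dat and database files are constructed for the demo. The point it makes that the slide does not is that the path must be percent-decoded and normalised before the policy lookup, otherwise "/%61dmin" or "/public/../admin" slips past a prefix check.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed role hierarchy matching slide 16 (admin, normal and basic users).
ROLE_LEVEL = {"basic": 1, "user": 2, "admin": 3}

# Constructed route policy: each URL prefix names the minimum role that may request it
# (None = no login required). Anything not listed is denied: deny by default.
ROUTE_MIN_ROLE = {
    "/public": None,
    "/home": "basic",
    "/account": "user",
    "/admin": "admin",
}

# File types that must never be served from web-accessible directories (.log, .dat and
# database files as the slide lists; the remaining entries are constructed additions).
BLOCKED_SUFFIXES = (".log", ".dat", ".db", ".sqlite", ".bak", ".old")


def canonical_path(raw_url: str) -> str:
    """Reduce a requested URL to the path the policy is evaluated on.

    Percent-decoding and normalisation happen BEFORE the policy lookup, so
    "/%61dmin/users" and "/public/../admin/users" are both judged as "/admin/users".
    """
    path = unquote(urlsplit(raw_url).path).lstrip("/")
    return posixpath.normpath("/" + path)   # collapses "..", "//" and "." segments


def authorize(raw_url: str, role):
    """Decide whether a user holding `role` (None = not logged in) may request `raw_url`.

    Returns (allowed, reason).
    """
    path = canonical_path(raw_url)
    if path.lower().endswith(BLOCKED_SUFFIXES):
        return False, "blocked file type"
    # Longest matching prefix wins, so "/admin/audit" is governed by the "/admin" rule.
    for prefix in sorted(ROUTE_MIN_ROLE, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            required = ROUTE_MIN_ROLE[prefix]
            break
    else:
        return False, "no policy for path"
    if required is None:
        return True, "public"
    if role is None:
        return False, "login required"
    if ROLE_LEVEL.get(role, 0) < ROLE_LEVEL[required]:
        return False, f"role '{role}' below required '{required}'"
    return True, f"role '{role}' satisfies '{required}'"
```

Because the table is consulted for every request rather than only on the login page, a user who types an admin URL into the address bar gets the same refusal as one who was never shown the menu entry, which is the property forced browsing exploits when it is missing.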

  20. A2:2017-BROKEN AUTHENTICATION Parameter Tampering: Parameter tampering is a form of web-based attack in which certain parameters in the Uniform Resource Locator (URL) or web page form field data entered by a user are changed without that user's authorization. Attackers modify the parameters in the URL or login form to obtain other users' information or to bypass the authentication mechanism.

  21. A2:2017-BROKEN AUTHENTICATION Parameter Tampering: https://www.studytonight.com/servlet/registration-form-example-in-servlet.php

  22. A2:2017-BROKEN AUTHENTICATION Parameter Tampering: https://www.owasp.org/index.php/Command_injection_in_Java

  23. HANDS-ON ATTACK!!!

  24. A2:2017-BROKEN AUTHENTICATION Parameter Tampering: Mitigation
     • It is recommended to use a valid session token whenever client-server interaction happens, and the token should be validated at the server end.
     • All sensitive information (Session ID, UID, PID etc.) should be sent using the POST method rather than GET.
     • Proper input validation should be implemented at both the server and client end.
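
The IDOR variant from slide 9 (changing id, pid or uid) and the three mitigations above can be shown side by side. This is an added example for the transcript, not code from the slides: a request handler that trusts the client-supplied identifiers, followed by a hardened version that resolves the user from the server-side session token, validates the parameter strictly on the server, requires the identifiers to arrive in a POST body, and checks ownership before returning anything. The ORDERS and SESSIONS tables and the status/reason tuples are constructed for the demo.

```python
import re

# Constructed data: order ID -> owner and amount. In the real system this is a database query.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 9.50},
}

# Constructed server-side session table: opaque session token -> authenticated user.
SESSIONS = {"sess-alice-9f1c": "alice", "sess-bob-2e7d": "bob"}

# Strict server-side format for the object identifier (the client-side check can be bypassed).
_PID_FORMAT = re.compile(r"[0-9]{1,9}")


def vulnerable_get_order(params: dict):
    """The tamperable pattern: the handler trusts uid and pid exactly as the client sent them.

    Nothing ties the requested pid to the user who is logged in, so altering pid in the
    request returns another user's order. This is the IDOR case from slide 9.
    """
    pid = int(params["pid"])
    return ORDERS.get(pid)


def hardened_get_order(method: str, session_token: str, params: dict):
    """Same lookup with the slide's mitigations applied. Returns (status, body)."""
    # Sensitive identifiers travel in the POST body, not in a URL that ends up in logs and history.
    if method != "POST":
        return 405, "send identifiers in a POST body"
    # The user comes from the validated server-side session, never from a uid parameter.
    user = SESSIONS.get(session_token)
    if user is None:
        return 403, "login required"          # token absent, expired, or forged
    pid_raw = params.get("pid", "")
    if not _PID_FORMAT.fullmatch(pid_raw):
        return 400, "invalid pid"
    order = ORDERS.get(int(pid_raw))
    # Ownership check: an existing order that belongs to someone else is reported exactly
    # like a missing one, so the response does not confirm which IDs are in use.
    if order is None or order["owner"] != user:
        return 404, "not found"
    return 200, order
```

The decisive change is the source of the user identity: once it is read from the session the server created, a uid field in the request becomes irrelevant and tampering with it changes nothing.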

  25. 4 QUIZ TIME!!

  26. 5 QUESTIONS? Write to us @ list.gsc-cybersec@socgen.com

  27. 6 UPCOMING SESSION - BROKEN AUTHENTICATION AND ACCESS CONTROL

  28. 7 CONTACT US

  29. CONTACTS Organizational Structure & Escalation Ladder
     • Title: CyberSec COE Head. Name: Rajesh Bhasin. Email: Rajesh.Bhasin@socgen.com
     • Title: Cyber Security Architect. Name: Bharath Srinivasan. Email: Bharath.Srinivasan@socgen.com
     • Title: CyberSec Analysts. Email: list.gsc-cybersec@socgen.com
     BSC Allies
     • Title: CyberSec Specialists. Names: Abhishek SURESH BABU & Vinitha RAVINDRAN. Emails: abhishek.suresh-babu@socgen.com; vinitha.ravindran@socgen.com

  30. STAY TUNED TO OUR JIVE GROUP https://sbc.safe.socgen/groups/cyber-security-center-of-excellence-coe
