HACKING AUTHENTICATION CHECKS IN WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN

Similar documents
Magento Security and Vulnerabilities. Roman Stepanov

Where every interaction matters.

Using Foundstone CookieDigger to Analyze Web Session Management

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Security API Cookbook

Adobe Systems Incorporated

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Essential IT Security Testing

Recommended readings. Lecture 11 - Securing Web. Applications. Security. Declarative Security

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Criteria for web application security check. Version

Overview of the Penetration Test Implementation and Service. Peter Kanters

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Check list for web developers

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Testing the OWASP Top 10 Security Issues

The Top Web Application Attacks: Are you vulnerable?

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

OWASP Top Ten Tools and Tactics

Ruby on Rails Secure Coding Recommendations

Excellence Doesn t Need a Certificate. Be an. Believe in You AMIGOSEC Consulting Private Limited

Web Authentication Application Note

05.0 Application Development

Analysis of SQL injection prevention using a proxy server

Secure development and the SDLC. Presented By Jerry

Bitrix Site Manager ASP.NET. Installation Guide

Chapter 1 Web Application (In)security 1

Web Application Penetration Testing

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Reducing Application Vulnerabilities by Security Engineering

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Passing PCI Compliance How to Address the Application Security Mandates

Application Security Vulnerabilities, Mitigation, and Consequences

An Introduction to Application Security in J2EE Environments

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Ethical Hacking as a Professional Penetration Testing Technique

HTTPParameter Pollution. ChrysostomosDaniel

Integrating Security Testing into Quality Control

How To Fix A Web Application Security Vulnerability

THE OPEN UNIVERSITY OF TANZANIA

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Penetration Testing in Romania

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Rational AppScan & Ounce Products

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

A brief on Two-Factor Authentication

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Multi Factor Authentication API

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

OAuth: Where are we going?

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Vulnerability Detection and Security Mechanism

Secure Programming Lecture 12: Web Application Security III

Swivel Multi-factor Authentication

Configuring Claims Based FBA with Active Directory store 1

Project 2: Web Security Pitfalls

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

How To Set Up The Barclaycard Epdq Cardholder Payment Interface (Cpi) On Papercut (Barclay Card) On A Microsoft Card (For A Credit Card) With A Creditcard (For An Account)

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

8070.S000 Application Security

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Security features of ZK Framework

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Application Security

Secure Web Applications. The front line defense

Web Application Firewall Policy File Specification

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Accessing the Media General SSL VPN

Potential Targets - Field Devices

Custom Error Pages in ASP.NET Prabhu Sunderaraman

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Copyright: WhosOnLocation Limited

Developing ASP.NET MVC 4 Web Applications MOC 20486

Web Plus Security Features and Recommendations

ASP.NET Forms Authentication Best Practices for Software Developers

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Defending against XSS,CSRF, and Clickjacking David Bishop

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

The Risks of Cloud Storage

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Enhanced Security for Online Banking

Talk Internet User Guides Controlgate Administrative User Guide

Department Service Integration with e-pramaan

Stop Identity Theft. with Transparent Two-Factor Authentication. e-lock Corporation Sdn Bhd

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Web Application Security

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

(WAPT) Web Application Penetration Testing

Transcription:

HACKING AUTHENTICATION CHECKS IN WEB APPLICATIONS ASHISH RAO & SIDDHARTH ANBALAHAN

About Ashish 4 years of IT Security Experience Security Consultant and Researcher Application and Code Security Practice Expertise in performing Security Design reviews and Security Code Reviews Developed Code Review Checklists and Automation scripts for many platforms Conducted Trainings on Secure Development of Web and Mobile applications for different platforms http://artechtalks.blogspot.in/

10 years of IT industry experience 6 years information security experience Senior Security Consultant Application Security Testing Practice Co-Author of the book Application Security in ISO 27001 Environment. About Siddharth

INDEX Hacking Authentication Checks in Web Applications Hacking Application Designs Hacking J2EE Container Managed Authentication Hacking Control Flow in J2EE Hacking Insecure POSTBACK implementation in.net

HACKING APPLICATION DESIGNS

Hacking Application Designs Applications usually designed using MVC A model- view - controller technique There is logical segregation of code Components interact with each other in sequence Request Central Controller Business Logic View Logic Response

Hacking Application Designs If we have to implement an authentication check in this sequence where would we place it? Request Central Controller Business Logic View Logic Response 7

Hacking Application Designs Most developers place it here Only for the views Request Central Controller Business Logic C h e c k View Logic Response Assumption: Forms and Pages presented as views in the application will be accessed first. These forms or pages are the only way to send form submissions or internal requests for changing data. 8

Lets see what goes wrong Unauthenticated Request ERROR PAGE Central Controller Business Logic Auth Check View Logic Is not rendered INCORRECT PLACEMENT Request gets processed here!!! Task Achieved by the attacker 9

Hacking Application Designs DEMO Unauthorized access due to incorrect placement of checks 10

Hacking Application Designs Security Measures: Place all validation checks before request processing logic Central Controller Business Logic View Rendering Logic Correct Placement 11

HACKING J2EE CONTAINER MANAGED AUTHENTICATION

Container Managed Authentication Flaw J2EE Contained Managed Authentication Configuration of security-constraints in deployment descriptor web.xml Responsible for blocking unauthenticated access to internal resources An attack similar to CSRF can be performed by a remote hacker to bypass authentication 13

Container Managed Authentication Flow Typical Flow of Container Managed Authentication User Web Server Server Maintains a Copy of the Previous request in Session Authentication Process of the Container Internal Request Page saved in session 14

What is the flaw? The Catch? Server Maintains a Copy of the Previous request in Session Once the user is authenticated the server process the request previously stored An attacker can send any POST request for an internal action via a CSRF technique, when an unsuspecting victim logs in, the internal action will get processed. 15

DEMO Hacking J2EE Container Managed Authentication

Similarity with CSRF: The only requirement is that the user must login after the malicious unintended request has been sent to the server using the same browser Local Attack: A local attacker may forge a request from victim s browser, and keep the login page open. When the victim logs in, the malicious request will get executed

Security Measures: All requests that result in change of data, transactions, should be accompanied with a token Token should unique for each user session Token should be random making it difficult to guess Should be always validated at the server

HACKING CONTROL FLOW IN J2EE

Control Flow Flaws Does this code look safe to you? String username = session.getattribute( user ); if (username == null) { response.sendredirect( Access Denied Page ); }. Business Logic Processing 20

Control Flow Flaws But what is wrong in it? String username = session.getattribute( user ); if (username == null) { response.sendredirect( Unauthorized Page ); }. Business Logic Processing

Control Flow Flaws I am checking for an authenticated session And I am then redirecting unauthenticated user String username = session.getattribute( user ); if (username == null) { response.sendredirect( Access Denied Page ); }. Business Logic Processing

Control Flow Flaws Have you ever wondered, what if the execution do not stop here? String username = session.getattribute( user ); if (username == null) { response.sendredirect( Access Denied Page ); }. Business Logic Processing 23

Control Flow Flaws Business logic would get executed even for unauthenticated request. String username = session.getattribute( user ); if (username == null) { response.sendredirect( Access Denied Page ); }. Business Logic Processing In reality this is not protected 24

Control Flow Flaws The execution flow does not stop after the response.sendredirect call Entire page is processed and then the user is redirected to error page Thus, the business logic remains unprotected

DEMO Unauthorized access due to control flow flaw

Security Measures: Terminate the execution flow after redirection call. String username = session.getattribute( user ); if (username == null) { response.sendredirect( Access Denied Page ); return; }. Business Logic Processing

HACKING INSECURE POSTBACK AUTHENTICATION IN.NET

INSECURE POST-BACK POSTBACK POSTBACK in ASP.NET is an event that occurs whenever an action is performed by a control in the ASP.NET page ISPOSTBACK? Property of ASP.NET Page that allows developers to check if page is called or refreshed as a result of a control event OR called for the first time

INSECURE POST-BACK Mixing authentication check and ISPOSTBACK protected void Page_Load(object sender, EventArgs e) { If (!IsPostBack) { lbltitle.text = Create Employee s If (!Request.IsAuthenticated) { Response.Redirect( ~/Error.aspx ); } } }

INSECURE POST-BACK Assumption: A form will be accessed by an authenticated user first time only by clicking on a link that displays the form An attacker can send a POST request for creating a new employee. The IsPostBack condition will fail and therefore will not invoke the authentication check

INSECURE POST-BACK DEMO Hacking insecure POSTBACK based authentication check in ASP.NET

INSECURE POST-BACK Security Measures: IsPostBack property check should be independent of the authentication check. protected void Page_Load(object sender, EventArgs e) { If (!IsPostBack) { lbltitle.text = Create Employee } If (!Request.IsAuthenticated) { Response.Redirect( ~/Error.aspx ); }

Closing Notes Authentication flaws can be avoided by placing careful consideration to design and the way applications behave Is the placement of authentication check correct? Is it secure your processing logic? Is there a control flow behavior that you need to test?

35 Questions

Blogs and Reference http://artechtalks.blogspot.in/2013/02/j2eecontainer-managed-authentication.html http://artechtalks.blogspot.in/2013/02/insecurepostback-based-authentication.html http://packetstormsecurity.com/files/119129/insecu re-authentication-control-in-j2ee.html -- Watch out this space for more blogs

Thank You & Share your feedback with us. rao.ashish20@gmail.com AND sidhanbu@gmail.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information