How to Build a Secure Login. Ben Broussard Kedalion Security

Similar documents
Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Criteria for web application security check. Version

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Cyber Security Workshop Ethical Web Hacking

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Introduction Les failles les plus courantes Les injections SQL. Failles Web. Maxime Arthaud. net7. Jeudi 03 avril 2014.

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Hack Yourself First. Troy troyhunt.com

Web application security

HTTP Response Splitting

Web Security: SSL/TLS

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

(WAPT) Web Application Penetration Testing

HTTP Protocol. Bartosz Walter

Secure development and the SDLC. Presented By Jerry

Next Generation Clickjacking

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Hacking cookies in modern web applications and browsers

ivoyeur: permission to parse

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Lecture 11 Web Application Security (part 1)

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

AccountView. Single Sign-On Guide

CloudOYE CDN USER MANUAL

Module 45 (More Web Hacking)

Web Security Testing Cookbook*

Web Application Security

SAP: Session (Fixation) Attacks and Protections

Certified Secure Web Application Security Test Checklist

Dissecting CSRF Attacks & Defenses. Mike Shema October 16, 2013

SANS Institute 200 5, Author retains full rights.

Statistics Whitepaper

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Twinfield Single Sign On

APPLICATION SECURITY AND ITS IMPORTANCE

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

Hypertext for Hyper Techs

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

JASPERREPORTS SERVER WEB SERVICES GUIDE

Introduction to Computer Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Akita International University Online Application System. Usage Manual

Using SAML for Single Sign-On in the SOA Software Platform

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Cookies and Sessions Maintaining State in HTTP. High Level Summary

Sticky Session Setup and Troubleshooting

Network Technologies

The Hyper-Text Transfer Protocol (HTTP)

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

EECS 398 Project 2: Classic Web Vulnerabilities

elearning for Secure Application Development

Configuring Single Sign-on for WebVPN

An Insight into Cookie Security

Portal Recipient Guide

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

Web Security: Vulnerabilities & Attacks

Chapter 1 Web Application (In)security 1

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Web Application Firewall on SonicWALL SSL VPN

Testing the OWASP Top 10 Security Issues

Enterprise Application Security Workshop Series

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

sessionx Desarrollo de Aplicaciones en Red Web Applications History (1) Content History (2) History (3)

Web Application Security

Web Application Firewall on SonicWALL SRA

List of Scanner Features (3 of 3)

Greater Than One. Defeating strong authentication in web applications. - Brendan O Connor

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Playing with Web Application Firewalls

Ruby on Rails Security. Jonathan Weiss, Peritor Wissensmanagement GmbH

HTTP Caching & Cache-Busting for Content Publishers

Defending against XSS,CSRF, and Clickjacking David Bishop

Using Foundstone CookieDigger to Analyze Web Session Management

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

A Tale of the Weaknesses of Current Client-side XSS Filtering

Mavituna Security Ltd. Finance House, 522A Uxbridge Rd. Pinner. HA5 3PU / UK

Hack Proof Your Webapps

The Top Web Application Attacks: Are you vulnerable?

Application Security Testing. Generic Test Strategy

Web Authentication Application Note

Ethical Hacking as a Professional Penetration Testing Technique

Check list for web developers

Internet Technologies Internet Protocols and Services

Web Application Guidelines

Web Application Security

Security Testing with Selenium

Abusing the Internet of Things. BLACKOUTS. FREAKOUTS. AND

Gateway Apps - Security Summary SECURITY SUMMARY

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Web Based Single Sign-On and Access Control

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

HP WebInspect Tutorial

Chapter 5 Configuring the Remote Access Web Portal

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Hack Yourself First. Troy troyhunt.com

Department of Computing Imperial College London. BrowserAudit. A web application that tests the security of browser implementations

Transcription:

How to Build a Secure Login Ben Broussard Kedalion Security

Contents How Authentication works Pre-Login Login Page Login Redirect Logged In Log Out Attacks and defenses on each step

Pre-Login Pre-Login Login Page Login Redirect Logged In Log Out Users get to the site in many ways: Search engine, Bookmarks, Links from emails, Direct URL entry, iframes from other sites. Request/Response model. Users shouldn't be able to complete most actions before logging in, but they may be able to begin actions such as adding items to a cart or setting up a session. Account Creation Password Reset

REQUEST GET / HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; U; Lin... Accept: text/html,application/xhtml+xml,applica... Keep-Alive: 115 HTTP/1.1 200 OK Date: Fri, 29 Apr 2011 17:12:13 GMT Set-Cookie: skin=noskin; path=/; domain=.example.com; expires=fri, 29-Apr- 2011 17:12:13 GMT Content-Type: text/html; charset=iso-8859-1 Set-cookie: session-id=176-9381406-6210335; path=/; domain=.example.com; expires=tue Jan 01 08:00:01 2036 GMT Content-Length: 156046 <html>... web page RESPONSE

Login Page Pre-Login Login Page Login Redirect Logged In Log Out Users can get to the login page by: o Clicking on the login link on the site or from an email or another site. o Attempting to go to a logged in page without being logged in. o Making a request to a logged in page after the session has expired. The login page needs to know where to send the user after successful login. Input can include a username, password, pre-login cookie, anti-csrf token, CAPTCHA, and even a second factor such as an RSA token.

Clicked on Login link Redirected to Login HTTP/1.1 302 Found Location: https://example.com/login/

1. Request to Logged in Page: GET mail/inbox.php?email_id=11&action=mark_as_read HTTP/1.1 2. 302 Response containing Set-cookie: go_to=/mail/inbox.php?email_id=11&action=mark_as_read Location: https://example.com/login.php 3. Request to https://example.com/login.php 4. Response containing Login page: HTTP/1.1 200 OK... Other Headers <html>... Login Form 5. Request containing credentials: POST /login.php HTTP/1.1 Host: example.com Cookie: anonymous_session_id=ff5f109f765de12d3a83ce578e9d44ef; go_to=/mail /inbox.php?email_id=11&action=mark_as_read username=ben&password=myrealpassword&csrf_token=6108d48838...

Login Redirect Pre-Login Login Page Login Redirect Logged In Log Out Upon successful verification of the user's credentials, a redirection response which contains a Set-Cookie header is returned. o Usually an HTTP 302 Found response with a Location header. o Sometimes a webpage is returned which includes a javascript or meta tag redirect. This new cookie is the logged in session cookie.

1. Response from successful login: HTTP/1.1 302 Found Set-Cookie: session_id=617372ea63040f780b16dd992122e170; path=/; secure; HttpOnly Location: https://example.com/mail/inbox.php?email_id=11&action=mark_as_read 2. Request to Location value: GET /mail/inbox.php?email_id=11&action=mark_as_read HTTP/1.1 Host: example.com Cookie: session_id=617372ea63040f780b16dd992122e170 3. Response containing logged in page: HTTP/1.1 200 OK... Other Headers <html>... Logged in Page

Logged In Pre-Login Login Page Login Redirect Logged In Log Out Now that the user is logged in, they can take sensitive actions and look at sensitive data. The user stays logged in because the browser adds the Cookie header to every request (with the appropriate domain, path, flags, etc.). Often users have to fill out long forms that take longer than the inactivity logout period. Users may have multiple tabs open which makes it difficult to impose an order on their actions.

REQUEST POST /payroll/directdeposit.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-us; rv:1.9.2.16) Gecko/20110323 Ubuntu/10.04 (lucid) Firefox/3.6.16 Cookie: session_id=617372ea63040f780b16dd992122e170 routing_nbr=111111111&acct_nbr=123412341234&csrf_token=c1446f6da1664 50281c91108551ae9b6 HTTP/1.1 200 OK Pragma: no-cache Content-Length: 2150 Keep-Alive: timeout=15, max=100 Content-Type: text/html; charset=iso-8859-1 <html>... web page RESPONSE

Log Out Pre-Login Login Page Login Redirect Logged In Log Out How do users log out: o They click on the logout link. o Their session expires due to inactivity or absolute timeout. o They complete an action. o They navigate to a non-logged-in section of the site. If the user's session didn't expire, they get a response which contains a Set- Cookie header that expires the logged in cookie and then redirects the user. Otherwise they get redirected to the login page.

Logged out due to inactivity Clicked on Logout Link

Attacks! The fun stuff.

Attack Goals Bypass Login Login as another user Force logged in users to take actions Get logged in users' information Affect pre-login actions that affect logged in actions Get users to login to a known session or account Get valid usernames Get valid user passwords Get valid user email addresses Lockout users

Pre-Login Pre-Login Login Page Login Redirect Logged In Log Out SQL Injection - same database XSS as a Social Engineering vector Carry over attacks: o Cookie attacks: XSS, lack of SSL, Header Injection, token prediction o Session via URL token (no cookies) o CSRF and Clickjacking User Enumeration: o Password Reset o Account Creation o Login Form Inadequate SSL Coverage Combination XSS with CSRF to the logged in section to get sensitive data.

Login Page Pre-Login Login Page Login Redirect Logged In Log Out SQL Injection to bypass verification XSS as a key logger User Enumeration Password Bruteforcing SQL Injection for password gathering Login CSRF o Contests o Stored data o I was framed! Inadequate SSL Account Lockout

Login Redirect Pre-Login Login Page Login Redirect Logged In Log Out Header Injection: Location header Session Fixation Predictable session token Forced redirection o Off site (Referer header) o CSRF Gotta have the SSL Javascript or meta tag redirect XSS

Logged In Pre-Login Login Page Login Redirect Logged In Log Out XSS framework for full control (BeEF) XSS for session token capture SQL Injection via CSRF CSRF and Clickjacking Inadequate SSL coverage Authentication bypass Disclosure of URL parameters (Referer) AJAX hijacking Force Logout

Log Out Pre-Login Login Page Login Redirect Logged In Log Out Forced redirection Header injection: Location Session reuse / Inadequate log out CSRF logout

Conclusions Login and Authentication can't be easily segregated from the applications that use it. Pre-Login, subdomains, parent domains, and sister domains all can affect the Login and Authentication functionality. Pre-Login must either have no session or be under SSL. User enumeration protection applies to the Login page as well as Account Creation and Password Reset. XSS and SQL Injection are pretty much Game Over. Stopping bruteforcing of passwords is difficult, so make the passwords difficult to bruteforce. Password Rules. Javascript redirects can lead to DOM based XSS. Update the session cookie during the redirection step. Use Cryptography for security related tokens.

Conclusions (cont.) Watch what goes into the URL. This can get sent off-site in the Referer HTTP header. Force users to use cookies. There's no excuse anymore. A framework or systematic approach should be taken for Authentication, HTML output, SQL, and CSRF protection. AJAX may require CSRF protection for GET requests, too. Expiring a session cookie is not a sufficient logout procedure.

Questions? ben@kedalion-security.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information