attacking session management
play

Attacking Session Management Professor Larry Heimann Web Application - PowerPoint PPT Presentation

Nov 15, 2022 •104 likes •238 views

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF & Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

  1. Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

  2. Lab 3 Review on CSRF & Path Traversal Hacker Wall of Fame (Lab 3 members in italics) • Jacob Buckheit (2x) • Jenny Zhu • Ti ff any Chen • Judy Zhang (2x) • Rachel Kim • Stephanie Pang • David Zhang • Jeremy Xue • Andy Gao • Vrinda Gupta • Ryan Ho ff man • Bo Tembunkiart • Anusha Venkatesan

  3. Session basics • HTTP is inherently stateless • Need for sessions • How data is saved, accessed Session ID is the key to matching session data with a particular user

  4. Session IDs and entropy • Many languages like PHP or frameworks like Rails automatically generate session IDs for you • May choose to customize session IDs for a variety of reasons • If an attacker gets access to session ID or can brute force a session ID, major trouble will follow • Measure the security of session IDs with concept of entropy; essentially a measure of randomness

  5. Attacking a session • Decode the session and retrieve information • Brute force a session token and be able to piggyback on an active session • Feed the victim an active, unauthenticated session and then access application after the user authenticates • Capture the user’s current session by getting the session token and using it to join the active session

  6. Session fixation

  7. Samy is my hero.

  8. Securing sessions Generate strong tokens • Any finite item can in principle be guessed given su ffi cient time and resources. • Objective of generating robust tokens is to make a successful prediction attack extremely unlikely during the lifespan of any given token. • Most web application platforms contain built-in session handling mechanisms that are tried-and-tested. • If you create your own tokens, use strong sources for random numbers (e.g. java.security.SecureRandom, not java.util.Random), and use recognized crypto libraries such as SHA1

  9. Securing sessions Protect tokens throughout their lifecycle • Tokens should only be transmitted over HTTPS – set the “secure” flag if HTTP cookies are used. • Tokens should not be transmitted in the URL – using a hidden field in a form that uses the POST method is preferred (but still not ideal). • Logout functionality should be implemented that destroys the session completely. • Session expiry should be implemented on the server side. • Concurrent logins should be prevented. After a successful login, existing sessions for the same user should be expired. • Brute force attempts can be detected and IP addresses blocked.

  10. Securing sessions Protect tokens throughout their lifecycle • The HttpOnly flag can be set to prevent client-side scripts from trivially accessing HTTP cookies (to prevent some XSS attack payloads). • When a user transitions to a higher trust level, they should be issued with a fresh token, to stop session fixation attacks. • Unrecognized tokens should be rejected, and a fresh valid token issued instead. • Secondary authentication can be used to protect critical actions. • Per-page tokens can be implemented to limit opportunities for session hijacking, even if other flaws exist.

  11. Comic of the Day...

  12. Samy is my hero.

  13. Next Class: Class Demonstrations

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Attacking Multicast Group Key Management Protocols Graham Steel and Alan Bundy I V N E U R

Attacking Multicast Group Key Management Protocols Graham Steel and Alan Bundy I V N E U R

Attacking Multicast Group Key Management Protocols Graham Steel and Alan Bundy I V N E U R S E I H T Y T O H F G R E U D B I N 1 Multicast Key Management Protocols Aim: To maintain a secure key for multicast within a

164 views • 15 slides
Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini

SESSION ID: MLAI-W03 Attacking Machine Learning: On the Security and Privacy of Neural Networks Nicholas Carlini Research Scientist, Google Brain #RSAC Act I: On the Security and Privacy of Neural Networks #RSAC Let's play a game

1.07k views • 103 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State

Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State

Non-Attacking Chess Pieces: The Dance of Bishops Thomas Zaslavsky Binghamton University (State University of New York) Joint with Seth Chaiken and Christopher R.H. Hanusa Outline 1. Chess Problems: Non-Attacking Pieces 2. Largely Czech

608 views • 17 slides
Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have already seen how code

671 views • 47 slides
Management 1 Session Objective By the end of the session, participants will discuss the

Management 1 Session Objective By the end of the session, participants will discuss the

DFS Risk and Fraud Management 1 Session Objective By the end of the session, participants will discuss the potential provider and consumer risks in digital finance and learn how to manage those risks having full awareness of the issues that

882 views • 45 slides
Attacking and Supporting Subrogation Damages in Wildland Fire Cases CRAIG S. SIMON SUE MUNCEY

Attacking and Supporting Subrogation Damages in Wildland Fire Cases CRAIG S. SIMON SUE MUNCEY

Attacking and Supporting Subrogation Damages in Wildland Fire Cases CRAIG S. SIMON SUE MUNCEY Introduction. Audience analysis. The basics Property Insurance Subrogation ATTACKING AND SUPPORTING SUBROGATION DAMAGES IN

371 views • 19 slides
No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP S

No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP S

20.06.2019 No Need to Marry to Change your Name! Attacking Profinet IO Automation Networks Using DCP S tefan Mehner, Hartmut Knig Brandenburg University of Technology Cottbus - S enftenberg Evolution in Industrial Control Systems

675 views • 18 slides
Section 6: Session Management, Lab 2, & Clickjacking CSE 484 / CSE M 584 Homework 2 Due @

Section 6: Session Management, Lab 2, & Clickjacking CSE 484 / CSE M 584 Homework 2 Due @

Section 6: Session Management, Lab 2, & Clickjacking CSE 484 / CSE M 584 Homework 2 Due @ 11:59pm Lab 2 Due @ 11:59pm May 8 May 22 Administrivia May 15 Final Project Checkpoint 1 Due Web Session Management Primitive Online

649 views • 35 slides
Attacking the Attacking the User- -Machine Machine User Interface Interface A speach

Attacking the Attacking the User- -Machine Machine User Interface Interface A speach

Attacking the Attacking the User- -Machine Machine User Interface Interface A speach speach from from Volker Birk, Volker Birk, dingens dingens@ @bumens bumens. .org org A Chaos Computer Club ERFA Kreis Ulm Chaos Computer Club

455 views • 16 slides
Joe Alber Rotary Club of Buffalo 716-834-6560 antonealber@gmail.com My Goals for this Session

Joe Alber Rotary Club of Buffalo 716-834-6560 antonealber@gmail.com My Goals for this Session

Joe Alber Rotary Club of Buffalo 716-834-6560 antonealber@gmail.com My Goals for this Session Discuss methods for uncovering why members quit and the tools for attacking the problem. Overview Why Rotarians Join Our Club Why

464 views • 23 slides
To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

S C I E N C E P A S S I O N T E C H N O L O G Y To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures Peter Pessl 1 , Leon Groot Bruinderink 2 , Yuval Yarom 3 1 Graz University of

416 views • 27 slides
A 14907 - Strategic Management Accoun6ng (2018-2019) Session 12 Strategic Management Accoun6ng

A 14907 - Strategic Management Accoun6ng (2018-2019) Session 12 Strategic Management Accoun6ng

A 14907 - Strategic Management Accoun6ng (2018-2019) Session 12 Strategic Management Accoun6ng Review Session Paul G. Smith B.A., F.C.A OVERALL OBJECTIVES A 14907 Strategic Management Accoun6ng 3 Course Objec6ves Students will learn to

559 views • 24 slides
COMPOSER THERE'S A MODULE (OR LIBRARY) FOR THAT! Presented by Rob Loach and Larry Garfield

COMPOSER THERE'S A MODULE (OR LIBRARY) FOR THAT! Presented by Rob Loach and Larry Garfield

COMPOSER THERE'S A MODULE (OR LIBRARY) FOR THAT! Presented by Rob Loach and Larry Garfield DEPENDENCY MANAGEMENT SUCKS PHP SUCKS AT SHARING How do I get a 3rd party library? How do I load its code? Does it depend on anything? Where do I

527 views • 51 slides
Tutorials, post-processing and parallelization C. Fernandes, L.L. Ferrs, J.M. Nbrega

Tutorials, post-processing and parallelization C. Fernandes, L.L. Ferrs, J.M. Nbrega

Tutorials, post-processing and parallelization C. Fernandes, L.L. Ferrs, J.M. Nbrega Institute for Polymers and Composites (i3N), University of Minho Unin Europea FEDER 0682_CLOUDPYME2_1_E Invertimos en su futuro El proyecto

599 views • 35 slides
Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu

Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu

Outline Introduction The chtMultiRegionFoam solver Loop modification Test the new solver Pressure coupled B.C. Summary and Implementation of multiple deltaTs for the multi-region solver based on chtMultiRegionFoam Yuzhu Pearl Li Department

757 views • 38 slides
Modeling of bed roughness using a geometry function and forcing terms in the momentum equations

Modeling of bed roughness using a geometry function and forcing terms in the momentum equations

Introduction Solver set-up Case set-up Post-Processing Modeling of bed roughness using a geometry function and forcing terms in the momentum equations Jonatan Margalit A project work in the course CFD with OpenSource software, taught by H

594 views • 28 slides
A Slim 3 Primer Rob Allen ~ @akrabat May 2015 The C in MVC Slim 3 Created by Josh Lockhart

A Slim 3 Primer Rob Allen ~ @akrabat May 2015 The C in MVC Slim 3 Created by Josh Lockhart

A Slim 3 Primer Rob Allen ~ @akrabat May 2015 The C in MVC Slim 3 Created by Josh Lockhart (phptherightway.com) PSR-7 Request and Response objects Middleware architecture Built in DIC for configuration Expecting first beta

784 views • 30 slides
Spotting fakes, forgeries and misattributions: Game of Luck or Question of Skill? Noor Kadhim

Spotting fakes, forgeries and misattributions: Game of Luck or Question of Skill? Noor Kadhim

Spotting fakes, forgeries and misattributions: Game of Luck or Question of Skill? Noor Kadhim Gardner Leader When you assume you make an ass of u and me Which of these is authentic? Losing ones Witts Devil in the detail Its all

441 views • 15 slides
A Timing Model for Synchronous Language Implementations in Simulink Timothy Bourke and Arcot

A Timing Model for Synchronous Language Implementations in Simulink Timothy Bourke and Arcot

1 A Timing Model for Synchronous Language Implementations in Simulink Timothy Bourke and Arcot Sowmya School of Computer Science and Engineering University of New South Wales, Sydney and National ICT Australia tbourke@cse.unsw.edu.au

773 views • 36 slides
Architecture Comparison for Concurrent Multi-Band Linear Power Amplifiers Zhen Zhang, Yifei Li,

Architecture Comparison for Concurrent Multi-Band Linear Power Amplifiers Zhen Zhang, Yifei Li,

Architecture Comparison for Concurrent Multi-Band Linear Power Amplifiers Zhen Zhang, Yifei Li, and Nathan M. Neihart Iowa State University MWSCAS 2015 Fort Collins, CO Outline Motivation Theoretical Comparisons Efficiency

197 views • 19 slides

More recommend