Section 7: Lab 2 & Authentication CSE 484 / CSE M 584 - - PowerPoint PPT Presentation



SLIDE 1

Section 7: Lab 2 & Authentication

CSE 484 / CSE M 584

SLIDE 2

Administrivia

  • May 15th: Final Project Checkpoint 1 due @ 11:59pm
  • May 22nd: Lab 2 due @ 11:59pm
  • May 25th: Memorial Day, no lecture
  • May 29th: Homework 3 due @ 11:59pm

SLIDE 3

More Lab 2 Hints

SLIDE 4

Lab 2 Hints: Web Requests

There are usually multiple ways to do the XSS exploits!

  • Example: In Problem 1, window.open may fail because of popup blocking
  • What other JavaScript APIs or HTML elements can cause a web request from a page?

SLIDE 5

There are different ways to run JS on a page:

  • Inline JS (event handlers as strings inside HTML tags, <script> tags with embedded JS)
  • External JS files (attached <script> with src in HTML <head> or <body>)
  • Extensions (not in Lab 2, but becoming very popular for web users)
  • From the console (mostly for testing, doesn’t save state on page refresh)

You don’t need to know all of them for Lab 2, but you will need to use different approaches for different filters!

SLIDE 6

Lab 2 Hints: Executing JS

Mixing HTML, JavaScript and URLs… which syntax are you using?

HTML containing JavaScript:

  <script> alert('hi'); </script>
  <body onload="alert('hi');"></body>

For event handler attributes, the value is interpreted as JavaScript code and inserted into a function:

  > console.log(myImg.onload.toString());
  "function onload(e) { alert('hi'); }"

HTML containing a URL containing JavaScript:

  <iframe src="example.com/?id=<script>alert('hi');</script>"></iframe>

The src value is a URL, which means it must be URL encoded. The <script> inside it is JS embedded in a URL. Because the URL is loaded in an iframe, the code will be executed in the context of the page within the iframe (if that page has an XSS vulnerability). Will this iframe execute the script? Which language’s escape characters do we need to use?

SLIDE 7

Lab 2 Hints: Encoding Schemes

Text can be encoded in different forms on web pages. Why do you think this is useful? See the XSS Intro resource for a great overview of the different schemes.
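As an added example (not from the slides) for the escaping question on slide 6 and the encoding schemes on slide 7: a defender's context-aware encoders in Python, standard library only, one per output context. The sample input, the helper names and the greet() handler are constructed for illustration.

```python
# Added example (not from the slides): one encoder per output context from slides 6 and 7,
# so untrusted text lands as data rather than code. The sample input is constructed.
import html
import json
from urllib.parse import quote

UNTRUSTED = "<script>alert('hi');</script>"  # constructed sample input


def for_html_body(s):
    # Text between tags: escape & < > so no tag can start.
    return html.escape(s, quote=False)


def for_html_attribute(s):
    # Inside a quoted attribute value: also escape the quote characters.
    return html.escape(s, quote=True)


def for_js_string(s):
    # A JavaScript string literal: JSON escaping covers quotes and control characters;
    # "</" is escaped too, so the literal can never close the enclosing <script> tag.
    return json.dumps(s).replace("</", "<\\/")


def for_url_param(s):
    # Value of a query parameter: percent-encode everything except unreserved characters.
    return quote(s, safe="")


def render_script_block(s):
    # JavaScript context only: <script> var msg = "..."; </script>
    return f"<script>var msg = {for_js_string(s)};</script>"


def render_event_handler(s):
    # The onload value is JavaScript inside an HTML attribute (slide 6), so encode
    # for JS first and then for the attribute: innermost language first. greet() is hypothetical.
    return f'<body onload="greet({for_html_attribute(for_js_string(s))});"></body>'


def render_iframe(s):
    # A URL inside an HTML attribute: percent-encode the parameter first, then
    # attribute-encode the whole URL.
    url = f"https://example.com/?id={for_url_param(s)}"
    return f'<iframe src="{for_html_attribute(url)}"></iframe>'
```

The order matters: the browser decodes the outer language (HTML attribute) before the inner one (JS or URL), so encoding is applied inner-first and undone outer-first.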

SLIDE 8

Lab 2 Hints: SQL

Recall that SQL is a language used to manage and query databases. Each database contains tables of data. The SELECT keyword is used to query tables and retrieve data. What can possibly go wrong?

  CREATE TABLE students ( id int, name varchar(255) );
  INSERT INTO students VALUES (1, 'Sam Wolfson');
  SELECT * FROM students WHERE id = 1;
  DELETE FROM students WHERE id = 1;

With  OR 1 = 1; --  injected into the id:

  DELETE FROM students WHERE id = 1 OR 1 = 1; -- ;
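Added example, not from the slides: the DELETE above run two ways against an in-memory SQLite table built here, showing why the injected `OR 1 = 1; --` empties the table when the id is spliced into the statement text and does nothing when it is passed as a bound parameter. The function names and the extra rows are constructed.

```python
# Added example (not from the slides): the DELETE from slide 8 built two ways,
# run against an in-memory SQLite table populated with constructed rows.
import sqlite3

INJECTED_ID = "1 OR 1 = 1; -- ;"  # the slide's input, supplied in place of a plain "1"


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students ( id int, name varchar(255) )")
    db.executemany("INSERT INTO students VALUES (?, ?)",
                   [(1, "Sam Wolfson"), (2, "Student Two"), (3, "Student Three")])
    return db


def remaining(db):
    return db.execute("SELECT COUNT(*) FROM students").fetchone()[0]


def delete_vulnerable(db, user_input):
    # The id is pasted into the statement text, so "1 OR 1 = 1; -- ;" becomes
    #   DELETE FROM students WHERE id = 1 OR 1 = 1; -- ;
    # "OR 1 = 1" makes the WHERE clause true for every row and "--" comments out
    # whatever followed. executescript mirrors a driver that accepts stacked statements.
    db.executescript(f"DELETE FROM students WHERE id = {user_input};")
    return remaining(db)


def delete_safe(db, user_input):
    # Parameterized query: the driver sends the input as a value, never as SQL text,
    # so the whole string is compared against the id column and matches no row.
    db.execute("DELETE FROM students WHERE id = ?", (user_input,))
    return remaining(db)
```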

SLIDE 9

Authentication

SLIDE 10

Improving (?) Passwords

Add biometrics
  • For example, keystroke dynamics or voiceprint

Graphical passwords
  • Goal: easier to remember? no need to write down?

Password managers
  • Examples: LastPass, KeePass, etc. (built into browsers)
  • Can have security vulnerabilities…

Two-factor authentication
  • Leverage phone (or other device) for authentication

SLIDE 11

Password Manager Vulnerabilities

Automatic autofill (a feature of many password managers) is convenient, but hard to make secure.

Subject to sweep attacks: stealing multiple passwords without user interaction.

https://www.usenix.org/node/184476

SLIDE 12

Redirect Sweep Attack Demo

https://www.youtube.com/watch?v=qiiSuIE79No

SLIDE 13

Defenses Against Sweep Attacks

Manual autofill (as secure as manual entry)

Secure filling (more secure than manual entry)
  • Don’t let JavaScript read autofilled passwords
  • Site must submit form using HTTPS
  • Let form submit only if action matches action when password was saved

SLIDE 14

Two-factor Authentication

To log in, you need to provide your credentials, and something else. Examples of 2nd factors:

  • Security questions
  • Text, phone call, or email with temporary code
  • Software or physical temporary code generator
  • USB security key

SLIDE 15

2FA Poll!

Poll: have you turned on 2-factor authentication for any of your accounts?

  A: Yes, whenever the option is available.
  B: Yes, if the website directly asks me to do so.
  C: Yes, but only for important accounts.
  D: Yes, but only when I’m forced to.
  E: No.

Vote at: https://pollev.com/wolfson

SLIDE 16

Software-Based 2FA

SLIDE 17

Hardware-Based 2FA

  • USB authentication devices
  • Private key is stored on the security key, public key is stored by the website
  • Challenge response protocol: website sends a challenge (a string), security key signs it with the private key, website verifies the signature with the public key
  • More secure than temporary codes: one private key per account, only signs the challenge if it’s on the correct domain (Codes can be phished!)
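Added example, not from the slides: the challenge-response protocol from the bullets above, with the origin check that keeps a phishing page from obtaining a usable signature and a single-use challenge that blocks replay. It assumes the third-party `cryptography` package (Ed25519); the site names, accounts and class names are constructed for illustration.

```python
# Added example (not part of the slides): slide 17's challenge-response with the origin check
# that stops phishing. Assumes the third-party `cryptography` package; names are constructed.
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


class SecurityKey:  # the USB device: one private key per (origin, account), never exported
    def __init__(self):
        self._keys = {}  # (origin, account) -> Ed25519PrivateKey

    def register(self, origin, account):
        priv = Ed25519PrivateKey.generate()
        self._keys[(origin, account)] = priv
        return priv.public_key()  # only the public key leaves the device

    def sign_challenge(self, origin, account, challenge):
        # The browser reports which origin is asking; a look-alike phishing domain
        # has no key registered, so the device refuses to sign for it.
        priv = self._keys.get((origin, account))
        if priv is None:
            return None
        return priv.sign(origin.encode() + b"|" + challenge)  # origin bound into the signature


class Website:  # the relying party: stores public keys, issues and checks challenges
    def __init__(self, origin):
        self.origin, self._pubkeys, self._pending = origin, {}, {}

    def enroll(self, account, key):
        self._pubkeys[account] = key.register(self.origin, account)

    def new_challenge(self, account):
        self._pending[account] = os.urandom(32)  # fresh per attempt, so a signature can't be replayed
        return self._pending[account]

    def verify(self, account, signature):
        challenge = self._pending.pop(account, None)  # single use
        if challenge is None or signature is None or account not in self._pubkeys:
            return False
        try:
            self._pubkeys[account].verify(signature, self.origin.encode() + b"|" + challenge)
            return True
        except InvalidSignature:
            return False


def login(site, key, account, browser_origin):  # browser_origin: where the browser really is
    challenge = site.new_challenge(account)
    return site.verify(account, key.sign_challenge(browser_origin, account, challenge))
```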

SLIDE 18

Security Keys Aren’t Perfect…

Hardware/firmware bugs can compromise a key’s security. In theory: supply chain attacks, which introduce backdoor vulnerabilities in the factory or in transit.

SLIDE 19

Secondary Factors Do Help!

https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

SLIDE 20

Could We Replace Passwords?

Passwords have many weaknesses

  • Phishing, brute force guessing, password database dumps, password reuse, etc.

Do better systems exist? What other authentication heuristics do we have? Any replacement would ideally be better than passwords in the areas of:

  • Usability: easy-to-learn, efficient-to-use, web compatible
  • Deployment: accessible, negligible cost
  • Security: resilient to phishing, resilient to theft, hard to observe/imitate
SLIDE 21

Graphical Passwords

Many variants… One example: Passfaces

  • Assumption: easy to recall faces

Problem: to make passwords easy to remember, users choose predictable faces

SLIDE 22

Graphical Passwords

Another variant: draw on the image (Windows 8). Problem: to make the drawing easy to remember, users choose predictable points/lines.

SLIDE 23

Unlock Patterns

Problems:

  • Predictable patterns (sound familiar by now??)
  • Smear patterns
  • Side channels: apps can use accelerometer and gyroscope to extract pattern!

SLIDE 24

What about Biometrics?

Authentication: What you are

Unique identifying characteristics to authenticate user or create credentials

  • Fingerprints
  • Iris scan
  • Facial recognition
  • Behavior characteristics (how one performs actions): handwriting, typing, gait, etc.
  • Voice recognition
  • DNA profiling
  • Electroencephalogram (EEG) signatures

SLIDE 25

Advantages of Biometrics

  • Nothing to remember
  • Passive
  • Can’t share (generally)
  • With perfect accuracy, could be fairly unique

SLIDE 26

What are some disadvantages with biometrics?

SLIDE 27

Issues with Biometrics

Private, but not secret

  • Maybe encoded on the back of an ID card?
  • Maybe encoded on your glass, door handle, ...
  • Sharing between multiple systems?

Revocation is difficult (impossible?)

  • Sorry, your iris has been compromised, please create a new one...

Physically identifying

  • Soda machine to cross-reference fingerprint with DMV?

Birthday paradox

  • With false accept rate of 1 in a million, probability of false match is above 50% with only 1609 samples

Legal implications

  • Biometrics not protected by 4th amendment
SLIDE 28

Risks with Biometrics

SLIDE 29

Attacking Biometrics

An adversary might try to steal biometric info

  • Malicious fingerprint reader
  • Consider when biometric is used to derive a cryptographic key
  • Residual fingerprint on a glass

Example: Apple’s Touch ID

SLIDE 30

Attacking Biometrics

[Starbug -- http://istouchidhackedyet.com/]

SLIDE 31

Attacking Biometrics

[Starbug -- http://istouchidhackedyet.com/]

SLIDE 32

Apple Face ID Vulnerabilities

SLIDE 33

Good luck with everything!