Section 7: Lab 2 & Authentication CSE 484 / CSE M 584 - PowerPoint PPT Presentation

Section 7: Lab 2 & Authentication CSE 484 / CSE M 584

Administrivia May 15 th May 25 th Final Project Checkpoint 1 Due @ Memorial Day: No Lecture 11:59pm Lab 2 Due @ 11:59pm Homework 3 Due @ 11:59pm May 22 nd May 29 th

More Lab 2 Hints

Lab 2 Hints: There are usually multiple ways to do the XSS exploits! Web ◦ Example: In Problem 1, window.open may fail because of popup blocking Requests ◦ What other JavaScript APIs or HTML elements can cause a web request from a page?

There are different ways to run JS on a page: Inline JS External JS files Extensions From the console (event handlers as (attached <script> (not in Lab 2, but (mostly for testing, strings inside HTML with src in HTML becoming very doesn’t save state on tags, <script> tags popular for web users) page refresh) <head> or <body> ) with embedded JS) You don’t need to know all of them for Lab 2, but you will need to use different approaches for different filters!

Lab 2 Hints: Executing JS Mixing HTML, JavaScript and URLs… which syntax are you using? <body onload="alert('hi');"></body> <script> HTML alert('hi'); </script> JavaScript For event handler attributes, the value is interpreted as JavaScript code and inserted into a function: > console.log(myImg.onload.toString()); "function onload(e) { alert('hi'); }" Will this iframe execute the script? <iframe src="example.com/?id=<script>alert('hi');</script>"/> Which language’s escape characters do we need to use? This is JS embedded in a URL This is a URL which means it Because the URL is loaded in an iframe, the code must be URL encoded will be executed in the context of the page within the iframe (if it has an XSS vulnerability)

Lab 2 Hints: Encoding Schemes Text can be encoded in different forms on web pages. Why do you think this is useful? See XSS Intro resource for a great overview of different schemes

Lab 2 Hints: SQL CREATE TABLE students ( Recall that SQL is a language used to manage and id int, query databases name varchar(255) ); Each database contains tables of data. The SELECT keyword is used to query tables and INSERT INTO students retrieve data. VALUES (1, 'Sam Wolfson'); What can possibly go wrong? SELECT * FROM students WHERE id = 1; DELETE FROM students OR 1 = 1; -- ; WHERE id = 1;

Authentication

Add biometrics • For example, keystroke dynamics or voiceprint Graphical passwords • Goal: easier to remember? no need to write down? Improving (?) Passwords Password managers • Examples: LastPass, KeePass, etc. (built into browsers) • Can have security vulnerabilities… Two-factor authentication • Leverage phone (or other device for authentication)

Password Manager Vulnerabilities Automatic autofill (a feature of many password managers) is convenient, but hard to make secure Subject to sweep attacks: stealing multiple passwords without user interaction https://www.usenix.org/node/184476

Redirect Sweep Attack Demo https://www.youtube.com/watch?v=qiiSuIE79No

Manual autofill (as secure as manual entry) Defenses Against Sweep Secure filling (more secure than manual entry) • Don’t let JavaScript read autofilled passwords Attacks • Site must submit form using HTTPS • Let form submit only if action matches action when password was saved

Two-factor Authentication To log in, you need to provide your credentials, and something else Examples of 2nd factors: ◦ Security questions ◦ Text, phone call, or email with temporary code ◦ Software or physical temporary code generator ◦ USB security key

2FA Poll! Poll: have you turned on 2-factor authentication for any of your accounts? A: Yes, whenever the option is available. B: Yes, if the website directly asks me to do so. C: Yes, but only for important accounts. D: Yes, but only when I’m forced to. E: No. Vote at: https://pollev.com/wolfson

Software-Based 2FA

Hardware-Based 2FA • USB authentication devices • Private key is stored on the security key, public key is stored by the website • Challenge response protocol: website sends a challenge (a string), security key signs it with the private key, website verifies the signature with the public key • More secure than temporary codes: one private key per account, only signs the challenge if it’s on the correct domain (Codes can be phished!)

Security Keys Aren’t Perfect… Hardware/firmware bugs can compromise its security In theory: supply chain attacks - introduce backdoor vulnerabilities in the factory/in transit

Secondary Factors Do Help! https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

Could We Replace Passwords? Passwords have many weaknesses ◦ Phishing, brute force guessing, password database dumps, password reuse, etc. Do better systems exist? What other authentication heuristics do we have? Any replacement would ideally be better than passwords in the areas of: ◦ Usability: easy-to-learn, efficient-to-use, web compatible ◦ Deployment: accessible, negligible cost ◦ Security: resilient to phishing, resilient to theft, hard to observe/imitate

Graphical Passwords Many variants… One example: Passfaces ◦ Assumption: easy to recall faces Problem: to make passwords easy to remember, users choose predictable faces

Graphical Passwords Another variant: draw on the image (Windows 8) Problem: to make drawing easy to remember, users choose predictable points/lines

Unlock Patterns Problems: ◦ Predictable patterns (sound familiar by now??) ◦ Smear patterns ◦ Side channels: apps can use accelerometer and gyroscope to extract pattern!

Authentication: What you are Unique identifying characteristics to What about authenticate user or create credentials • Fingerprints • Iris scan • Facial recognition Biometrics? • Behavior characteristics (how one performs actions): handwriting, typing, gait, etc. • Voice recognition • DNA profiling • Electroencephalogram (EEG) signatures

Advantages of Biometrics Nothing to remember Passive Can’t share (generally) With perfect accuracy, could be fairly unique

What are some disadvantages with biometrics?

Issues with Biometrics Private, but not secret ◦ Maybe encoded on the back of an ID card? ◦ Maybe encoded on your glass, door handle, ... ◦ Sharing between multiple systems? Revocation is difficult (impossible?) ◦ Sorry, your iris has been compromised, please create a new one... Physically identifying ◦ Soda machine to cross-reference fingerprint with DMV? Birthday paradox ◦ With false accept rate of 1 in a million, probability of false match is above 50% with only 1609 samples Legal implications ◦ Biometrics not protected by 4 th amendment

Risks with Biometrics

Attacking Biometrics An adversary might try to steal biometric info ◦ Malicious fingerprint reader ◦ Consider when biometric is used to derive a cryptographic key ◦ Residual fingerprint on a glass Example: Apple’s Touch ID

Attacking Biometrics [Starbug -- http://istouchidhackedyet.com/]

Attacking Biometrics [Starbug -- http://istouchidhackedyet.com/]

Apple Face ID Vulnerabilities

Good luck with everything!