The Shepherd Project: Automated security audits of web login processes (PowerPoint presentation)



SLIDE 1

The Shepherd Project

— Automated security audits of web login processes

SLIDE 2

Benjamin Krumnow (27th March 2018)

  • Employee at the TH Köln
  • External PhD student (50%) at the OU (~2 years)
  • H. Jonker, M. Van Eekelen, H. Vranken, S. Karsch
  • Joined the Shepherd project in Feb/Mar 2017
  • Karate, surfing, hiking & caving
  • Vegetarian
  • Fascinated by information security and privacy

SLIDE 3

Project Members

  • Marc Sleegers: initial project "Shepherd" [1]; B.Sc. in 2017
  • Hugo Jonker: supervision in all projects
  • Jelmer Kalkman: bachelor project; Single Sign On and refactoring
  • Alan Verresen: bachelor project; Single Sign On and refactoring

SLIDE 4

Background: Login Process

SLIDE 5

Background: Login Process

Diagram: User Agent (Browser) <-> Server. Message sequence: request/response; credentials; session cookies; request (session cookies); response; …

SLIDE 6

Motivation: Firesheep 2010 [2]

  • Login process via an unencrypted channel
  • Session can be hijacked or accounts stolen

Diagram: Wifi User Alice on the local (Wifi) network behind the WiFi (Router); traffic to the Web Server in the outside world.

SLIDE 7

Motivation: Firesheep 2010 [2]

  • Login process via an unencrypted channel
  • Session can be hijacked or accounts stolen
  • Automated capturing of session cookies
  • Hijacking sessions by a "click"
  • Popular services like Facebook, Google and co. fixed this issue!

Diagram: Wifi User Alice and a Firesheep User share the WiFi (Router); the link to the Web Server is marked "Unencrypted or weak encryption".

SLIDE 8

It's 2018! What has changed since then?

Diagram: Wifi User Alice and the Firesheep User on a WiFi (Router) protected with WPA & WPA2; the link to the Web Server uses HTTPS.

  • Encryption
  • Browser extensions and developments (cookie flags, HSTS, HPKP)
  • New possible login mechanisms (Single-Sign-On, HTTP bearer tokens)
SLIDE 9

How much have login process security measures been adapted? Research questions:

SLIDE 10

How much have login process security measures been adapted?

  • 1. Are these vulnerabilities still valid?
    —> Evaluate session stealing attacks in a lab and in the wild
    —> Evaluate attacks on Single-Sign-On based sessions

SLIDE 11

Evaluation of vulnerabilities

  • Three kinds of vulnerabilities evaluated in a lab
  • 1. All over HTTP -> leaks even the credentials
  • 2. HTTPS for the login and fallback to HTTP afterwards
  • 3. All over HTTPS, but the session cookie misses the Secure flag. A single HTTP request is sufficient for the attack

Diagram (one sequence per case): User Agent <-> Server: credentials; session cookies; request (session cookies); response

SLIDE 12

Automatic attack

  • 1. Become a MITM on the network layer
    • ARP spoofing attack to re-route traffic (IPv4 only!)
    • Modify packet IP addresses
    • See [10] for more MITM attacks
  • 2. CSRF attack by modifying HTML sent over HTTP
    • Injecting elements into the HTML body of an HTTP response
    • (Capture cookies)

Diagram 1: Attacker Eve to Wifi User Alice: "I am your gateway!" (WiFi (Router), Web Server)

Diagram 2: Regular traffic between Wifi User Alice and the Web Server through the WiFi (Router); Attacker Eve injects <link type="text/css" href="http://target_url/style.css">
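The three cases of slide 11 and the injected stylesheet link from slide 12 can be replayed offline. The following Python is an added example, not code from the Shepherd project: it drives a constructed login exchange through a minimal cookie jar that implements only the Secure-attribute rule (a Secure cookie is never attached to an http:// request) and reports which class the exchange falls in. Host names, cookie names, the credentials and the trace format are constructed for the example; Domain and Path scoping of cookies is deliberately ignored.

```python
# Added example, not code from the Shepherd project: replay a recorded login
# exchange through a minimal cookie jar and report which of the three lab
# vulnerability classes applies. Host names, cookie names and values are
# constructed for illustration.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

CLASSES = {
    0: "none of the three (Secure cookie, all over HTTPS)",
    1: "all over HTTP: credentials leak on the wire",
    2: "HTTPS login, HTTP afterwards: session cookie leaks on the first plain request",
    3: "all over HTTPS, Secure flag missing: one injected http:// request leaks the cookie",
}


class CookieJar:
    """Only the rule that matters here: a cookie carrying the Secure attribute is
    never attached to a plain http:// request. Domain/Path scoping is ignored."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure)

    def store(self, set_cookie_headers):
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                self.cookies[name] = (morsel.value, bool(morsel["secure"]))

    def cookies_for(self, url):
        https = urlsplit(url).scheme == "https"
        return {n: v for n, (v, secure) in self.cookies.items() if https or not secure}


def classify(trace, auth_cookie):
    """trace: list of (request_url, submitted_form_fields, Set-Cookie headers of
    the response), in order. Form fields are only non-empty for the request
    that carries the credentials. Returns the class number (see CLASSES)."""
    jar = CookieJar()
    creds_over_http = cookie_over_http = False
    for url, form_fields, set_cookie_headers in trace:
        plain = urlsplit(url).scheme == "http"
        if plain and form_fields:
            creds_over_http = True                      # class 1 evidence
        if plain and auth_cookie in jar.cookies_for(url):
            cookie_over_http = True                     # class 2 evidence
        jar.store(set_cookie_headers)                   # server's reply to this request
    # Slide 12's injected <link href="http://target/style.css">: one plain request
    # to the site's host. It only pays off if the browser attaches the cookie.
    host = urlsplit(trace[0][0]).hostname
    leaks_on_injected = auth_cookie in jar.cookies_for(f"http://{host}/style.css")
    if creds_over_http:
        return 1
    if cookie_over_http:
        return 2
    if leaks_on_injected:
        return 3
    return 0


CREDENTIALS = {"user": "alice", "password": "correct-horse"}  # constructed

# Four constructed exchanges of the same shape: GET login page, POST credentials
# (the response sets the session cookie), then one authenticated page fetch.
TRACES = {
    "all_http": [
        ("http://shop.example/login", {}, []),
        ("http://shop.example/login", CREDENTIALS, ["sid=1111; Path=/"]),
        ("http://shop.example/account", {}, []),
    ],
    "https_login_then_http": [
        ("https://shop.example/login", {}, []),
        ("https://shop.example/login", CREDENTIALS, ["sid=2222; Path=/; HttpOnly"]),
        ("http://shop.example/account", {}, []),
    ],
    "https_without_secure": [
        ("https://shop.example/login", {}, []),
        ("https://shop.example/login", CREDENTIALS, ["sid=3333; Path=/; HttpOnly"]),
        ("https://shop.example/account", {}, []),
    ],
    "https_with_secure": [
        ("https://shop.example/login", {}, []),
        ("https://shop.example/login", CREDENTIALS, ["sid=4444; Path=/; Secure; HttpOnly"]),
        ("https://shop.example/account", {}, []),
    ],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        c = classify(trace, "sid")
        print(f"{name:24s} class {c}: {CLASSES[c]}")
```

The fourth trace is the one the attack of slide 12 cannot touch: the cookie is set with Secure, so the browser refuses to attach it to the injected http:// request even though the page it was injected into was delivered over plain HTTP.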

SLIDE 13

Does that work for Single-Sign-On?

SLIDE 14

Attacking Sessions established with OAuth

  • Example OAuth flow [4]

Diagram: User Agent (User), cute.animals.com (Service provider), Facebook (Resource/Authorisation Server). Messages: Authorisation Request; Authorisation Grant; Authorisation Grant; Access Token; Access Token; Protected Resource
SLIDE 15

How much have login process security measures been adapted?

SLIDE 16

How much have login process security measures been adapted?

  • 1. Are the vulnerabilities still valid?
    —> Evaluate session stealing attacks in a lab and in the wild
    —> Evaluate attacks on Single-Sign-On based sessions
  • 2. How many sites are still vulnerable to such attacks?
    • We need to look at the cookies
    • Analysing websites with Single-Sign-On logins for "homegrown" sessions
    —> Build a scanner for websites to search for possible session attacks

SLIDE 17

Scanning the web for login process security

SLIDE 18

The scanner at a glance

Preparation stage: Collect websites -> Acquire credentials
Login stage: Find login pages -> Attempt to login -> Verify login
Deduction stage: Identify auth cookies -> Execute security scans

SLIDE 19

Preparation stage: Collect websites, Acquire credentials

  • Alexa Top 1 Million web sites
  • BugMeNot (BMN) - service with user-generated credentials [5]
  • Single-Sign-On (SSO) credentials
  • Importance: unique criteria, and the study is not biased by relying on the BMN database

SLIDE 20

Login stage: Find login pages, Attempt to login, Verify login

  • 1. Traverse web sites
    • Assumption: login page is reachable from the landing page
    • Landing page, URLs, clickable elements, brute force, URLs 2nd level
  • 2. Coverage of 4 login types
SLIDE 21

Login stage: Find login pages, Attempt to login, Verify login

  • 3. Verify successful logins
    • Disappearing of the password field
    • Getting blocked, account is restricted, captchas, page switch
    • Presence of account details, keyword "logout" or login area
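The verification heuristics above, applied in an added Python example (not the Shepherd scanner's code) to page snapshots taken before and after the login attempt. The HTML, URLs, user name, marker keyword lists and weights are constructed assumptions; the weights encode the false-positive caveats of slide 32 (a disappearing password field and a page switch are weak signals, and short user names are not counted because they match unrelated page text).

```python
# Added example, not the Shepherd scanner's own code: the login-verification
# heuristics from the slide applied to a page snapshot before and after the
# login attempt. HTML, URLs, user name, marker lists and weights are constructed.
from html.parser import HTMLParser


class PageProbe(HTMLParser):
    """Count password inputs and collect the visible text of a page."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_fields += 1

    def handle_data(self, data):
        self._chunks.append(data.lower())

    @property
    def text(self):
        return " ".join(self._chunks)


def probe(html):
    p = PageProbe()
    p.feed(html)
    return p.password_fields, p.text


BLOCKED_MARKERS = ("captcha", "blocked", "restricted", "too many attempts")
LOGGED_IN_MARKERS = ("logout", "log out", "sign out", "my account")

# Weights: a password field can disappear on an error page and a redirect
# happens on failures too, so those two count less than an explicit logged-in
# marker or the user's own name on the page.
WEIGHTS = {"password field gone": 0.25, "page switched": 0.15,
           "logout/account marker": 0.35, "username shown": 0.25}


def verify_login(before_html, after_html, before_url, after_url, username):
    """Return (verdict, confidence, evidence).

    verdict is 'blocked', 'success' or 'failure'; confidence is the sum of the
    weights of the heuristics that fired (0..1)."""
    pw_before, _ = probe(before_html)
    pw_after, text_after = probe(after_html)
    if any(m in text_after for m in BLOCKED_MARKERS):
        return "blocked", 0.0, ["blocked/captcha marker on page"]
    evidence = []
    if pw_before and not pw_after:
        evidence.append("password field gone")
    if before_url != after_url:
        evidence.append("page switched")
    if any(m in text_after for m in LOGGED_IN_MARKERS):
        evidence.append("logout/account marker")
    # A short user name ("test", "pass") appears on many pages regardless of
    # login state, so only reasonably specific names count as evidence.
    if len(username) >= 6 and username.lower() in text_after:
        evidence.append("username shown")
    confidence = round(sum(WEIGHTS[e] for e in evidence), 2)
    return ("success" if confidence >= 0.5 else "failure"), confidence, evidence


# Constructed snapshots
LOGIN_PAGE = """<html><body><form action="/login" method="post">
<input name="user"><input name="pass" type="password"><button>Login</button>
</form></body></html>"""
ACCOUNT_PAGE = """<html><body><p>Welcome back, alice_wonder</p>
<a href="/logout">Logout</a><div id="orders">3 open orders</div></body></html>"""
ERROR_PAGE = """<html><body><p>Invalid password.</p><form action="/login" method="post">
<input name="user"><input name="pass" type="password"></form></body></html>"""
CAPTCHA_PAGE = """<html><body><p>Please solve the CAPTCHA to continue.</p>
<img src="/captcha.png"><form><input name="captcha"></form></body></html>"""

if __name__ == "__main__":
    print(verify_login(LOGIN_PAGE, ACCOUNT_PAGE, "/login", "/account", "alice_wonder"))
    print(verify_login(LOGIN_PAGE, ERROR_PAGE, "/login", "/login", "alice_wonder"))
    print(verify_login(LOGIN_PAGE, CAPTCHA_PAGE, "/login", "/login", "alice_wonder"))
```

The returned confidence is the "confidence level" of slide 32 in its simplest form: a run that only shows the weak signals (field gone, page switched) stays below the success threshold and is left for manual reproduction.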

SLIDE 22

Deduction stage: Identify auth cookies, Execute security scans

  • Finding authentication cookies
    • Working verification function necessary
    • Eliminate cookies which do not contribute to the login
    • Previous work as solution: Mundada et al. (2016) and Calzavara et al. (2014) [7,8]
    • Large search space, because any subset is possible (2^n, exponential in n)
    • Fast reduction: if a subset A authenticates, skip every superset B of A (B ⊇ A) [6]; if a subset fails (¬A), skip all of its subsets (its power set)
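The pruned subset search above, as an added Python example (not the scanner's own implementation). The site is a constructed stand-in whose session needs two cookies; the jar contents and the order in which subset sizes are visited are the example's own choices, the verification oracle is a plain function instead of a Selenium round trip.

```python
# Added example, not the Shepherd scanner's own code: find the minimal set of
# cookies that carries the session by re-issuing the authenticated request with
# subsets of the jar, pruned as the slide describes. The verification function
# is a constructed stand-in for a real "am I still logged in?" check.
from itertools import combinations


def constructed_is_authenticated(cookies):
    """Stand-in for the scanner's login-verification function: the constructed
    site is logged in only when both 'sid' and 'uid' are sent; analytics,
    language, consent and A/B cookies do not matter."""
    return "sid" in cookies and "uid" in cookies


def minimal_auth_cookie_sets(jar, is_authenticated):
    """Return (list of minimal authenticating cookie sets, verification runs).

    jar: dict name -> value of every cookie present after login.
    is_authenticated: callable taking the dict of cookies to send.
    """
    names = sorted(jar)
    n = len(names)
    runs = 0

    def check(subset):
        nonlocal runs
        runs += 1
        return is_authenticated({c: jar[c] for c in subset})

    # Precondition from the slide: the verification function must work at all.
    if not check(names):
        raise ValueError("full cookie jar does not authenticate; fix verification first")

    good, bad = [], []  # subsets known to authenticate / known to fail
    # Visit sizes 1, n-1, 2, n-2, ...: small subsets first, because a hit prunes
    # every superset; large subsets next, because a miss prunes every subset.
    order = []
    for k in range(1, n):
        for size in (k, n - k):
            if size not in order:
                order.append(size)
    for size in order:
        for combo in combinations(names, size):
            s = frozenset(combo)
            if any(s >= g for g in good):   # superset of a working set: skip
                continue
            if any(s <= b for b in bad):    # subset of a failing set: skip
                continue
            (good if check(s) else bad).append(s)
    if not good:                            # no proper subset works
        return [frozenset(names)], runs
    # Keep only the sets that have no smaller working subset.
    return [g for g in good if not any(h < g for h in good)], runs


# Constructed jar after a successful login: two session cookies plus noise.
CONSTRUCTED_JAR = {
    "sid": "9f3c1e7a", "uid": "1042", "_ga": "GA1.2.555", "lang": "en",
    "consent": "1", "ab_test": "B",
}

if __name__ == "__main__":
    minimal, runs = minimal_auth_cookie_sets(CONSTRUCTED_JAR, constructed_is_authenticated)
    print("auth cookie sets:", [sorted(m) for m in minimal])
    print(f"verification runs: {runs} instead of {2 ** len(CONSTRUCTED_JAR) - 1}")
```

With six cookies the naive search would need 63 verification runs; here the six singletons fail, the six five-cookie sets settle which cookies are essential, and every remaining subset is pruned by one of the two rules, so 14 runs (including the initial full-jar check) are enough.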
SLIDE 23

Deduction stage: Identify auth cookies, Execute security scans

  • Execute security scans
    • Cookie flags: SameSite, Secure, HttpOnly
    • HSTS and HPKP detection
    • Cookie fixation
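The scans listed above, as an added Python example (not the scanner's own code) over constructed response headers. Its inputs are the cookies seen before credentials were submitted, the headers of the login response, and the authentication cookie names from the identification step; Python's http.cookies parser is used for the Set-Cookie lines, and all header and cookie values are constructed.

```python
# Added example, not the Shepherd scanner's own code: the scans listed on the
# slide (cookie flags, HSTS/HPKP headers, cookie fixation) run over constructed
# response headers captured before and after the login, restricted to the
# authentication cookies identified in the previous step.
from http.cookies import SimpleCookie


def scan(pre_login_cookies, post_login_headers, auth_cookie_names):
    """pre_login_cookies: name -> value of cookies seen before credentials were
    sent. post_login_headers: list of (header, value) from the login response,
    repeated Set-Cookie headers allowed. auth_cookie_names: result of the
    auth-cookie identification step. Returns a dict of findings."""
    lower = [(h.lower(), v) for h, v in post_login_headers]
    findings = {
        "hsts": any(h == "strict-transport-security" for h, _ in lower),
        "hpkp": any(h == "public-key-pins" for h, _ in lower),
        "no_secure": [], "no_httponly": [], "no_samesite": [], "fixation": [],
    }
    reissued = set()
    for h, v in lower:
        if h != "set-cookie":
            continue
        parsed = SimpleCookie()
        parsed.load(v)
        for name, morsel in parsed.items():
            if name not in auth_cookie_names:
                continue
            reissued.add(name)
            if not morsel["secure"]:
                findings["no_secure"].append(name)
            if not morsel["httponly"]:
                findings["no_httponly"].append(name)
            # Absent attribute or an explicit SameSite=None: no cross-site restriction
            if str(morsel["samesite"]).lower() in ("", "none"):
                findings["no_samesite"].append(name)
            # Fixation: the pre-login session identifier survives authentication
            if pre_login_cookies.get(name) == morsel.value:
                findings["fixation"].append(name)
    # An auth cookie that was never re-issued at login is fixated as well
    for name in sorted(auth_cookie_names):
        if name not in reissued and name in pre_login_cookies:
            findings["fixation"].append(name)
    # Slide 31 reports "no Secure (but HSTS)" separately: HSTS stops the browser
    # from making the plain request at all, but only once the header was seen.
    findings["no_secure_but_hsts"] = list(findings["no_secure"]) if findings["hsts"] else []
    return findings


PRE_LOGIN_COOKIES = {"sid": "e1c4a9", "lang": "en"}          # constructed, first visit
POST_LOGIN_HEADERS = [                                        # constructed login response
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=e1c4a9; Path=/; HttpOnly"),           # same id as before login, no Secure
    ("Set-Cookie", "uid=1042; Path=/; Secure; SameSite=Lax"),  # no HttpOnly
    ("Set-Cookie", "lang=en; Path=/"),                         # not an auth cookie: ignored
]
AUTH_COOKIE_NAMES = {"sid", "uid"}

if __name__ == "__main__":
    for key, value in scan(PRE_LOGIN_COOKIES, POST_LOGIN_HEADERS, AUTH_COOKIE_NAMES).items():
        print(f"{key:20s} {value}")
```

The fixation check is the one that needs the pre-login snapshot: a site that hands out the session identifier on the first visit and keeps it after the credentials are accepted lets an attacker who planted that identifier ride the victim's session.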

SLIDE 24

Performing the study

SLIDE 25

The study

  • 1. Build credential pool for logging in
    • 1.1. Creating fake Single Sign On (SSO) accounts
    • 1.2. Source credentials from BugMeNot with a static scanner
  • 2. Scanning with a dynamic scanner (Selenium)
    • 2.1. ~65K domains with BugMeNot credentials
    • 2.2. Alexa top 1 Million with SSO credentials

SLIDE 26

Overview BugMeNot

Sourcing Alexa 1M (late Feb)

  • No. of credentials: 131,034
  • No. of sites: 50,840
  • Refresh before scan
  • No credentials for: ~949K
  • Errors: 222
  • Error 404 - bug

Chart: sites with credentials within the Alexa 1M, by 100k rank bucket (<100k, <200k, …, <1M); bar values as extracted: 1,388; 1,804; 1,912; 2,326; 2,584; 3,464; 4,423; 6,433; 8,154; 18,352 (sum 50,840).

SLIDE 27

BugMeNot: old vs new set

Previous results (late Oct):

  • Fresh Alexa Top 1M dataset gave us ~59K domains vs. ~50K
  • 14,888 domains were missing in the new set
  • 6,118 new sites
  • Overall: 65,728 domains
SLIDE 28

Scanning

SLIDE 29

Runtime performance

  • 2 servers, 5 browser instances each: ~7,500 sites per machine a day
  • Average scanning time: 61 seconds
  • Average performance to find session cookies
    • Duration: 51 seconds
    • Executions: 11.7 (avg. 8 cookies)
    • Session cookies found: 1.5
  • SSO scanner still under development:
    • Currently limited to Facebook
    • Today: early results with 500 websites
    • Goal before the conference: 100K

SLIDE 30

Performance of the scanner

Procedure             | BMN (65,728)          | %                  | SSO (~300) | %
Login page detected   | 38,421                | 58%                | 79         | 26%
Authenticated         | 11,445                | 61K: 18%, 38K: 29% | 35         | 44%
Verified              | LP: 4,790 / LA: 5,858 | 41% / 51%          | 7          | 20%
Session cookies found | 6,378 (7,105)         | 89%                |            |

  • Failed scans: 4,449 (6%)
  • Captchas: 2,341 (3%)

SLIDE 31

Security Results

Detection                          | BMN (11,445) | %    | Deducted (6,379) | %
Header: HSTS (1)                   | 1,416        | 12%  | 5,521            | 77%
Header: HPKP (2)                   | 76           | 0.6% | 43               | 0.6%
Cookie flags: no SameSite          |              | 0%   |                  | 0%
Cookie flags: no Secure (but HSTS) | 6,086 (214)  | 53%  | 2,693 (50)       | 42%
Cookie flags: no HttpOnly          | 4,907        | 42%  | 2,639            | 41%
Cookies: fixation                  | 736          | 6.4% | 175              | 2.7%

The parenthesised counts in the "no Secure" row are the sites among them that do send HSTS.

1) HTTP Strict Transport Security 2) HTTP Public Key Pinning

SLIDE 32

False-Positives and False-Negatives

  • Chances for false positives and false negatives
    • Login page found, login success, verifying
    • Websites with credentials but no login
    • Password fields can disappear
    • Simple usernames
  • Checking false positives
    • Reproducing runs is time consuming
    • Storage of pictures (disk space, visible signs)
    • Current solution: confidence level

SLIDE 33

Practicability Challenges

  • Runtime performance
    • Selenium API contains slow functions, which can become tricky to detect
    • Dynamic timeout estimation
    • Optimisation of page traversing
    • Heuristics vs. probability model
    • Scan and execute vs. first scan, then execute
  • Stability
    • Selenium timeouts, running out of memory and browser crashes
    • Re-scanning vs. stage freezing [3]

SLIDE 34

Conclusions of the study

  • Approach
    • Automatic logging into websites is a non-trivial task
    • Pattern-based approach with taking immediate actions has got limitations
    • Suitability of Selenium for web scraping (also see [3])???
    • Comparison with [7,8,9]
  • Vulnerabilities
    • HSTS still rarely used (same for SameSite flag and)
    • Secure flag missing for over 42% with high certainty
    • Might be biased by the BugMeNot database
    • Low HPKP usage <— further investigation needed

SLIDE 35

Conclusions for the PhD project

  • Improve the scanner
    • Account for more countermeasures
    • Classify websites
    • Other login methods (Bearer tokens, OpenID, …)
    • Transforming more functions to the core framework (usage in future projects)

SLIDE 36

References

[1] Marc Sleegers. Counting Sheep - Analysing online authentication security. March 2017.

[2] Eric Butler. FireSheep. 2010, https://codebutler.github.io/firesheep/tc12/, last seen 23rd of March 2017.

[3] S. Englehardt and A. Narayanan. Online tracking: A 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1388–1401, 2016.

[4] RFC 6749 - The OAuth 2.0 Authorization Framework. Internet Engineering Task Force (IETF), 2012, https://tools.ietf.org/html/rfc6749

[5] BugMeNot. http://bugmenot.com/terms.php

[6] Subset. Wikipedia, https://en.wikipedia.org/wiki/Subset, last seen 22nd March 2018.

SLIDE 37

References

[7] Yogesh Mundada, Nick Feamster, and Balachander Krishnamurthy. Half-Baked Cookies: Hardening Cookie-Based Authentication for the Modern Web. In Proc. 11th Asia Conference on Computer and Communications Security (ASIACCS), pages 675–685, 2016.

[8] Stefano Calzavara, Gabriele Tolomei, Michele Bugliesi, and Salvatore Orlando. Quite a mess in my cookie jar! Leveraging machine learning to protect web authentication. In Proceedings of the 23rd International Conference on World Wide Web, pp. 189–200. ACM, 2014.

[9] Steven van Acker, Daniel Hausknecht, and Andrei Sabelfeld. Measuring login webpage security. The 32nd ACM SIGAPP Symposium On Applied Computing, 2017.

[10] Mauro Conti, Nicola Dragoni, and Viktor Lesyk. A survey of man in the middle attacks. IEEE Communications Surveys & Tutorials, 18(3): 2027, 2016.

SLIDE 38

Questions