web security summer term 2012
play

Web Security, Summer Term 2012 Brocken Authentication and Session - PowerPoint PPT Presentation

Aug 16, 2022 •388 likes •641 views

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

  1. IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1

  2. Table of Contents Introduction � Examples of Attacks � Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking Session Expiration Protection � Conclusion � Web Security, Summer Term 2012 7 Broken Authentication and Session Management 2

  3. Broken Authentication and Session Management ◮ Account credentials and sessions tokens are often not properly protected • A third can access to one’s account • Attacker compromise password, keys or authentication token ◮ Risks • Undermine authorization and accountability controls • cause privacy violation • Identity Theft ◮ Method of attack: use weaknesses in authentication mechanism • Logout • Password Management • Timeout • Remember me • . . . Web Security, Summer Term 2012 7 Broken Authentication and Session Management 3

  4. Brute Force Attack (Cont.) ◮ Automated process of trial and error • Guess a person username and password, credit-card number, cryptographic key, . . . • System sends a value and waits for the response, then tries another value, and so on. ◮ Many systems allow the use of weak passwords • An attacker will cycle through a dictionary (word by word) • Generates thousands (potentially millions) of incorrect guesses • When the guessed password is OK, attacker can access the account! ◮ Same technic can be used to guess encryption keys • When the size of the key is small, • An attacker will test all possible keys Web Security, Summer Term 2012 7 Broken Authentication and Session Management 4

  5. Brute Force Attack (Cont.) ◮ Normal Brute Force • For one username, • Attacker tests many passwords Username = Emmanuel Passwords = zizou, zidane, michael-schumacher, [pet names], [birthdays], [car names],... ◮ Reverse Brute Force • For one password, • Attacker tests many usernames • Efficient if the system has millions of users • The chance that many users use the same weak password dramatically increases. Usernames= Emmanuel, Jan, Eric, Guenter,... Password = 12345678 Web Security, Summer Term 2012 7 Broken Authentication and Session Management 5

  6. Session Spotting ◮ Attacker has the possibility to listen to the traffic of the victim • Listens to the traffic at the IP level (sniffer) ◮ Client connects to the HTTP server www.mysite.com • Visits a page containing a login form (url is HTTPS) • Receives a cookie containing his session ID • Sends his credentials encrypted (HTTPS) ◮ Attacker receives following information • Session ID • Sees that the user has sent his credentials (using an encrypted connection to the server) ◮ Attacker can use the cookie to be recognized as the legitimate user! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 6

  7. Replay Attack ◮ Suppose the Victim wants to log on a web site • Victim sends username and password • Web Site verifies the couple ◮ If an attacker can listen to the information transfered • Sniffer (unencrypted) / Trojan (encrypted) / Fishing / Man in the Middle . . . • He can log-in the system using Username and Password ◮ Solution: Use challenge response • The site sends a challenge • The message sent by the user is a response to this challenge Web Security, Summer Term 2012 7 Broken Authentication and Session Management 7

  8. Replay Attack (Cont.) Examples of Challenge/Response systems ◮ UBS (Swiss Bank) login system • User receives a card and an autonomous card reader system • when the user wants to log in, he first need to be recognized by the card • Types a PIN on the card reader • User receives a challenge sent by UBS • User types the challenge in the card reader • The card computes a response (can be used only one time) • The user types the response of the system on the screen • User is logged in! ◮ No replay Attack is possible here, since the information transferring on the network is only usable once. Web Security, Summer Term 2012 7 Broken Authentication and Session Management 8

  9. Session Fixation Attack ◮ Attacker creates a session on a web site • Sends a Request, • Get a Response containing a cookie (SESSION ID=1234abcd5678) • Attacker needs to maintain this session alive (send requests regularly) ◮ Attacker sends this Session ID to the victim • Can be included in a phishing. He sends an email containing the reference to the following URL : http: //www.gmail.com/?page=...&SESSION_ID=1234abcd . • Can be just a reference to an image on the targeted site: <img src="http://www.gmail.com/?SESSION_ID=1234abcd"> Web Security, Summer Term 2012 7 Broken Authentication and Session Management 9

  10. Session Fixation attack (Cont.) ◮ The session can be transfered using two means: • URL parameter • Cookie ◮ Targeted Web site receives the request from the victim • Receives a valid SESSION ID, • Resends it in the links contained in the page + as cookie • The page is not evaluated (browser expects an image or a javascript or a CSS or anything) • But the cookie is stored in the browser. ◮ Next time the victim visits the target • Browser sends automatically the cookie in the Request. • Victim logs in ◮ When the attacker checks the session he/she receives the rights of the victim! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 10

  11. Session Fixation Attack (Cont.) ◮ Do not accept preset or invalid session identifiers • It is the door for Session Fixation Attack Web Security, Summer Term 2012 7 Broken Authentication and Session Management 11

  12. Session Hijacking ◮ Credential/Session Prediction • Attacker deduce or guess the session id • Attacker can use the web site with victim’s privileges ◮ Rights are stored in a session, only the session id is used to link the browser and its session • HTTP is session-less • Information is not resent in each request ◮ Guessing the Session ID permits to be the user Web Security, Summer Term 2012 7 Broken Authentication and Session Management 12

  13. Session Hijacking: Example ◮ Many web sites generate session ID with proprietary algorithms • Increment static numbers • Can be more complicated (factoring in time and other computer specific variables) • Session ID is sent to the client ◮ An attack can be: • Attacker connects to the web site and gets a session ID • Attacker calculates or Brute Forces the next session ID • Attacker switches the value of the cookie and assumes the identity of the next user! Web Security, Summer Term 2012 7 Broken Authentication and Session Management 13

  14. Insufficient Session Expiration ◮ Can be exploited on a shared computing environment • More than one person has physical access to a computer ◮ Suppose logout function sends the victim to site’s home-page without deleting the session • Or more likely, that the user just closed the window without logging-out ◮ Another user could go through the browser’s history and view pages accessed by the victim • Since the victim’s session ID has not been deleted, • The attacker would be able to get the privileges of the victim. Web Security, Summer Term 2012 7 Broken Authentication and Session Management 14

  15. Protection ◮ Authentication relies on secure communication and credential storage ◮ SSL should be the only option for all authenticated parts of the application • Otherwise, listening to credential is possible ◮ All credentials should be stored in hashed or encrypted form • Attack on the database or file system should not compromise credentials • password should systematically be hashed • Private keys should never be stored clear text Web Security, Summer Term 2012 7 Broken Authentication and Session Management 15

  16. No self-made session or SSO system ◮ Only use inbuilt session management mechanism • Do not write or use secondary session handlers! ◮ Do not use “remember me” or home grown Single Sign On • Does not apply to robust SSO or federated authentication solutions ◮ Writing a robust and secure solution requires high knowledge in security • Cryptography • Storage • . . . Web Security, Summer Term 2012 7 Broken Authentication and Session Management 16

  17. Protection (Cont.) ◮ Use a single authentication mechanism • With appropriate strength and number of factors • Ensure it is hard to spoofing and replay attacks ◮ Do not make the mechanism overly complex • it may become subject to an attack Web Security, Summer Term 2012 7 Broken Authentication and Session Management 17

  18. Start login process from an encrypted page ◮ Do not allow the login process to start from an unencrypted pages ◮ Always start login from a second page • Encrypted • Using a fresh or new session token ◮ Prevents credential or session stealing • Phishing attacks • and Session Fixation attacks Web Security, Summer Term 2012 7 Broken Authentication and Session Management 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 1 Table of Contents Principles Request

675 views • 35 slides
Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

486 views • 25 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American Lingo Chips Crisps French Fries Chips Trash Can Rubish Bin Backpack Rucksack Bathroom/Restroom Toilet/Lou Soccer Football Cleats Boots Bus

449 views • 16 slides
Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL EXAM

826 views • 80 slides
Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Technische Universit at M unchen Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term 2012 Michael Bader: Algorithms of Scientific Computing Discrete Cosine Transform (DCT), Summer Term 2012 1

233 views • 19 slides
Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive writing Amazon Diary; (advertising, debates, Reading and writing letters to persuade); instructions. A range of poetry texts The Lightning Thief

193 views • 16 slides
Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

CSE 332 Data Abstractions: Sorting It All Out Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are We have covered stacks, queues, priority queues, and dictionaries Emphasis on providing one

1.09k views • 83 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow &amp; Lee Forsyth Construction and Engineering Welcome to the Summer 2012 edition of In Site. This edition covers the following topics: NEC3 issues for

220 views • 9 slides
Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

University Facilities Management September 14, 2012 Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities Management worked hard over the summer refreshing and repairing campus facilities and grounds in

447 views • 13 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term 2019 Summer Term Additional Headcount Task payments will be made by 19 July. We will let you know via the Broadcast alerts as usual when

577 views • 24 slides
Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128

Better than Brute-Force Optimized Hardware Architecture for Effcient Biclique Attacks on AES-128 Andrey Bogdanov*, Elif Bilge Kavun**, Christof Paar**, Christian Rechberger***, Tolga Yalcin** * KU Leuven, Belgium, ** HGI-RUB, Germany, ***

467 views • 22 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions?

DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions?

DTTF/NB479: Dszquphsbqiz Day 2 Announcements: Subscribe to piazza and start HW1 Questions? Roll Call Today: affine ciphers Sherlock Holmes, The Adventure of the Dancing Men (1898) Who got it? In a letter: 2 weeks later: 2 mornings

494 views • 13 slides
Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll Francisco Jess Monserrat Coll RedIRIS / Red.es RedIRIS / Red.es Jornadas de Seguridad Jornadas de Seguridad Buenos Aires, 4 de Octubre de 2005

1.04k views • 37 slides
What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera ,

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks AbdelRahman Abdou, David Barrera , Paul van Oorschot 1 Secure Shell (SSH) Protocol to enable remote logins and network services over an unsecured network. Typically used for

537 views • 27 slides
SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin

SECURITY MONITORING OF HTTP TRAFFIC USING EXTENDED FLOWS Thursday 27 th August, 2015 Martin Husk Petr Velan Jan Vykopal Introduction HTTP is the new IP and we want keep an eye on it. Large-scale monitoring of HTTP traffic was problematic:

500 views • 17 slides
k k text text The same key is used to encrypt the document before sending and decrypt it at

k k text text The same key is used to encrypt the document before sending and decrypt it at

Cryptographic methods: Why use cryptography? Can offer genuinely secure solutions to Brian Candler important security problems Updated by Hervey Allen Some governments forbid it Confidentiality Can I be sure no-one else can see my

845 views • 11 slides
TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda

TM TomcatCon Securing Tomcat For Your Environment Mark Thomas TM Introduction TM Agenda Background Passwords and configuration files Threats Web applications Keeping up to date Policy and process Operating system

842 views • 28 slides

More recommend