
Web Application Security 101 - 06 Authentication


DESCRIPTION

In part 6 of Web Application Security 101 we will look into vulnerabilities affecting the authentication system. You will learn about password bruteforce attacks, cracking captures, bypassing the login system and more.


Page 1: Web Application Security 101 - 06 Authentication

Authentication

Breaking through the front door.

Page 2: Types Of Authentication

Standard: Basic, Digest, NTLM.

Custom: Login Forms, APIs, OpenID, OAuth, etc.

Page 3: Types Of Vulnerabilities

Information Leakage

Default Password

Account Bruteforce

Password Reset Abuse

Authentication Bypass

Man-in-the-middle (MITM)

Denial Of Service (DoS)

Page 4: Information Leakage

Username enumeration via error messages.

Usernames are public information: e.g. sharepoint.

Usernames can be guessed: e.g. firstname.lastname.
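The enumeration problem on this slide comes from the login handler itself: when "unknown username" and "wrong password" produce different responses, every login attempt doubles as a username check. The following is an added example (not code from the slides) that shows a leaky handler next to a hardened one. The credential store, the fixed salt and the iteration count are constructed for the demo; the hardened version returns one generic message and does the same hashing work whether or not the username exists, so neither the text nor the response time reveals which half of the check failed.

```python
import hashlib
import hmac

# Constructed credential store for this example: username -> PBKDF2-SHA256 hash.
# A real application uses a per-user random salt; a fixed one keeps the demo short.
_SALT = b"constructed-demo-salt"
_ITERATIONS = 50_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice": hash_password("correct horse battery")}

# Hash of a throwaway value, used so unknown usernames cost the same work as known ones.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: distinct error texts reveal whether a username exists."""
    if username not in USERS:
        return "Unknown username"
    if not hmac.compare_digest(USERS[username], hash_password(password)):
        return "Wrong password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic message for both failure causes, and the same hashing work
    whether or not the username exists, so neither the message nor the
    response time distinguishes 'no such user' from 'wrong password'."""
    stored = USERS.get(username, _DUMMY_HASH)
    matches = hmac.compare_digest(stored, hash_password(password))
    if username in USERS and matches:
        return "OK"
    return "Invalid username or password"
```

The same principle applies to registration and password-reset forms: any endpoint that answers differently for existing and non-existing accounts is an enumeration oracle, even when the login form itself has been fixed.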

Page 5: Default Passwords

Available in product manuals and online.

Guessing attacks by combining org name, etc.

Install the product to check for hidden accounts.

Page 6: Account Bruteforce

Trying various username/password combinations.

Switching between horizontal bruteforce (many accounts, few passwords) and vertical bruteforce (one account, many passwords).

Page 7: Account Lockout

The number of incorrect attempts allowed before locking the account.

When accounts can be locked indefinitely, this becomes a Denial of Service.

The application needs to employ captchas plus temporary account lockouts.

Page 8: Case Sensitivity

Accounts may not be case sensitive at all.

This increases the chances of successful bruteforce.

Page 9: Password Reset Abuse

Depending on how it is implemented, it may be used for account hijacking attacks.

Probably vulnerable if it relies on security questions, as they are easy to guess.

Page 10: Hacking Webmail 101

An exercise in how well you know the victim.

Page 11: Authentication Bypass

A-to-C.

SQL injection.

Business logic flaws.

Page 12: A-to-C

Typical in some home routers.

Works like this: go from step a straight to step c, skipping step b (the authentication step).

Page 13: SQL Injection

Typical attacks like ' or 1=1--.

SELECT username,password FROM users WHERE username='' or 1=1--' AND password=''

(The slide omits the FROM clause; the table name users is assumed here. The -- turns the rest of the line, including the password check, into a comment.)
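To make the slide's query concrete, here is an added example (not from the slides) that runs it against an in-memory SQLite table built for the demo. The vulnerable handler pastes the input into the SQL string, so the ' or 1=1-- value from the slide turns the WHERE clause into a tautology and comments out the password check; the parameterized handler binds the same input as a value and it simply fails to match. The table, its contents and the login functions are constructed for this example, and passwords are stored in clear only so the injected query stays readable.

```python
import sqlite3

# The bypass string shown on the slide.
BYPASS_PAYLOAD = "' or 1=1--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo. Passwords are stored in clear
    only to keep the injection visible; a real store holds salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-secret')")
    return conn


def login_vulnerable(username: str, password: str, conn=None) -> bool:
    """Builds the query by string formatting: user input becomes SQL syntax."""
    if conn is None:
        conn = make_db()
    sql = ("SELECT username, password FROM users "
           "WHERE username='%s' AND password='%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(username: str, password: str, conn=None) -> bool:
    """Bound parameters: the driver sends the input as a value, never as SQL,
    so quotes and comment markers inside it have no syntactic effect."""
    if conn is None:
        conn = make_db()
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```

Parameterized queries are the fix for this class of bypass regardless of database; input filtering or quote escaping is not, because it has to anticipate every encoding the database will accept.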

Page 14: Business Logic Flaws

Any logic flaw that can be used to bypass the login.

Cookie: is_authenticated=1
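The slide's Cookie: is_authenticated=1 case is a server trusting state that the client controls. The following added example (not code from the slides) contrasts a handler that reads the flag straight out of the cookie with one that only honours a session token carrying a server-side HMAC. The secret, the token layout (base64 payload, a dot, then the hex MAC) and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret; constructed for the demo, loaded from configuration in practice.
_SECRET = b"constructed-server-secret"


def _cookie_pairs(cookie_header: str) -> dict:
    return dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)


def is_authenticated_naive(cookie_header: str) -> bool:
    """Vulnerable: believes a client-controlled flag, exactly the slide's
    'Cookie: is_authenticated=1' case. Anyone can set the flag themselves."""
    return _cookie_pairs(cookie_header).get("is_authenticated") == "1"


def _sign(payload: str) -> str:
    return hmac.new(_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Creates 'session=<payload>.<mac>' after a successful login; the MAC
    covers the payload, so only the server can mint a valid token."""
    body = json.dumps({"user": username, "is_authenticated": 1}, sort_keys=True)
    payload = base64.urlsafe_b64encode(body.encode()).decode().rstrip("=")
    return f"session={payload}.{_sign(payload)}"


def authenticated_user(cookie_header: str):
    """Returns the username only if the MAC verifies. A token edited by the
    client, or assembled by the client, yields None."""
    token = _cookie_pairs(cookie_header).get("session", "")
    if "." not in token:
        return None
    payload, mac = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    return data["user"] if data.get("is_authenticated") == 1 else None
```

A signed token stops tampering but not replay; production sessions also need an expiry inside the signed payload and server-side revocation on logout.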

Page 15: Man-in-the-middle (MITM)

Works by attacking the network layer.

tcpdump -A -i en1

tcpflow -i en1

Requires ARP poisoning, DNS hijacking or other low-level network attacks.

Page 16: Denial Of Service (DoS)

Works by locking out all accounts.

Most effective if there is no automated account unlock process.
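Slide 7 asks for temporary lockouts and slide 16 explains why: a lock that never expires turns the bruteforce defence into a way to lock out every user. The following added example (not from the slides) is a per-account throttle whose lock expires on its own, with an injectable clock so the expiry can be exercised in a test. The threshold, window and function names are constructed for the demo; captchas, which the slide also calls for, are outside it.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5           # failed attempts tolerated inside the window
LOCKOUT_SECONDS = 15 * 60  # how long a lock lasts; it expires without admin action


class LoginThrottle:
    """Per-account temporary lockout. The clock is injectable so expiry can be
    tested without waiting; production code uses the default time.monotonic."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(list)  # username -> timestamps of recent failures

    def _recent_failures(self, username: str) -> list:
        # Drop failures older than the window; the lock disappears with them.
        cutoff = self._clock() - LOCKOUT_SECONDS
        self._failures[username] = [t for t in self._failures[username] if t > cutoff]
        return self._failures[username]

    def is_locked(self, username: str) -> bool:
        return len(self._recent_failures(username)) >= MAX_FAILURES

    def attempt(self, username: str, credentials_valid: bool) -> str:
        """Returns 'locked', 'denied' or 'ok'. While locked, even the correct
        password is refused: that is the DoS cost of any lockout, and why the
        lock must expire automatically. Attempts made while locked are not
        counted, so an attacker cannot keep extending the lock."""
        if self.is_locked(username):
            return "locked"
        if not credentials_valid:
            self._failures[username].append(self._clock())
            return "denied"
        self._failures.pop(username, None)
        return "ok"


def demo_lockout_expires() -> list:
    """Drives the throttle with a fake clock: five wrong guesses lock 'alice',
    the right password is refused while locked, and access returns after the
    window. Returns the sequence of outcomes."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    outcomes = []
    for _ in range(MAX_FAILURES):
        outcomes.append(throttle.attempt("alice", credentials_valid=False))
    outcomes.append(throttle.attempt("alice", credentials_valid=True))  # still locked
    now[0] += LOCKOUT_SECONDS + 1                                       # window elapses
    outcomes.append(throttle.attempt("alice", credentials_valid=True))  # unlocked again
    return outcomes
```

A per-account counter alone does nothing against horizontal bruteforce, where each account sees only one or two guesses; that needs a second limit keyed on the source (IP address or device) alongside this one.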

Page 17: To Summarize

There are many ways to authenticate.

Some methods are typically weaker than others.

Some applications support more than one way to authenticate.

There are many types of attack like bruteforce, bypass, MITM and DoS.

Page 18: Lab

Let's try some of these attacks for real.