security hole #12 lviv softserve-symphony solutions "lockpicking authentication"
TRANSCRIPT
![Page 1: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/1.jpg)
Authentication Lock-picking
by Nazar Tymoshyk, SoftServe
& Bohdan Serednyskyj, SoftServe
@Symphony-Solutions
![Page 2: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/2.jpg)
This is more of an educational topic than a motivational one.
![Page 3: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/3.jpg)
About me
![Page 4: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/4.jpg)
Feel free to ask me anything :)
![Page 5: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/5.jpg)
Best SoftServe Team – R&D
![Page 6: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/6.jpg)
Security Team
Nazar Tymoshyk: CEH, HP FSTS, CIW WSS, Cisco SS, ZSS, CLE, DCTS, DCATS, NAI, CLP, NLTS, CNA, NCLA, MCTS
Bohdan Serednytskyi: CEH, MSTC Security, ZSS
![Page 7: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/7.jpg)
Certifications
Ph.D in Security
Identity & Security
SoftServe experts are certified in HP Fortify Security Testing solution
![Page 8: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/8.jpg)
QA Engineer vs. Security Analyst
In functional and performance testing, the expected results are documented before the test begins, and the quality assurance team looks at how well the expected results match the actual results.
In security testing, the security analyst team is concerned only with unexpected results: testing for the unknown and looking for weaknesses.
![Page 9: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/9.jpg)
Time for fun. Just relax
![Page 10: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/10.jpg)
Target – Authentication
![Page 11: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/11.jpg)
Key authentication problems
• Authentication Technologies
• Design Flaws in Authentication Mechanisms
• Bad Passwords
• Brute-Forcible Login
• Verbose Failure Messages
• Vulnerable Transmission of Credentials
• Password Change Functionality
• Forgotten Password Functionality
• “Remember Me” Functionality
• User Impersonation Functionality
• Incomplete Validation of Credentials
• Non-unique Usernames
• Predictable Usernames
• Predictable Initial Passwords
• Insecure Distribution of Credentials
• Implementation Flaws in Authentication
• Fail-Open Login Mechanisms
• Defects in Multistage Login Mechanisms
• Insecure Storage of Credentials
![Page 12: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/12.jpg)
Authentication Technologies
• HTML forms-based authentication
• Multifactor mechanisms, such as those combining passwords and physical tokens
• Client SSL certificates and/or smartcards
• HTTP basic and digest authentication
• Windows-integrated authentication using NTLM or Kerberos
• Authentication services
![Page 13: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/13.jpg)
Findings
![Page 14: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/14.jpg)
Brute-Forcible Login
• Login functionality presents an open invitation for an attacker to try to guess usernames and passwords and therefore gain unauthorized access to the application.
• If the application allows an attacker to make repeated login attempts with different passwords until he guesses the correct one, it is highly vulnerable even to an amateur attacker who manually enters some common usernames and passwords into his browser.
Many authentication mechanisms disclose usernames either implicitly or explicitly. In a web mail account, the username is often the e-mail address, which is common knowledge by design.
![Page 15: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/15.jpg)
Password problem
Administrative passwords may in fact be weaker than the password policy allows. They may have been set before the policy was in force, or they may have been set up through a different application or interface.
![Page 16: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/16.jpg)
User enumeration
Severity: Critical (C)/P1
Issue detail:
In current login mechanisms, where an application requires the user to submit several pieces of information, or proceed through several stages, verbose failure messages or other discriminators can enable an attacker to target each stage of the login process in turn, increasing the likelihood that he will gain unauthorized access.
Even if the error messages returned in response to a valid and an invalid username are superficially similar, there may be small differences between them that can be used to enumerate valid usernames.
Even if an application’s responses to login attempts containing valid and invalid usernames are identical in every intrinsic respect, it may still be possible to enumerate usernames based on the time taken for the application to respond to the login request. Applications often perform very different back-end processing on a login request, depending on whether it contains a valid username.
Recommendation: Report “Authentication failure”, not “Invalid username”. Add an additional field for entering an SMS/CVV code.
Verbose error log
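Both leaks described on this slide, the message difference and the timing difference, side by side with the fix, as an added Python example (not code from the talk); the accounts, passwords and the `_DUMMY` record are constructed for the demo, and `leaks_username` is the same valid-vs-invalid comparison the next slide does with Burp Comparer:

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Login failed; Invalid userID or password"   # OWASP wording from the deck


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str) -> tuple:
    salt = os.urandom(16)                  # per-user random salt
    return salt, _hash(password, salt)


# Constructed demo accounts, not data from the presentation.
USERS = {"alice": _record("correct horse"), "bob": _record("battery staple")}
# Dummy record: unknown usernames get the same hashing work as real ones,
# so the response time does not reveal whether the username exists.
_DUMMY = _record("placeholder")


def login_verbose(username: str, password: str) -> str:
    """The pattern the slide warns about: a different message per failure cause,
    and an early return for unknown users, so the timing differs as well."""
    if username not in USERS:
        return "Login failed, invalid user ID"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return f"Login for User {username}: invalid password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One generic failure message, and the same PBKDF2 work for every request."""
    known = username in USERS
    salt, stored = USERS[username] if known else _DUMMY
    match = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if (known and match) else GENERIC_FAILURE


def leaks_username(login, valid_user: str, invalid_user: str) -> bool:
    """Review check: do failed attempts with a valid and an invalid username get
    different responses? Run against the handler directly instead of over HTTP."""
    return login(valid_user, "not-the-password") != login(invalid_user, "not-the-password")
```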
![Page 17: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/17.jpg)
Recommended error messages by OWASP
Incorrect Response Examples
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Correct Response Example
"Login failed; Invalid userID or password"
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
![Page 18: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/18.jpg)
Verbose Failure Messages
Identifying subtle differences in application responses using Burp Comparer
![Page 19: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/19.jpg)
Username enumeration demo
![Page 20: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/20.jpg)
Same JSESSIONID and Cookie for different sessions
mobiledemo demomob
![Page 21: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/21.jpg)
Password brute force Demo
![Page 22: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/22.jpg)
Password guessing attack
Password limit: 10 alphanumeric symbols
Window limit: 13 alphanumeric symbols
Required: 4 alphanumeric symbols
1,727,604 combinations
Brute force: up to 5 minutes
No brute-force prevention. The positions of the 4 requested characters of a simple alphanumeric password remain the same after a wrong password is submitted!
Recommendation: Change the password input approach, or have the server send new positions to the device when a wrong part of the password is submitted. Require more than 4 symbols. Use two-factor authentication as Google does (an SMS with a temporary access code to the account owner).
![Page 23: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/23.jpg)
WEAK PASSWORDS
Severity: Critical (C)/P1
Business impact: Critical (C)/P1
![Page 24: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/24.jpg)
Developer team face palm
Login: ***dev, pass: ***123
![Page 25: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/25.jpg)
Cookie testing
![Page 26: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/26.jpg)
Why so simple?
![Page 27: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/27.jpg)
Weak password reset
The password reset implemented here is weak, as its security questions ask for information that a third party can easily obtain.
![Page 28: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/28.jpg)
WEAK CHANGE USER PASSWORD MECHANISM
Severity: Critical (C)/P1
Business impact: Critical
![Page 29: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/29.jpg)
Password change functionality
If the password change form is accessible only by authenticated users and does not contain a username field, it may still be possible to supply an arbitrary username.
The form may store the username in a hidden field, which can easily be modified.
If not, try supplying an additional parameter containing the username, using the same parameter name as is used in the main login form.
This trick sometimes succeeds in overriding the username of the current user, enabling you to brute-force the credentials of other users even when this is not possible at the main login.
Tricks
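A password-change handler that closes the hidden-field and extra-parameter tricks above, as an added Python example (not code from the talk): the target account is taken only from the server-side session, the current password is required, and wrong current-password guesses are counted; the accounts, the `session`/`form` dict shapes and `MAX_FAILURES` are assumptions for the demo.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3                        # assumed per-session limit on wrong current passwords
GENERIC_FAILURE = "Password change failed"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _record(password: str) -> list:
    salt = os.urandom(16)
    return [salt, _hash(password, salt)]


# Constructed demo accounts, not data from the presentation.
ACCOUNTS = {"alice": _record("alice-old-pw"), "victim": _record("victim-old-pw")}


def change_password(session: dict, form: dict) -> str:
    """Hardened change-password handler.

    `session` is the server-side session ({"user": ..., "pw_failures": ...});
    `form` is the submitted body. The username comes ONLY from the session: a hidden
    'username' field or an extra 'username' parameter in `form` is never read, so it
    cannot retarget another account or brute-force another user's current password."""
    user = session.get("user")
    if user not in ACCOUNTS:
        return GENERIC_FAILURE
    if session.get("pw_failures", 0) >= MAX_FAILURES:
        return GENERIC_FAILURE              # too many wrong current-password guesses
    salt, stored = ACCOUNTS[user]
    if not hmac.compare_digest(_hash(form.get("current", ""), salt), stored):
        session["pw_failures"] = session.get("pw_failures", 0) + 1
        return GENERIC_FAILURE
    new = form.get("new", "")
    if len(new) < 8 or new != form.get("confirm"):
        return GENERIC_FAILURE
    ACCOUNTS[user] = _record(new)           # fresh salt and hash, for this user only
    session["pw_failures"] = 0
    return "OK"


def password_valid(username: str, password: str) -> bool:
    """Verification helper for checking the stored record after a change."""
    salt, stored = ACCOUNTS[username]
    return hmac.compare_digest(_hash(password, salt), stored)
```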
![Page 30: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/30.jpg)
Weak password reset – clear text
![Page 31: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/31.jpg)
Insecure Storage of Credentials
It is common to encounter web applications in which user credentials are stored insecurely within the database. This may involve passwords being stored in clear text. But if passwords are being hashed using a standard algorithm such as MD5 or SHA-1, this still allows an attacker to simply look up observed hashes against a pre-computed database of hash values.
Some online databases of common hashing functions are available here:
http://passcracking.com/index.php
http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/script-hash-md5.php
![Page 32: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/32.jpg)
Securing Authentication
• Use Strong Credentials
• Handle Credentials Secretively
• Validate Credentials Properly
• Prevent Information Leakage
• Prevent Brute-Force Attacks
• Prevent Misuse of the Password Change Function
• Prevent Misuse of the Account Recovery Function
![Page 33: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/33.jpg)
Recommended Book
![Page 34: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/34.jpg)
OWASP WebGoat, DVWA -Train yourself in Security
![Page 35: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/35.jpg)
Hope you like it!
![Page 36: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/36.jpg)
![Page 38: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/38.jpg)
Now attention
![Page 39: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/39.jpg)
More complex authentication
In more complex login mechanisms, where an application requires the user to submit several pieces of information, or proceed through several stages, verbose failure messages or other discriminators can enable an attacker to target each stage of the login process in turn, increasing the likelihood that he will gain unauthorized access.
![Page 40: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/40.jpg)
Step 1
![Page 41: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/41.jpg)
Step 2
![Page 42: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/42.jpg)
DEMO
![Page 43: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/43.jpg)
Shodan – camera scanner
Try this too:
http://178.165.59.13/
![Page 44: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/44.jpg)
THIS IS More COOL
http://77.52.149.88:8080/
![Page 46: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/46.jpg)
Consequences
• Stolen Developer Cloud access Certificates
• Malware and Spyware on PC and mobile
• Key loggers
• Money Lost – Paypal, webmoney, etc.
• Email – recovery and steal accounts
• SHAME!
![Page 47: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/47.jpg)
Recommendations
• Up-to-date Java and all other software
• Antivirus – Kasper rocks!
• Encrypted keys to infrastructure
• 2-factor authentication everywhere (email first)
• Verify yourself and your browser on …
• Attention
![Page 48: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/48.jpg)
![Page 49: Security Hole #12 Lviv SoftServe-Symphony Solutions "Lockpicking Authentication"](https://reader030.vdocuments.net/reader030/viewer/2022020207/55a31b801a28abe05c8b4844/html5/thumbnails/49.jpg)
Attempt to discover any rules regarding password quality:
1. Review the website for any description of the rules.
2. If self-registration is possible, attempt to register several accounts with different kinds of weak passwords to discover what rules are in place.
3. If you control a single account and password change is possible, attempt to change your password to various weak values.