Date posted: 08-Jun-2015
Uploaded by: owasp-khartoum
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP Khartoum 6th Meeting, 4 Aug 2012
Top 10: A3 Broken Authentication and Session Management
Obay Osman Ahmed, OWASP Khartoum
ToC
• Definition.
• Impact.
• Environments Affected.
• BA-SM in the wild.
• Demo time.
• How to Protect Yourself.
• Wrap Up.
• Q & A.
Definition
Authentication is the process of verifying that an individual or an entity is who it claims to be (by submitting a user name or ID and one or more items of private information that only that user should know).
Session Management is the process by which a server maintains the state of an entity interacting with it (by means of a session identifier).
Impact
May allow some or even all accounts to be attacked.
Once successful, the attacker can do anything the victim could do.
# Privileged accounts are frequently targeted.
Environments Affected
All known web servers, application servers, and web application environments are susceptible to broken authentication and session management issues.
    // BAD - DON'T USE: the default is "authenticated", and any exception
    // in the backend call leaves that default in place (fail-open).
    public boolean login(String username, String password) {
        boolean isAuthenticated = true;
        try {
            // make calls to backend to actually perform login against datastore
            boolean authenticationSuccess = datastore.authenticate(username, password); // backend call assumed
            if (!authenticationSuccess) {
                isAuthenticated = false;
            }
        } catch (Exception e) {
            // handle exc -- the exception is swallowed, so isAuthenticated stays true
        }
        return isAuthenticated;
    }
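The fail-closed counterpart to the slide's snippet, as an added example (not code from the slides or from OWASP): the default is "denied", a thrown exception also denies, passwords are stored only as salted PBKDF2 hashes and compared in constant time. The in-memory user map, the `datastore` stand-in and the method names are assumptions made for the demonstration; the `record` needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Fail-closed login (added example, not from the slides). The in-memory
 * user store and helper names are assumptions for the demonstration.
 */
public class SafeLogin {

    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Stored credential: salt + PBKDF2 hash, never the plaintext password. */
    record StoredCredential(byte[] salt, byte[] hash) {}

    // Constructed sample datastore standing in for the real backend.
    private final Map<String, StoredCredential> users = new HashMap<>();

    public void register(String username, char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        users.put(username, new StoredCredential(salt, derive(password, salt)));
    }

    /**
     * Returns true only when every step succeeds. The default is false, and
     * any exception (backend down, malformed input) also yields false instead
     * of letting the caller through, which is the bug in the slide's version.
     */
    public boolean login(String username, char[] password) {
        boolean isAuthenticated = false;               // fail-closed default
        try {
            StoredCredential stored = users.get(username);
            // Hash against a dummy salt for unknown users so a wrong username
            // costs the same time as a wrong password (no user enumeration).
            byte[] salt = stored != null ? stored.salt() : new byte[16];
            byte[] candidate = derive(password, salt);
            if (stored != null && MessageDigest.isEqual(candidate, stored.hash())) {
                isAuthenticated = true;
            }
        } catch (Exception e) {
            // Log for operators; the caller still gets a plain "denied".
            System.err.println("login error: " + e.getClass().getSimpleName());
        } finally {
            Arrays.fill(password, '\0');               // don't keep the secret around
        }
        return isAuthenticated;
    }

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException("KDF unavailable", e);
        }
    }

    public static void main(String[] args) {
        SafeLogin auth = new SafeLogin();
        auth.register("alice", "correct horse".toCharArray());
        System.out.println(auth.login("alice", "correct horse".toCharArray()));
        System.out.println(auth.login("alice", "wrong".toCharArray()));
        System.out.println(auth.login("nobody", "anything".toCharArray()));
    }
}
```

The three calls in `main` exercise the three outcomes a reviewer should check for: a correct password, a wrong password and an unknown user. Only the first may return true, and a backend exception must land in the same "false" branch as the other two.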
In the wild
- Timeouts.
- Session ID in the URL.
- Credential Storage.
Methodologies: XSS, CSRF (session riding attack), SQL injection, session fixation…
It is Demo Time..
Let us break something…
How to Protect Yourself
Don’t implement it yourself, OR
Define, document and enforce a clear site policy, THEN
Check these critical areas:
“It is foolish to think that you’ll do better on your first try”.
Prevention Cont.
Passwords (Strength, Use, Change Controls, Recovery and Storage).
Protecting Credentials in Transit.
Session ID Protection.
Account Lists.
Browser Caching.
Trust Relationships.
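The "In the wild" list (timeouts, ID in the URL, session fixation) and the "Session ID Protection" item above describe the same set of server-side controls. The following is an added example, not code from the slides, OWASP or ESAPI: a minimal session store that issues 128-bit random IDs carried only in a cookie, rotates the ID when the user authenticates so a fixated pre-login ID never becomes an authenticated one, and enforces both an idle timeout and an absolute lifetime on every lookup. The class and method names, the cookie name and the timeout values are assumptions for the demonstration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Server-side session store (added example). IDs come from a CSPRNG, travel
 * only in a cookie, are rotated on login, and expire on idle or absolute age.
 */
public class SessionStore {

    /** Per-session state; userId stays null until login succeeds. */
    static final class Session {
        final Instant created;
        Instant lastSeen;
        String userId;
        Session(Instant now) { this.created = now; this.lastSeen = now; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final Duration idleTimeout;
    private final Duration absoluteTimeout;
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    public SessionStore(Duration idleTimeout, Duration absoluteTimeout) {
        this.idleTimeout = idleTimeout;
        this.absoluteTimeout = absoluteTimeout;
    }

    /** 128 bits of CSPRNG output, URL-safe Base64 without padding. */
    private static String newId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Anonymous (pre-login) session, e.g. for a shopping cart. */
    public String create(Instant now) {
        String id = newId();
        sessions.put(id, new Session(now));
        return id;
    }

    /**
     * Look up a session, dropping it if either timeout has expired. Unknown,
     * expired and malformed IDs all yield empty, so the caller treats them
     * uniformly as "not logged in".
     */
    public Optional<Session> resolve(String id, Instant now) {
        if (id == null) return Optional.empty();
        Session s = sessions.get(id);
        if (s == null) return Optional.empty();
        boolean idle = Duration.between(s.lastSeen, now).compareTo(idleTimeout) > 0;
        boolean tooOld = Duration.between(s.created, now).compareTo(absoluteTimeout) > 0;
        if (idle || tooOld) {
            sessions.remove(id);
            return Optional.empty();
        }
        s.lastSeen = now;
        return Optional.of(s);
    }

    /**
     * Called only after credentials were verified. The pre-login ID is
     * discarded and a fresh one issued, so an ID planted in the browser
     * before login (session fixation) never becomes an authenticated session.
     */
    public String onLoginSuccess(String oldId, String userId, Instant now) {
        sessions.remove(oldId);
        Session s = new Session(now);
        s.userId = userId;
        String fresh = newId();
        sessions.put(fresh, s);
        return fresh;
    }

    public void logout(String id) { sessions.remove(id); }

    /** Set-Cookie value for the ID; the ID is never placed in a URL. */
    public static String cookieHeader(String id) {
        return "SESSIONID=" + id + "; Path=/; Secure; HttpOnly; SameSite=Lax";
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore(Duration.ofMinutes(15), Duration.ofHours(8));
        Instant t0 = Instant.now();
        String anon = store.create(t0);
        String authed = store.onLoginSuccess(anon, "alice", t0);
        System.out.println("old id still valid? " + store.resolve(anon, t0).isPresent());
        System.out.println("new id valid? " + store.resolve(authed, t0).isPresent());
        System.out.println("valid after 16 idle minutes? "
                + store.resolve(authed, t0.plus(Duration.ofMinutes(16))).isPresent());
        System.out.println(cookieHeader(authed));
    }
}
```

Passing the clock in as an `Instant` rather than calling `Instant.now()` inside the store is what makes the timeout behaviour testable; in production the caller supplies the current time on each request. The `Secure` and `HttpOnly` attributes keep the ID off plaintext connections and away from script, which is the "Protecting Credentials in Transit" and "Browser Caching" part of the list above.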
OWASP Recommended
Meet all requirements defined in OWASP’s ASVS areas V2 (Authentication) and V3 (Session Management).
Have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
Summary & Conclusion
OWASP Top 10 2010:
A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Security Misconfiguration (NEW)
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards (NEW)
Ref.
• ASVS requirements areas for Authentication (V2) and Session Management (V3)
• OWASP Authentication Cheat Sheet
• ESAPI Authenticator API
• ESAPI User API
• OWASP Development Guide: Chapter on Authentication
• OWASP Testing Guide: Chapter on Authentication
Q & A