SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 3 (Web & Auth)
3.1 Authentication Methods
(a) In the lectures you learned that authentication can be done based on three factors. Name all three of them and provide an example for each one.
(b) Following a cyber attack, a database containing user credentials was exposed. The database contained the following user names and password hashes. Try to find out as much as possible about each user’s password. What strategies were most helpful?
Name      Password Hash
alice     ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
bob       cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46
charlie   ab73111063742562160baa2d3c74f7e8ccbd369430922d2afa699fd21fdbcd79
dave      4938ae51a2c6df81f5ed9c034ac024c4565a898d50acf268228bc537e53a3ba0
eve       a5c5ad14eb56a776e9c3a83314691bf045d03cbc931f43a6ec447e1dae85ac05
frank     ab73111063742562160baa2d3c74f7e8ccbd369430922d2afa699fd21fdbcd79
Solution: Authentication can happen based on something you know (e.g. passwords), something you have (e.g. tokens) and/or something you are (e.g. biometric features).
Solution: The digests are 64 hex characters and unsalted, i.e. plain SHA-256 of the password. A wordlist of well-known passwords (including common leetspeak variants) recovers three of them with one hash computation per candidate, and identical digests reveal that two users share a password even though it cannot be recovered.
Name      Password
alice     password123
bob       correcthorsebatterystaple (see https://xkcd.com/936/)
charlie   349523451093856451 (probably not recoverable, but the same as frank's)
dave      N(7yf$em*yp (probably not recoverable)
eve       p455w0rd
frank     349523451093856451 (probably not recoverable, but the same as charlie's)
(c) Explain why even if only strong passwords were used, simple hashing without salt would still be a bad idea.
Solution: Even if the passwords are strong enough not to appear in rainbow tables, identical passwords still produce identical hashes and can be identified as the same. That helps an attacker, for example, to correlate which accounts belong to the same user, and a single cracked hash immediately opens every account sharing it. Without a salt, an attacker also has to hash each candidate only once to test it against the whole database.
(d) In which cases of attack would a so-called pepper help to keep passwords secure?
Solution: If attackers gain access to the database containing the salts and hashed passwords, they can run dictionary attacks against it. If, however, a pepper value is used in the application layer (a secret that is never stored in the database, e.g. kept in the application's configuration or an HSM), access to the database alone is no longer sufficient for this kind of attack.
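The following Python script is an added example (not part of the exercise sheet) that works through (b), (c) and (d) on the leaked table above: it runs a dictionary attack against the unsalted SHA-256 digests, detects the shared password by hash equality, and then shows how a per-user salt removes that correlation and how an application-layer pepper (used here as an HMAC key) makes the database dump alone useless. The wordlist and the pepper value are constructed for the example; a production system would additionally replace plain SHA-256 with a slow, memory-hard KDF such as scrypt or Argon2.

```python
import hashlib
import hmac
import os

# Constructed copy of the leaked table from 3.1 (b). The digests are 64 hex characters,
# i.e. unsalted SHA-256, which is what makes the attacks below cheap.
LEAKED_HASHES = {
    "alice":   "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f",
    "bob":     "cbe6beb26479b568e5f15b50217c6c83c0ee051dc4e522b9840d8e291d6aaf46",
    "charlie": "ab73111063742562160baa2d3c74f7e8ccbd369430922d2afa699fd21fdbcd79",
    "dave":    "4938ae51a2c6df81f5ed9c034ac024c4565a898d50acf268228bc537e53a3ba0",
    "eve":     "a5c5ad14eb56a776e9c3a83314691bf045d03cbc931f43a6ec447e1dae85ac05",
    "frank":   "ab73111063742562160baa2d3c74f7e8ccbd369430922d2afa699fd21fdbcd79",
}

# Constructed toy wordlist; a real attack would use a leaked-password list plus mangling rules.
WORDLIST = ["123456", "password", "letmein", "password123", "p455w0rd",
            "correcthorsebatterystaple", "qwerty"]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(hashes: dict, wordlist: list) -> dict:
    """Unsalted hashes: each candidate is hashed ONCE and looked up against every user,
    so the cost does not grow with the number of accounts. Returns user -> password."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in hashes.items() if digest in lookup}


def shared_passwords(hashes: dict) -> list:
    """Point of (c): even uncrackable passwords leak equality, because identical passwords
    give identical unsalted hashes. Returns groups of users sharing a password."""
    users_by_digest = {}
    for user, digest in hashes.items():
        users_by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in users_by_digest.values() if len(users) > 1]


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt stored next to the digest: defeats precomputation and the
    correlation above, but a database dump still allows per-user dictionary attacks."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Point of (d): the pepper is an application-layer secret (config file, KMS, HSM) that is
# never written to the database; it is used here as an HMAC key. Assumed fresh random value.
PEPPER = os.urandom(32)


def peppered_hash(password: str, salt: bytes, pepper: bytes = PEPPER) -> str:
    return hmac.new(pepper, salt + password.encode(), hashlib.sha256).hexdigest()


def verify_with_pepper(password: str, salt: bytes, stored: str, pepper: bytes = PEPPER) -> bool:
    """Without the right pepper no candidate can even be checked, so the dump alone is useless."""
    return hmac.compare_digest(peppered_hash(password, salt, pepper), stored)


if __name__ == "__main__":
    print(dictionary_attack(LEAKED_HASHES, WORDLIST))
    print(shared_passwords(LEAKED_HASHES))
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # Same password, different salts, different digests: the charlie/frank correlation disappears.
    print(salted_hash("349523451093856451", salt_a) != salted_hash("349523451093856451", salt_b))
```

Note that `dictionary_attack` builds the candidate table once and reuses it for all six users; with per-user salts every candidate would have to be rehashed for every user, and with a pepper the attacker cannot build the table at all.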
(e) In the lecture you learned a formula to approximate the entropy of a password based on its alphabet and length. Use this formula to answer the following questions:
I Assuming a constant alphabet, which increase in length is needed in order to increase the entropy by a factor of k?
$$\log_2\bigl(|A|^{L'}\bigr) = k \cdot \log_2\bigl(|A|^{L}\bigr)$$
$$L' \cdot \log_2(|A|) = k \cdot L \cdot \log_2(|A|)$$
$$L' = k \cdot L$$
II Assuming a constant length, which increase of the alphabet is needed in order to increase the entropy by a factor of k?
$$\log_2\bigl(|A'|^{L}\bigr) = k \cdot \log_2\bigl(|A|^{L}\bigr)$$
$$L \cdot \log_2(|A'|) = k \cdot L \cdot \log_2(|A|)$$
$$\log_2(|A'|) = k \cdot \log_2(|A|) = \log_2\bigl(|A|^{k}\bigr)$$
$$|A'| = |A|^{k}$$
3.2 Authentication Protocols
Given the protocol communication diagrams of both the admin and the client, describe the weakness and how to exploit it.
How can the client gain admin rights by listening on the communication channel?
Figure 1: Client communication
Figure 2: Admin communication
Solution: The client can listen on the admin's communications, acquiring his identity A and token T'. Using this, he can bypass the verification and request any file the admin has access to by sending the admin's credentials instead of his own.
You find the following Java code running on a web server. The input parameter id is set using a URL parameter like: www.veryvulnerablewebsite.com/accountInfo?id=1
    public static String getAccountInfo(String id) {
        String query =
            "SELECT firstName, lastName FROM users WHERE id = '" + id + "'";
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery(query);
        // remainder of the method not shown
(a) This code contains a security flaw. Where is it and what is it called?
Solution: The vulnerability is called SQL injection. It sits in the string concatenation that builds query: the id parameter can contain valid SQL code, the content of the variable is not sanitized, and it is interpreted and executed by the st.executeQuery(query) call.
(b) Give an example of an input which allows the user to read more data than intended.
Solution:
• 1' OR '1' = '1 would return every record from the table users.
• 1' AND 1=0 UNION SELECT firstName, password FROM users WHERE '1' = '1 would output the first names and passwords of every user.
For further experiments: https://hub.docker.com/r/vulnerables/web-dvwa
(c) Which practices help to avoid SQL injections?
Solution: The best solution is to use prepared statements. With prepared statements, the query is parsed first and the parameter values are bound afterwards, so the parameter slots are non-executable: they can contain arbitrary content which is never interpreted as SQL by the query engine.
Input sanitation is often mentioned as a method to avoid code injections. However, its security rests entirely on the assumption that the sanitation is complete and covers all language features that would allow injection. Although this can be the case, it actually rarely is.
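The following Python script is an added example (not part of the exercise sheet) that reproduces the Java snippet against an in-memory SQLite database and runs the two payloads from (b) through it, then shows the prepared-statement fix from (c) rejecting the same input. The users table and its rows are constructed for the example; the column names follow the query on the page.

```python
import sqlite3

# Constructed sample database standing in for the web server's users table.
CONN = sqlite3.connect(":memory:", check_same_thread=False)
CONN.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'Alice', 'Adams', 'password123');
    INSERT INTO users VALUES (2, 'Bob', 'Brown', 'correcthorsebatterystaple');
    INSERT INTO users VALUES (3, 'Eve', 'Evans', 'p455w0rd');
""")


def get_account_info_vulnerable(id: str) -> list:
    """Port of the Java snippet: the URL parameter is concatenated into the SQL text,
    so quotes in it terminate the literal and the rest is executed as SQL."""
    query = "SELECT firstName, lastName FROM users WHERE id = '" + id + "'"
    return CONN.execute(query).fetchall()


def get_account_info_safe(id: str) -> list:
    """Prepared statement: the engine parses the fixed query text first and binds the value
    afterwards, so the value can never change the statement's structure."""
    return CONN.execute("SELECT firstName, lastName FROM users WHERE id = ?", (id,)).fetchall()


# The payloads from the solution to (b), exactly as they would arrive in ?id=
DUMP_ALL = "1' OR '1' = '1"
DUMP_PASSWORDS = "1' AND 1=0 UNION SELECT firstName, password FROM users WHERE '1' = '1"

if __name__ == "__main__":
    print(get_account_info_vulnerable("1"))             # the intended single row
    print(get_account_info_vulnerable(DUMP_ALL))        # every row of users
    print(get_account_info_vulnerable(DUMP_PASSWORDS))  # first names paired with passwords
    print(get_account_info_safe(DUMP_ALL))              # no row: the payload is just a string
```

The UNION payload works because the injected SELECT has the same number of columns as the original one; the attacker never needs to see the query text, only to observe that the response changes between the two payloads.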
3.4 Cross-Site Request Forgery
Assume the following pseudo-code is used by a service to handle orders, located at
http://supershop.example/order
    def handler(request):
        session = request.cookies.get("session")
        if not session:
            ...  # error path cut off in the original
        user = get_session_attribute(session, ...)  # second argument cut off in the original
        if not user:
            ...  # error path cut off in the original
        article = request.body["article"]
        quantity = request.body["quantity"]
        address = request.body["address"]
        user.process_order(article, quantity, address)
(a) Why is this code vulnerable?
Solution: While the code checks for a logged-in user, it does not verify that the request was actually initiated by that user. Given the right conditions, an attacker could cause the user's browser to send a request containing attacker-controlled values.
(b) How could an attacker exploit the vulnerability?
Solution: An attacker could include code on a page he controls to send a request to http://supershop.example/order. A minimal HTML example could look like this:
This would automatically execute the request when the attacker site is navigated to.
However, in modern browsers this would not work as expected: cookies default to SameSite=Lax, so the session cookie is not attached to a cross-site POST like this one, but only to top-level navigations such as the user following a link.
(c) How would you mitigate this vulnerability?
Solution: All forms include a hidden input containing a random secret value. This is called a CSRF token. When a request is received, the server ties the token in the request to the user's session state and verifies its validity. There are further measures, and more serious projects should try to adopt several of them, but CSRF tokens do not depend on the user having a modern browser and usually have good library support.
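The following Python script is an added example (not part of the exercise sheet) that puts (b) and (c) side by side: the page's handler as written, a constructed attacker page with an auto-submitting form, the request the shop receives when the victim's browser submits it, and a mitigated handler that checks a session-bound CSRF token. The Request and User classes, the SESSIONS store and the get_session_attribute replacement are stand-ins for the framework objects the pseudo-code assumes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the framework objects used in the page's pseudo-code.
@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    orders: list = field(default_factory=list)

    def process_order(self, article, quantity, address):
        self.orders.append((article, quantity, address))

# Server-side session store: session id -> {"user": User, "csrf": token}. Assumed for the example.
SESSIONS = {}

def login(user: User) -> str:
    """Creates a session and a random CSRF token bound to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id

def order_form(session_id: str) -> str:
    """The shop's own order page embeds the session-bound token as a hidden input."""
    token = SESSIONS[session_id]["csrf"]
    return ('<form method="POST" action="http://supershop.example/order">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="article"><input name="quantity"><input name="address">'
            '<button>Order</button></form>')

def handler_vulnerable(request: Request) -> str:
    """The page's handler: a valid session cookie is all it checks."""
    session = request.cookies.get("session")
    if not session or session not in SESSIONS:
        return "401 not logged in"
    user = SESSIONS[session]["user"]
    user.process_order(request.body["article"], request.body["quantity"], request.body["address"])
    return "200 order placed"

def handler(request: Request) -> str:
    """Mitigated handler: the submitted token must match the one stored in the session."""
    session = request.cookies.get("session")
    if not session or session not in SESSIONS:
        return "401 not logged in"
    user = SESSIONS[session]["user"]
    submitted = request.body.get("csrf_token", "")
    # Constant-time comparison. The attacker's page cannot read the shop's form (same-origin
    # policy), so a forged cross-site request cannot supply the token.
    if not hmac.compare_digest(submitted.encode(), SESSIONS[session]["csrf"].encode()):
        return "403 invalid CSRF token"
    user.process_order(request.body["article"], request.body["quantity"], request.body["address"])
    return "200 order placed"

# Constructed attacker page for (b): an auto-submitting form. If the browser attaches the
# victim's session cookie to this cross-site POST, the shop sees a logged-in request.
ATTACKER_PAGE = """<form id="f" method="POST" action="http://supershop.example/order">
<input type="hidden" name="article" value="graphics card">
<input type="hidden" name="quantity" value="10">
<input type="hidden" name="address" value="attacker drop address">
</form>
<script>document.getElementById("f").submit()</script>"""

def forged_request(victim_session: str) -> Request:
    """What the shop receives when the victim's browser submits ATTACKER_PAGE:
    the victim's cookie, attacker-chosen body, no token."""
    return Request(cookies={"session": victim_session},
                   body={"article": "graphics card", "quantity": "10",
                         "address": "attacker drop address"})

def legitimate_request(session_id: str) -> Request:
    """A submission of order_form(): same cookie, plus the session's token."""
    return Request(cookies={"session": session_id},
                   body={"csrf_token": SESSIONS[session_id]["csrf"],
                         "article": "book", "quantity": "1", "address": "home"})

def demo() -> tuple:
    victim = User("victim")
    session_id = login(victim)
    results = (handler_vulnerable(forged_request(session_id)),  # attacker succeeds
               handler(forged_request(session_id)),             # attacker blocked
               handler(legitimate_request(session_id)))         # real user still works
    return results + (list(victim.orders),)

if __name__ == "__main__":
    print(demo())
```

The token is generated once per session and compared with `hmac.compare_digest`, so a forged request is rejected before any order is processed while the shop's own form keeps working; setting the session cookie with SameSite=Lax or Strict is the complementary browser-side measure the solution alludes to.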