
User Identity and Authentication
COMP6443: Topic 2 (Week 2)

COMP6443 – Week 3 – Injection

A NOTE ON ETHICS / LEGALITY
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system
PLEASE BE SUPER CAREFUL WHENEVER YOU’RE GENERATING NETWORK TRAFFIC

“NOT-A-HOMEWORK”
What tools have you tried?

SWAG: Stickers for those who will name more tools

Burp
Fiddler
Wireshark
Nmap
Nikto
ZAP

“NOT-A-HOMEWORK”
What have you seen?

Requests
Message headers
Files
Page layouts

Small demo – just via Chrome on Google Translate

IDENTITY
What is IDENTITY?

IDENTITY
What is DIGITAL identity?

A digital identity is information on an entity used by computer systems to represent an external agent
ISO/IEC 24760-1 “set of attributes related to an entity”
Various national digital identity systems

IDENTITY ATTACKS
Social
Credential stealing
Compromised/Weak password
MitM

OWASP TOP TEN
https://owasp.org/www-project-top-ten/

OVERVIEW

Authentication → Session Management → Access Control (Authorization)
Authentication: Is the user who they claim to be?
Session Management: Is it still that user?
Access Control (Authorization): Is the user allowed to access this thing?

WEB AUTHENTICATION 2021
Username / Password
Password reset via email
2FA: SMS, Token, Apps (incl. TOTP)
Active vs Passive 2FA
Authentication can be delegated (e.g. SSO, OAuth, JWT)
CAPTCHAs

BAD AUTHENTICATION 101

BAD AUTHENTICATION 101+1

BAD AUTHENTICATION 101

DEFAULT CREDENTIALS
“The ASD’s investigation found that internet-facing services still had their default passwords, admin:admin and guest:guest.”
http://www.zdnet.com/article/secret-f-35-p-8-c-130-data-stolen-in-australian-defence-contractor-hack/

BRUTE FORCE (BEST FORCE)
Attempt logins with common passwords
Try known email + password combinations from previous breaches
1 User, Many Passwords: Brute Force
Many Users, Many Passwords: “Credential Stuffing”
Login rate-limiting and lockouts
CAPTCHA
Lockouts (iPhone)
Proactive Monitoring
User Communication

INFORMATION DISCLOSURE

“Login failed: invalid username.”
“Login failed: invalid username or password.”
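
Putting the brute-force slide and this information-disclosure slide together, here is an added login handler (example code written for this page, not from the course). It returns the second, generic message whether the username or the password was wrong, does the same hashing work for unknown usernames so response time does not reveal which accounts exist, and locks an account after MAX_ATTEMPTS failures within LOCKOUT_SECONDS. The user store, thresholds and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; kept modest for the demo, raise in production


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key). Not a real deployment.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, derive("correct horse battery staple", _ALICE_SALT))}

# Dummy credential so an unknown username costs the same work as a known one
# (otherwise the faster "no such user" path leaks which usernames exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive("not-a-real-password", _DUMMY_SALT)

GENERIC_ERROR = "Login failed: invalid username or password."
LOCKED_ERROR = "Too many failed attempts; try again later."
MAX_ATTEMPTS = 10        # NIST: allow at least 10 attempts before lockout
LOCKOUT_SECONDS = 300

_failures = defaultdict(list)  # username -> timestamps of recent failures


def _is_locked(username: str, now: float) -> bool:
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    return len(recent) >= MAX_ATTEMPTS


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). The message never says which part was wrong."""
    now = time.time() if now is None else now
    if _is_locked(username, now):
        return False, LOCKED_ERROR
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    # Always derive and compare, even for unknown users, to keep timing uniform.
    matches = hmac.compare_digest(derive(password, salt), stored)
    if not (matches and username in USERS):
        _failures[username].append(now)
        return False, GENERIC_ERROR
    _failures[username].clear()
    return True, "ok"
```

Per-account lockout stops "1 user, many passwords"; against credential stuffing ("many users, many passwords") it needs to be paired with per-source rate limiting, CAPTCHA after a few failures, and the monitoring and user communication the slide lists.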

ERROR HANDLING

SWAG: what does this bad error message give us?

asp.net sql-server connection-timeout

TRANSPORT LAYER SECURITY (WHY?)
MitM attack: forces a victim’s browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server

WIFI PINEAPPLE
Pen testing device for man-in-the-middle attacks

PineApple DEMO


PASSWORDS

WHAT IS LOVE HASH?
One-way function

HASHING vs ENCRYPTION
A hash algorithm is based on a one-way function: it is practically impossible to recover the input from the output.
Encryption takes plaintext and a key, and has a corresponding decryption algorithm that reverses it given the key.

SWAG

PASSWORD HASHES

RAINBOW TABLES AND PASSWORD DBS
https://haveibeenpwned.com/Passwords
Passwords obtained from previous data breaches
DEMO

Live DEMO or recorded via link
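
To make the hashing-vs-encryption slide and the rainbow-table slide concrete, an added example (not from the course): a one-time-pad XOR stands in for encryption (reversible, but only with the key), SHA-256 shows a fast unsalted hash that a precomputed table of breached passwords defeats, and salted PBKDF2 shows how password hashes should actually be stored. The COMMON list and the 200,000-iteration work factor are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


# --- Encryption: reversible, given the key (one-time pad XOR, illustrative only) ---
def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse; the key is what makes it reversible


# --- Hashing: one-way, no key, nothing to "decrypt" ---
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed miniature of a breached-password list: precomputed hashes of common
# passwords. With an unsalted fast hash, one table serves every site and every user.
COMMON = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {fast_hash(p): p for p in COMMON}


def lookup_unsalted(digest: str) -> Optional[str]:
    """Why unsalted SHA-256 is not a password hash: recovery is a dictionary lookup."""
    return PRECOMPUTED.get(digest)


ITERATIONS = 200_000  # constructed work factor for the example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A random per-user salt makes precomputed tables useless
    and hides which users share a password; the iteration count makes each guess slow."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The stored string carries its own algorithm, work factor and salt, so the work factor can be raised later without breaking existing records. A memory-hard KDF such as scrypt or Argon2 is the usual production choice; PBKDF2 is used here because it ships with the standard library.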

PASSWORD RESETS
E-Mail
Doesn’t matter if I’ve got the user’s inbox
Is the reset link generated securely?
Can I generate a link securely?
“Security” Questions
Can I get them off a user’s Facebook
Can I google the answer?
How many attempts do I get to answer these questions?
Password security is a people problem
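
The slide asks whether the reset link is generated securely; as an added example (not from the course) this is one way to mint and redeem a reset token so that it cannot be guessed, cannot be reused, expires, and is useless if the database leaks. The 15-minute lifetime and the in-memory store are constructed assumptions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link is good for 15 minutes

# Constructed store: sha256(token) -> (username, expiry). Only the hash is kept, so
# someone who reads the database still cannot build a working reset link.
_pending: Dict[str, Tuple[str, float]] = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: float) -> str:
    """Mint a reset token from the OS CSPRNG: 32 random bytes, nothing derived from
    the user, the time or a counter, so it cannot be predicted or enumerated."""
    token = secrets.token_urlsafe(32)
    _pending[_fingerprint(token)] = (username, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: float) -> Optional[str]:
    """Return the username if the token is known, unexpired and unused; else None.
    The entry is removed on any attempt, so a link works exactly once."""
    entry = _pending.pop(_fingerprint(token), None)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None
    return username
```

The token only ever travels inside the e-mail link; the server stores and looks up its hash, which also means a leaked log line containing the hash is not enough to reset the account.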

2019 NIST PASSWORD GUIDELINES
* 8 character min for human-chosen passwords, otherwise 6 character min
* Support at least 64 characters max length
* Support all ASCII characters (incl. 0x20, space)
* NO truncation of password when processed
* Allow at least 10 password attempts before lockout
* No SMS for 2FA (one-time password from an app)

Check password against known dictionaries
No complexity requirements
No password expiration period
No password hints
No knowledge-based authentication (no security questions)
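
As an added example (not from the course), a password-acceptance check that follows the guideline list above: minimum 8, accept at least 64, accept spaces and Unicode, reject rather than truncate, screen against a breach list, and impose no composition rules. The BREACHED set is a constructed stand-in for a real breached-password corpus such as the Pwned Passwords list.

```python
import unicodedata
from typing import List

MIN_LENGTH = 8    # human-chosen secrets (6 would apply to randomly generated ones)
MAX_LENGTH = 64   # must accept at least 64; reject longer rather than silently truncate

# Constructed stand-in for a breached-password corpus such as HIBP's Pwned Passwords.
BREACHED = {"123456", "password", "qwerty", "letmein", "password1"}


def normalize(password: str) -> str:
    # NFKC so the same password typed on different clients compares equal; no truncation.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.
    Deliberately absent: composition rules (upper/lower/digit/symbol), which NIST drops."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    # Printable ASCII including space (0x20) and all Unicode letters are fine;
    # only control characters are refused.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("control characters not allowed")
    if pw in BREACHED:
        reasons.append("found in breach list")
    return reasons
```

In production the breach check is done against hashes (the Pwned Passwords API uses a k-anonymity prefix lookup) rather than an in-memory set, but the acceptance rules are the same.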

A few more examples

Shout out: 0xed1337

A few more examples

Shoutout: T-GOX Channel

How to do good authentication?
Good password policy
Rate limiting
Not allowing default usernames/passwords
Not using weak hashing algorithms
Multi-factor authentication
Application registration / forgot-password logic

READING MATERIAL (REFERENCE)

Authentication: what, why and how
https://github.com/alex996/presentations/blob/master/auth.md

Shopify Authentication Bypass

Google CTF

WEEK 2-3 ASSESSMENT

If you’re unsure, ask.
Please call out if you get stuck.
Support one another, your tutors are here to help!

questions? email / openlearning
THANKS FOR LISTENING TO US RANT!