User Identity and Authentication
COMP6443: Topic 2 (Week 2)
COMP6443 – Week 3 – Injection
A NOTE ON ETHICS / LEGALITY
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system
PLEASE BE SUPER CAREFUL WHENEVER YOU’RE GENERATING NETWORK TRAFFIC
“NOT-A-HOMEWORK”
What tools have you tried?
SWAG: Stickers for those who will name more tools
Burp
Fiddler
Wireshark
nMap
Nikto
ZAP
“NOT-A-HOMEWORK”
What have you seen?
Requests
Message headers
Files
Page layouts
Small demo – just via chrome for Google translate
IDENTITY
What is IDENTITY?
IDENTITY
What is DIGITAL identity?
A digital identity is information on an entity used by computer systems to represent an external agent
ISO/IEC 24760-1: “set of attributes related to an entity”
Various national digital identity systems
IDENTITY ATTACKS
Social
Credential stealing
Compromised/Weak password
MitM
OWASP TOP TEN
https://owasp.org/www-project-top-ten/
OVERVIEW
Authentication → Session Management → Access Control (Authorization)
Authentication: Is the user who they claim to be? If not
Session Management: Is it still that user?
Access Control: Is the user allowed to access this thing?
WEB AUTHENTICATION 2021
Username / Password
Password reset via email
2FA: SMS, Token, Apps (incl TOTP)
Active vs Passive 2FA
Authentication can be delegated (e.g. SSO, OAuth, JWT)
CAPTCHAs
BAD AUTHENTICATION 101
BAD AUTHENTICATION 101+1
DEFAULT CREDENTIALS
“The ASD’s investigation found that internet-facing services still had their default passwords, admin:admin and guest:guest.”
http://www.zdnet.com/article/secret-f-35-p-8-c-130-data-stolen-in-australian-defence-contractor-hack/
BRUTE FORCE (BEST FORCE)
Attempt logins with common passwords
Try known email + password combinations from previous breaches
1 User, Many Passwords: Brute Force
Many Users, Many Passwords: “Credential Stuffing”
Login rate-limiting and lockouts
CAPTCHA
Lockouts (iPhone)
Proactive Monitoring
User Communication
INFORMATION DISCLOSURE
“Login failed: invalid username.”
“Login failed: invalid username or password.”
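An added example (my own, not code from the course) that puts the brute-force mitigations and the generic error message from the slides above into one login routine: salted scrypt password hashing, a lockout after MAX_ATTEMPTS failures, and the same "invalid username or password" response whether the username is unknown, the password is wrong or the account is locked. The in-memory stores, the 10-attempt threshold and the 15-minute lockout are assumed demo values.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Hypothetical in-memory stores for the demo (not the course's own code).
_USERS = {}        # username -> (salt, scrypt hash)
_FAILURES = {}     # username -> (failed attempts, locked-out-until epoch seconds)
MAX_ATTEMPTS = 10  # same threshold the NIST slide later in the deck quotes
LOCKOUT_SECONDS = 15 * 60
# One message for every failure, so a wrong username is indistinguishable
# from a wrong password or a locked account.
GENERIC_ERROR = "Login failed: invalid username or password."

def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt: a salted, memory-hard one-way function; a leaked hash cannot be
    # reversed, only guessed against, and each guess is deliberately expensive.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))

def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    now = time.time() if now is None else now
    count, locked_until = _FAILURES.get(username, (0, 0.0))
    if now < locked_until:
        return False, GENERIC_ERROR          # locked out: do not even check
    if locked_until:
        count = 0                            # a previous lockout has expired
    record = _USERS.get(username)
    if record is None:
        # Unknown user: burn the same scrypt cost so response time does not
        # reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        ok = False
    else:
        salt, stored = record
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok:
        _FAILURES.pop(username, None)
        return True, "OK"
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
    _FAILURES[username] = (count, locked_until)
    return False, GENERIC_ERROR
```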
ERROR HANDLING
SWAG: what does this bad error message give us?
ERROR HANDLING
asp.net sql-server connection-timeout
TRANSPORT LAYER SECURITY (WHY?)
MitM attack: forces the victim’s browser into communicating with the adversary in plain text over HTTP, while the adversary proxies the (modified) content from the real HTTPS server
WIFI PINEAPPLE
Pen testing device for man-in-the-middle attacks
PineApple DEMO
PASSWORDS
WHAT IS LOVE HASH?
One way function
HASHING vs ENCRYPTION
SWAG
HASHING vs ENCRYPTION
A hash algorithm is based on a one-way function: it is practically impossible to recover the input from the result.
Encryption takes plaintext and a key, and is meant to have a matching decryption algorithm.
SWAG
PASSWORD HASHES
RAINBOW TABLES AND PASSWORD DBS
https://haveibeenpwned.com/Passwords
Passwords obtained from previous data breaches
DEMO
Live DEMO or recorded via link
PASSWORD RESETS
E-Mail
Nothing else matters if I’ve got the user’s inbox
Is the reset link generated securely?
Can I generate a link securely?
“Security” Questions
Can I get them off a user’s Facebook?
Can I google the answer?
How many attempts do I get to answer these questions?
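An added example (my own, not from the course) answering the “is the reset link generated securely?” question above: the token comes from the OS CSPRNG, only its hash is stored server-side, and it expires and is single-use, so a link that later turns up in an inbox is worthless. The store, base URL and 15-minute lifetime are assumed demo values.

```python
import hashlib
import secrets
import time
from typing import Optional

# Hypothetical store for the demo (not the course's own code):
# sha256(token) -> [username, expiry epoch seconds, already_used]
_RESET_TOKENS = {}
RESET_TTL_SECONDS = 15 * 60

def issue_reset_link(username: str, base_url: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: unpredictable, unlike a timestamp, a user id
    # or a hash of the e-mail address, which anyone could regenerate.
    token = secrets.token_urlsafe(32)
    # Keep only a hash server-side, so a database leak does not yield live links.
    key = hashlib.sha256(token.encode()).hexdigest()
    _RESET_TOKENS[key] = [username, now + RESET_TTL_SECONDS, False]
    return f"{base_url}/reset?token={token}"

def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account the token unlocks, or None if unknown, expired or used."""
    now = time.time() if now is None else now
    # Lookup is by hash, so the secret itself is never compared byte-by-byte.
    record = _RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None:
        return None
    username, expires, used = record
    if used or now > expires:
        return None
    record[2] = True      # single use: replaying the same link must fail
    return username
```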
Password security is a people problem
2019 NIST PASSWORD GUIDELINES
8-character minimum for human-chosen passwords, otherwise 6-character minimum
* Support a maximum length of at least 64 characters
* Support all ASCII characters (incl. space, 0x20)
* NO truncation of the password when it is processed
* Allow at least 10 password attempts before lockout
* No SMS for 2FA (use a one-time password from an app)
Check passwords against known dictionaries
No complexity requirements
No password expiration period
No password hints
No knowledge-based authentication (no security questions)
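An added example (my own, not from the course or NIST) that turns the checkable items of the list above into a verifier: length floors for human-chosen and generated secrets, a ceiling of at least 64, every printable ASCII character including space accepted, no truncation, a breach-dictionary check, and deliberately no complexity rule. The tiny BREACHED set is a constructed stand-in for a real breached-password list, and the case-insensitive dictionary match is my choice.

```python
import unicodedata
from typing import List

# Constructed stand-in for a breached-password list such as the HIBP download.
BREACHED = {"password", "123456", "qwerty", "letmein", "admin"}
MIN_LEN_HUMAN = 8       # user-chosen secrets
MIN_LEN_RANDOM = 6      # secrets generated by the service
MAX_LEN = 128           # any ceiling is allowed as long as it is at least 64

def check_password(password: str, human_chosen: bool = True) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.
    Deliberately has no complexity rule: length and a dictionary check only."""
    problems = []
    # Normalise to NFKC so the same visible string compares equal, but never
    # truncate or strip: the whole string, spaces included, is the secret.
    pw = unicodedata.normalize("NFKC", password)
    min_len = MIN_LEN_HUMAN if human_chosen else MIN_LEN_RANDOM
    if len(pw) < min_len:
        problems.append(f"fewer than {min_len} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"more than {MAX_LEN} characters")
    # Every printable ASCII character including space (0x20) is allowed;
    # only control characters are rejected.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in pw):
        problems.append("contains control characters")
    # Dictionary check against known-breached passwords (case-insensitive).
    if pw.lower() in BREACHED:
        problems.append("appears in a breach dictionary")
    return problems
```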
A few more examples
Shout out: 0xed1337
A few more examples
Shoutout: T-GOX Channel
HOW TO DO GOOD AUTHENTICATION?
Good password policy
Rate limiting
Not allowing default usernames/passwords
Not using weak hashing algorithms
Multi Factor Authentication
Careful registration and forgot-password logic
READING MATERIAL (REFERENCE)
Authentication: what, why and how!!
https://github.com/alex996/presentations/blob/master/auth.md
Shopify Authentication Bypass
Google CTF
WEEK 2-3 ASSESSMENT
If you’re unsure, ask.
Please call out if you get stuck.
Support one another, your tutors are here to help!
Questions? Email / OpenLearning
THANKS FOR LISTENING TO US RANT!