
A3: Broken Authentication and Session Management


candra


Presentation Transcript


  1. Introduction to the OWASP Top 10 A3: Broken Authentication and Session Management

  2. HTTP is stateless… • Every request arrives on its own, so the server must be told who the user is each time: either the credentials are resent, or a session identifier (usually a cookie) stands in for them • Whatever is resent can be captured by an attacker who sees the request • URLs, form fields, and cookies each offer a different level of (in)security as carriers for that data

  3. Encryption • First line of defense • Encoding ≠ Encryption! • Base64 is not secure: HTTP Basic authentication is only Base64, and anyone who sees the header can decode the password • Use SSL (today: TLS) to provide transport-layer encryption for the whole logged-on session, not just the login page • And remember… • Session IDs or credentials placed in URLs leak through the Referer header, browser history, proxy and server logs • Any resource fetched without SSL/TLS exposes whatever credentials or cookies travel with that request
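An added example (not part of the original slides) of what slides 2 and 3 warn about. It plays the role of a passive sniffer on a shared network: it reads a few constructed plaintext HTTP requests, pulls out whatever stands in for the user (a session cookie, a Base64 Basic-auth header, a session ID carried in a Referer URL), decodes the Base64, and builds the request an attacker would replay to ride the session. Host names, cookie names and values are made up; the list of session-cookie names is an assumption, not a standard.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Cookie / parameter names that commonly carry a session identifier (assumed list).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "session", "sid", "asp.net_sessionid"}

# Constructed sample: three plaintext HTTP requests as seen on the wire (not a real capture).
CAPTURED_REQUESTS = [
    "GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: theme=dark; SESSIONID=9f3c2a7e1b\r\n\r\n",
    "GET /api/me HTTP/1.1\r\nHost: api.example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n"
    "Referer: http://shop.example.test/cart?PHPSESSID=c0ffee1234&item=7\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers-dict with lowercase names)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_params(url):
    """Return query parameters of a URL whose name looks like a session identifier."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in SESSION_NAMES}


def extract_secrets(raw):
    """Everything in one request that lets a bystander impersonate the user."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "?")
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: decoding needs no key at all.
        creds = base64.b64decode(auth[6:]).decode()
        findings.append({"host": host, "channel": "basic-auth", "name": "credentials", "value": creds})
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() in SESSION_NAMES:
            findings.append({"host": host, "channel": "cookie", "name": name, "value": value})
    # Session IDs in URLs leak twice: in the request line and in the Referer sent to third parties.
    absolute_target = target if target.startswith("http") else f"http://{host}{target}"
    for src in (absolute_target, headers.get("referer", "")):
        if not src:
            continue
        origin = urlsplit(src).hostname or host
        for name, value in session_params(src).items():
            findings.append({"host": origin, "channel": "url", "name": name, "value": value})
    return findings


def harvest(requests=CAPTURED_REQUESTS):
    return [f for raw in requests for f in extract_secrets(raw)]


def sidejack_request(finding, path="/inbox"):
    """Build the request an attacker replays: the stolen identifier is all the server checks."""
    lines = [None, f"Host: {finding['host']}"]
    if finding["channel"] == "cookie":
        lines.append(f"Cookie: {finding['name']}={finding['value']}")
    elif finding["channel"] == "basic-auth":
        token = base64.b64encode(finding["value"].encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    else:  # session ID travels in the URL itself
        path = f"{path}?{finding['name']}={finding['value']}"
    lines[0] = f"GET {path} HTTP/1.1"
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for f in harvest():
        print(f"{f['host']:20} {f['channel']:10} {f['name']}={f['value']}")
        print(sidejack_request(f))
```

Nothing here breaks any cryptography: all three requests were sent in the clear, so the only thing separating the attacker from the user is whether the identifier was visible on the wire. That is why slide 3 insists on TLS for the whole session and on keeping session IDs out of URLs.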

  4. Example • Anyone heard of Firesheep??? • Firefox extension (2010) that captured session cookies of popular sites on open Wi-Fi and let you log in as the victim with one click; it did not need the password at all • The technique is known as SideJacking • Reuse of a captured session identifier (the cookie) to gain access to the victim's information or services • Takes advantage of sites that send the session cookie, or any page of the logged-on session, over plain HTTP • XSS attacks can also be used to steal session cookies that are readable from script

  5. SideJacking Scorecard

  6. Protection • Universally deploy SSL/TLS, for every page of the session, not only the login • Any resource the page loads over plain HTTP exposes the session cookie, because the browser attaches the cookie to that request too unless the cookie carries the Secure flag • Mark session cookies Secure and HttpOnly, and send Strict-Transport-Security so browsers stop making plain-HTTP requests to the site at all • Use an architecture that's simple, centralized, and standardized… • CAS (Central Authentication Service), a single sign-on service so that each application does not implement its own login
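An added example (not from the original slides, and not the Digital Society scorecard's own method) of grading a site the way slides 5 and 6 suggest: it inspects a constructed HTTPS response for the things that let sidejacking happen even when the page itself is encrypted (a session cookie without Secure or HttpOnly, sub-resources fetched over http://, no HSTS header), and shows the hardened Set-Cookie line that passes. The two sample responses, their host names and cookie values are made up; the session-cookie name list is an assumption.

```python
import re

# Cookie names that commonly carry a session identifier (assumed list).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "session", "sid", "asp.net_sessionid"}

# Constructed responses (not real sites): one typical of a site that scored badly, one hardened.
WEAK_RESPONSE = {
    "url": "https://shop.example.test/cart",
    "headers": {"Set-Cookie": ["PHPSESSID=c0ffee1234; Path=/"]},
    "body": '<html><img src="http://static.example.test/logo.png">'
            '<script src="//cdn.example.test/app.js"></script></html>',
}
HARDENED_RESPONSE = {
    "url": "https://mail.example.test/inbox",
    "headers": {
        "Set-Cookie": ["SESSIONID=9f3c2a7e1b; Path=/; Secure; HttpOnly; SameSite=Lax"],
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "body": '<html><img src="https://static.example.test/logo.png"></html>',
}


def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    return name, attrs


def insecure_subresources(body):
    """Absolute http:// URLs in src/href attributes. Protocol-relative '//host' URLs
    resolve to https on an https page, so they are not reported."""
    return re.findall(r'(?:src|href)=["\'](http://[^"\']+)', body, re.IGNORECASE)


def audit(response):
    """List the ways this response lets a session be sidejacked or stolen."""
    issues = []
    headers = response.get("headers", {})
    if response["url"].startswith("http://"):
        issues.append("page served over plain http://: session data visible on the wire")
    for raw in headers.get("Set-Cookie", []):
        name, attrs = cookie_attrs(raw)
        if "secure" not in attrs:
            issues.append(f"cookie {name} lacks Secure: the browser also sends it over http://")
        if name.lower() in SESSION_NAMES and "httponly" not in attrs:
            issues.append(f"session cookie {name} lacks HttpOnly: script (XSS) can read it")
    for src in insecure_subresources(response.get("body", "")):
        issues.append(f"mixed content {src}: non-Secure cookies scoped to that host go in the clear")
    if "Strict-Transport-Security" not in headers:
        issues.append("no Strict-Transport-Security header: the first request may still go over http://")
    return issues


def session_cookie_header(name, value, max_age=1800):
    """The Set-Cookie line a hardened site should emit for its session cookie.
    Secure: only over TLS. HttpOnly: invisible to document.cookie. SameSite: limits cross-site sends."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, resp["url"])
        for issue in audit(resp) or ["no issues"]:
            print("  -", issue)
    print(session_cookie_header("SESSIONID", "9f3c2a7e1b"))
```

The Secure flag is the detail most often missed: a site can be "all HTTPS" and still leak the session the moment one image or script is requested over http://, because the browser attaches every cookie for that host to that request. HSTS closes the remaining gap, the very first plain-HTTP request before any redirect.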

  7. Introduction to the OWASP Top 10 A4: Insecure Direct Object References

  8. Insecure Direct Object Reference • A user can reach a file, record or function directly by its identifier (file name, database key, account number) without being authorized for it • A failure of authorization control: the application trusts the identifier the client sent

  9. Common Mistake • Simply excluding unauthorized functions or records from menus and options, and assuming nobody will ask for them • Malicious users can easily tamper with requests to the server, e.g. change ?id=102 to ?id=101 • URL parameters, form data, cookies are all under the client's control

  10. Prevention • Validate every direct object reference on the server, for the current user, on every request • Check the type of access being requested, not just that the object exists • Read, Write, Delete • Provide indirect references: per-user or per-session random tokens that the server maps back to the real identifier, so a guessed ID is meaningless • OWASP Enterprise Security API (ESAPI) provides an access reference map to do this
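An added example (not part of the original slides, and not ESAPI's own code) that puts slides 8 to 10 side by side: the vulnerable direct lookup that any user can drive with a guessed ID, the server-side check of owner and access type (read, write, delete), and a per-session indirect reference map in the spirit of ESAPI's AccessReferenceMap, so that only tokens the server handed out for this session resolve at all. The invoice store, user names and roles are constructed test data.

```python
import secrets

# Constructed data store (not a real application): invoices owned by users.
INVOICES = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}


class Forbidden(Exception):
    """Raised for unauthorized or unknown references; the caller sees the same error for both."""


# --- Vulnerable: the "common mistake" of slide 9. The menu only lists the user's own invoices,
# --- but the handler trusts whatever id arrives in the request.
def get_invoice_direct(user, invoice_id):
    return INVOICES[invoice_id]  # bob changes ?id=102 to ?id=101 and reads alice's invoice


# --- Fix, part 1: authorize every reference on the server, per type of access.
def authorize(user, invoice_id, action):
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise Forbidden()  # do not tell the client whether the id exists
    if ROLES.get(user) == "admin":
        return inv
    if inv["owner"] != user:
        raise Forbidden()
    if action == "delete":
        raise Forbidden()  # customers may read and write their own invoices, never delete
    return inv


# --- Fix, part 2: indirect references. The client only ever sees random per-session tokens.
class ReferenceMap:
    """One map per logged-on session, modelled on the AccessReferenceMap idea (assumption)."""

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def indirect(self, direct):
        """Token for a real id; created on first use, stable for the session."""
        if direct not in self._to_indirect:
            token = secrets.token_urlsafe(12)
            self._to_indirect[direct] = token
            self._to_direct[token] = direct
        return self._to_indirect[direct]

    def direct(self, token):
        """Real id for a token; anything the server never issued is rejected."""
        try:
            return self._to_direct[token]
        except KeyError:
            raise Forbidden() from None


def list_invoices(user, refmap):
    """What the page renders: only invoices the user may see, keyed by indirect token."""
    return {
        refmap.indirect(i): inv["total"]
        for i, inv in INVOICES.items()
        if inv["owner"] == user or ROLES.get(user) == "admin"
    }


def get_invoice(user, refmap, token, action="read"):
    """Request handler: resolve the token, then still authorize the real id and the action."""
    return authorize(user, refmap.direct(token), action)


def denied(fn, *args):
    """True if the call is refused with Forbidden (helper for demonstrations and tests)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("direct:", get_invoice_direct("bob", 101))  # the IDOR
    bob = ReferenceMap()
    page = list_invoices("bob", bob)
    print("bob's page:", page)
    token = next(iter(page))
    print("indirect:", get_invoice("bob", bob, token))
    print("guessed id denied:", denied(get_invoice, "bob", bob, "101"))
    print("delete denied:", denied(get_invoice, "bob", bob, token, "delete"))
```

Both halves matter: the indirect map stops guessing, but a token could still be copied from another session or log, so the resolved id is authorized again for the user and the action. The unknown-token and not-owner cases raise the same error so the response does not reveal which ids exist.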

  11. References • OWASP Broken Authentication Wiki Page: http://www.owasp.org/index.php/Top_10_2010-A3 • SideJacking Scorecard: https://www.digitalsociety.org/2010/11/online-services-security-report-card • Implementing CAS: http://www4.nau.edu/its/sia/ • OWASP Direct Object Reference Wiki Page: http://www.owasp.org/index.php/Top_10_2010-A4 • OWASP ESAPI: http://www.owasp.org/index.php/ESAPI
