WEBVTT

00:00:00.000 --> 00:00:07.130 align:middle line:90%


00:00:07.130 --> 00:00:10.080 align:middle line:84%
Welcome to the Broken
Authentication session.

00:00:10.080 --> 00:00:13.930 align:middle line:84%
In this first part, we will
focus on threat analysis.

00:00:13.930 --> 00:00:16.510 align:middle line:84%
We will take our time to dig
into authentication flaws

00:00:16.510 --> 00:00:17.710 align:middle line:90%
details.

00:00:17.710 --> 00:00:21.190 align:middle line:84%
Then we will discuss how
the system can be harmed,

00:00:21.190 --> 00:00:23.770 align:middle line:84%
the impact of
successful exploitation,

00:00:23.770 --> 00:00:25.840 align:middle line:84%
and give you some
insights to identify who

00:00:25.840 --> 00:00:28.370 align:middle line:90%
may want to harm your system.

00:00:28.370 --> 00:00:31.810 align:middle line:84%
Let's put it simply: in
the web application context,

00:00:31.810 --> 00:00:36.020 align:middle line:84%
authentication is the act of
providing user's identity.

00:00:36.020 --> 00:00:39.690 align:middle line:84%
Authentication and authorization
are two different things.

00:00:39.690 --> 00:00:42.710 align:middle line:84%
The former is used
to prove identity,

00:00:42.710 --> 00:00:45.590 align:middle line:90%
and the latter, access rights.

00:00:45.590 --> 00:00:48.260 align:middle line:84%
Authentication in web
application context

00:00:48.260 --> 00:00:50.630 align:middle line:90%
is far beyond the login form.

00:00:50.630 --> 00:00:53.780 align:middle line:84%
The signup, recover
password, and the process

00:00:53.780 --> 00:00:56.840 align:middle line:84%
by which the server maintains
the state of the entity

00:00:56.840 --> 00:00:59.960 align:middle line:84%
interacting with it
for session management

00:00:59.960 --> 00:01:02.780 align:middle line:84%
are also authentication
mechanisms.

00:01:02.780 --> 00:01:05.660 align:middle line:84%
To identify the party
interacting with the system,

00:01:05.660 --> 00:01:08.960 align:middle line:84%
such party has to provide
authentication factors.

00:01:08.960 --> 00:01:10.730 align:middle line:84%
Authentication
factors can be grouped

00:01:10.730 --> 00:01:12.920 align:middle line:90%
in these three main classes.

00:01:12.920 --> 00:01:15.110 align:middle line:84%
Security research
has determined that,

00:01:15.110 --> 00:01:18.890 align:middle line:84%
for a positive authentication,
elements from at least two,

00:01:18.890 --> 00:01:23.060 align:middle line:84%
and preferably all three,
classes should be verified.

00:01:23.060 --> 00:01:26.360 align:middle line:84%
Traditional web application
forms use the weakest--

00:01:26.360 --> 00:01:28.700 align:middle line:84%
single factor
authentication, just

00:01:28.700 --> 00:01:32.090 align:middle line:84%
requiring a knowledge
factor, the password.

00:01:32.090 --> 00:01:34.580 align:middle line:84%
When passwords leak,
then this knowledge

00:01:34.580 --> 00:01:38.260 align:middle line:84%
becomes shared knowledge,
and it is no more a secret.

00:01:38.260 --> 00:01:40.630 align:middle line:84%
When you're logging
in, you're saying,

00:01:40.630 --> 00:01:44.200 align:middle line:84%
"I'm john.doe@somehost.com,
and to prove that to you,

00:01:44.200 --> 00:01:47.240 align:middle line:84%
take my password and check
it against your records".

00:01:47.240 --> 00:01:49.460 align:middle line:84%
The server takes your
email and password

00:01:49.460 --> 00:01:52.680 align:middle line:84%
and looks up the database
for matching records.

00:01:52.680 --> 00:01:54.750 align:middle line:84%
This is no different
when someone else

00:01:54.750 --> 00:01:57.270 align:middle line:84%
takes your email and password
and performs the login

00:01:57.270 --> 00:01:58.890 align:middle line:90%
on your behalf.

00:01:58.890 --> 00:02:01.870 align:middle line:84%
Yes, it does, and in our
exploitation session,

00:02:01.870 --> 00:02:04.230 align:middle line:84%
we will chain several
authentication flaws together

00:02:04.230 --> 00:02:05.880 align:middle line:90%
to get admin access.

00:02:05.880 --> 00:02:08.490 align:middle line:84%
Let's first discuss
attack vectors, impact,

00:02:08.490 --> 00:02:10.860 align:middle line:90%
and threat agents.

00:02:10.860 --> 00:02:14.040 align:middle line:84%
A simple search for username
password combination lists

00:02:14.040 --> 00:02:16.530 align:middle line:84%
will return millions
of records as a result

00:02:16.530 --> 00:02:18.330 align:middle line:90%
of authentication data leaks.

00:02:18.330 --> 00:02:20.220 align:middle line:84%
Feeding this list
into a software tool

00:02:20.220 --> 00:02:23.600 align:middle line:84%
will be enough to compromise
several web applications.

00:02:23.600 --> 00:02:26.120 align:middle line:84%
There are plenty of free brute
force automated attacking

00:02:26.120 --> 00:02:26.860 align:middle line:90%
tools.

00:02:26.860 --> 00:02:29.300 align:middle line:84%
It is just a matter of setting
your target application

00:02:29.300 --> 00:02:31.820 align:middle line:84%
and providing the
username-password lists,

00:02:31.820 --> 00:02:35.150 align:middle line:84%
or even just let it compute
all possible combinations.

00:02:35.150 --> 00:02:38.240 align:middle line:84%
The most common authentication
issues are well documented,

00:02:38.240 --> 00:02:40.760 align:middle line:84%
and the information is
generally available and easy

00:02:40.760 --> 00:02:42.230 align:middle line:90%
to understand.

00:02:42.230 --> 00:02:45.800 align:middle line:84%
Sometimes, your own application
can be used against itself,

00:02:45.800 --> 00:02:48.950 align:middle line:84%
abusing other issues,
such as user enumeration,

00:02:48.950 --> 00:02:51.680 align:middle line:84%
to help compromise
authentication.

00:02:51.680 --> 00:02:54.710 align:middle line:84%
An attacker with access
to a victim's account

00:02:54.710 --> 00:02:56.840 align:middle line:84%
might be able to
lock the victim out

00:02:56.840 --> 00:02:59.360 align:middle line:84%
by replacing their
email or password.

00:02:59.360 --> 00:03:01.460 align:middle line:84%
An attacker can also
impersonate the victim

00:03:01.460 --> 00:03:03.420 align:middle line:90%
and perform system transactions.

00:03:03.420 --> 00:03:05.510 align:middle line:84%
Applications might not
be able to distinguish

00:03:05.510 --> 00:03:09.140 align:middle line:84%
between transactions initiated
by the victim or the attacker.

00:03:09.140 --> 00:03:11.240 align:middle line:84%
Depending on the
application domain,

00:03:11.240 --> 00:03:13.490 align:middle line:84%
attackers with access
to victims' accounts

00:03:13.490 --> 00:03:16.500 align:middle line:84%
might be able to perpetrate
some kind of fraud.

00:03:16.500 --> 00:03:20.660 align:middle line:84%
Attackers will always be able
to gather the victim's profile data.

00:03:20.660 --> 00:03:24.340 align:middle line:84%
Asking for ransom is
quite common nowadays.

00:03:24.340 --> 00:03:28.660 align:middle line:84%
Unfortunately, you're fighting
virtually anyone and anything.

00:03:28.660 --> 00:03:30.400 align:middle line:84%
There are fully
automated networks

00:03:30.400 --> 00:03:33.580 align:middle line:84%
of computers trying to exploit
authentication in several web

00:03:33.580 --> 00:03:35.950 align:middle line:84%
applications, just using
credential stuffing

00:03:35.950 --> 00:03:39.040 align:middle line:84%
attacks based on leaked
authentication data.

00:03:39.040 --> 00:03:41.950 align:middle line:84%
It is fairly easy for a
non-tech malicious actor

00:03:41.950 --> 00:03:44.740 align:middle line:84%
to perpetrate a brute force
attack such as credential

00:03:44.740 --> 00:03:46.630 align:middle line:90%
stuffing.

00:03:46.630 --> 00:03:48.910 align:middle line:84%
Even just stealing
user profile data

00:03:48.910 --> 00:03:51.550 align:middle line:84%
will be rewarding since
this data will always

00:03:51.550 --> 00:03:53.920 align:middle line:90%
be valuable to someone else.

00:03:53.920 --> 00:03:56.890 align:middle line:84%
Sometimes, authentication
flaws, such as default

00:03:56.890 --> 00:03:59.950 align:middle line:84%
or weak passwords, are abused
inside the organization

00:03:59.950 --> 00:04:02.230 align:middle line:90%
as a way to escalate privileges.

00:04:02.230 --> 00:04:05.230 align:middle line:84%
Access to sensitive information
may have a huge business

00:04:05.230 --> 00:04:07.420 align:middle line:90%
impact.

00:04:07.420 --> 00:04:09.940 align:middle line:84%
You'll find this table
in the OWASP Top 10.

00:04:09.940 --> 00:04:13.370 align:middle line:84%
Pause the video and take your
time to carefully read it.

00:04:13.370 --> 00:04:16.279 align:middle line:84%
In the next part, we will
exploit several authentication

00:04:16.279 --> 00:04:20.079 align:middle line:84%
flaws in order to access
the application as admin.

00:04:20.079 --> 00:04:21.000 align:middle line:90%