Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати боятись їх тестувати"
•
1 like•152 views
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати боятись їх тестувати"
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати боятись їх тестувати"
Similar to Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати боятись їх тестувати" (20)
More from Dakiry
More from Dakiry (20)
Recently uploaded
Recently uploaded (20)
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати боятись їх тестувати"
- 1. AuthN and AuthZ How to stop confusing them and test effectively Diana Pinchuk
- 2. Agenda What’s the difference Authentication and its spectrum Authorization and OAuth 2.0 Identity and Access Management (IAM) and Keycloak Conclusions and trivia quiz
- 3. Work at Very Good Security Organize QA Club Lviv Write on Medium About me
- 4. To stop confusing it It’s everywhere... and probably in your product You were asked to test a login form at an interview Why do we talk about it?
- 6. A2:2017-Broken Authentication (AuthN) A5:2017-Broken Access Control (AuthZ) OWASP TOP 10 (2017)
- 7. OWASP API Security TOP 10 (2019) A1: Broken Object Access Level Control (AuthZ) A2: Broken Authentication (AuthN)
- 8. Even big companies fu*k up: Apple
- 9. Even big companies fu*k up: Reddit
- 11. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
- 12. Boring theory Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what.
- 14. Authentication In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
- 15. AuthN spectrum - Passwords - Cookies - Single Sign-On - Restrict Where and When Users Can Log In - Two-Factor Authentication - Certificate-Based Authentication - Network-based security
- 16. AuthN factors
- 17. MFA (Multi-factor authentication) Involves two or more authentication factors (something you know, something you have, or something you are)
- 18. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) ○ event-based ○ time-based - SMS-based verification => avoid it!
- 19. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) ○ event-based ○ time-based - SMS-based verification Reddit issue
- 20. Biometric AuthN
- 23. Single Sign-On (SSO) - Reduces password fatigue - Reduces IT costs - Less time spent re-entering passwords - Mitigates risk for access to 3rd-party sites
- 24. AuthN security
- 25. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
- 26. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials Apple issue 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
- 27. Rainbow tables attack Huge databases of precomputed hashes User Password Password hash (SHA1) Alice password 5baa61e4c9b93f3f0682250b6cf8331b 7ee68fd8 Bob qjnN@*)!bsk dd3fb7f5e7e0b00e0794f0c73d5f3ba5 7197be24 Carrie my_p@s$w0rd! 700c311f7fe171eca2d0bc8f1e13bfa28 8944539 James qwerty123 5cec175b165e3d5e62c9e13ce848ef6f eac81bff
- 28. Useful links OWASP cheat sheet http://bit.ly/2NuEqEq Have I been pwned https://haveibeenpwned.com/ Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
- 30. Authorization Authorization is the function of specifying access rights/ privileges to resources
- 32. Access control mechanisms - Attribute-based access control (ABAC) - Role-based access control (RBAC) - User-based access control (UBAC) - Rule-based access control - Time-based access control ...and a lot more
- 33. RBAC
- 35. OAuth 2.0
- 36. OAuth 2.0 It’s an authorization delegation protocol, letting someone who controls the a recourse allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service.
- 37. OAuth 2.0 is ...about how to get the token and how to use the token ...replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable ...focused on a small set of problems and solving them well
- 39. Tokens Access token - indicates the rights that the client has been delegated. Have an option to expire automatically Refresh token - get new access token without asking for authorization again.
- 41. Tokens Bearer token - anyone who carries the token has the right to use it.
- 42. Scopes A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
- 44. AuthZ security
- 45. OWASP Testing Guide 1. Directory traversal/file include 2. Bypassing Authorization Schema 3. Privilege escalation 4. Insecure Direct Object References (IDOR)
- 46. Useful links OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV OAuth 2.0 security spec http://bit.ly/2P95zyR IDOR testing http://bit.ly/2P95Bqt
- 47. AuthN + AuthZ = IAM (Identity and Access Management)
- 48. Access Management Authentication ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication Authorization ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization User Management ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service Central User Repository ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory Identity Management Identity and Access Management (IAM): Providing the right people with the right access at the right time
- 49. IAM best practices - Immutable Private Identifiers / Mutable Public Identifiers - Decouple Biometrics from other PII - Externalize Access Control Rules - Self-Expressive Credentials - Privilege Accounts are a Different Species https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
- 50. Practice time!
- 51. Try on your own Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
- 54. Conclusions
- 55. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
- 57. Conclusions For better understanding dig into system Use heuristics to remember smth Use cheat sheets and don’t trust your memory Update your passwords and turn on MFA today
- 58. Practice before the next interview
- 60. Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/
Editor's Notes
- https://www.theguardian.com/technology/2017/nov/29/macos-high-sierra-bug-apple-mac-unlock-blank-password-security-flaw
- Checksum verification is also a part of AuthN Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. Common configurations: Kerberos-based Smart card based Integrated Windows Authentication SAML (Security Assertion Markup Language)
- Single Sign-On Network-based security limits where users can log in from, and when they can log in. This is different from user authentication, which only determines who can log in. Use network-based security to limit the window of opportunity for an attacker and to make it more difficult for an attacker to use stolen credentials. Restrict Where and When Users Can Log In You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access the system. Two-Factor Authentication Two-factor authentication is the most effective way to protect your org’s user accounts. Certificate-Based Authentication Custom Login Flows Login flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user profile, and send the user through that flow when logging in.
- The knowledge factors: Something the user knows (e.g., a password, PIN) The ownership factors: Something the user has (ID card, cell phone holding a software token) The inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern)
- BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number,
- BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number, SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has. According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker. Advantages No additional tokens are necessary dynamically generated passcodes are safer to use Depending on the solution, passcodes that have been used are automatically replaced Disadvantages Users may still be susceptible to phishing attacks Mobile phone are not always available SIM cloning gives hackers access to mobile phone connections. Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Account recovery typically bypasses mobile-phone two-factor authentication. Modern smartphones are used both for receiving email and SMS. So if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked as the phone can receive the second factor. Mobile carriers may charge the user for messaging fees.
- BTW, SMS is not safe second factor. Hackers can relatively easily impersonate a user and convince a mobile phone service provider to change a target’s phone number, SMS-based verification suffers from some security concerns. Phones can be cloned, apps can run on several phones and cell-phone maintenance personnel can read SMS texts. Not least, cell phones can be compromised in general, meaning the phone is no longer something only the user has. According to a special publication from the National Institute of Standards and Technology (NIST) about Digital Identity Guidelines (800–63B), SMS is not to be used for Out-of-Band authentication because an attacker, through Social Engineering, could potentially induce a mobile operator to redirect the victim’s cell phone traffic to the attacker. Advantages No additional tokens are necessary dynamically generated passcodes are safer to use Depending on the solution, passcodes that have been used are automatically replaced Disadvantages Users may still be susceptible to phishing attacks Mobile phone are not always available SIM cloning gives hackers access to mobile phone connections. Text messages to mobile phones using SMS are insecure and can be intercepted by IMSI-catchers. Account recovery typically bypasses mobile-phone two-factor authentication. Modern smartphones are used both for receiving email and SMS. So if the phone is lost or stolen and is not protected by a password or biometric, all accounts for which the email is the key can be hacked as the phone can receive the second factor. Mobile carriers may charge the user for messaging fees.
- Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that he is who is says he is. Biometric authentication systems compare a biometric data capture to stored, confirmed authentic data in a database.
- SSO - log in with a single ID and password to gain access to any of several related systems
- OWASP Testing guide security Credentials Transported over an Encrypted Channel HTTP instead of HTTPS, redirect should be set up as well Default credentials admin/admin for example Weak lock out mechanism Lock after 3-5 unsuccessful attempts; how the account could be unclocked, is captcha used etc Bypassing Authentication Schema For example, skip the log in page Vulnerable Remember Password For example, check the passwords stored in a cookie. Check hashing mechanism etc Browser cache weakness Any senstive data shouldn’t be cached Weak password policy Don’t allow ‘qwerty’ Weak security question/answer Pre-generated standard questions are error prone and could lead to the password theft Weak password change or reset functionalities Can a user change the password of another user? Is the password reset page vulnerable to CSRF? Weaker authentication in alternative channel Alternative channels (like other sites, SSO, mobile apps) could be vulnerable
- OWASP Testing guide security Credentials Transported over an Encrypted Channel HTTP instead of HTTPS, redirect should be set up as well Default credentials admin/admin for example Weak lock out mechanism Lock after 3-5 unsuccessful attempts; how the account could be unclocked, is captcha used etc Bypassing Authentication Schema For example, skip the log in page Vulnerable Remember Password For example, check the passwords stored in a cookie. Check hashing mechanism etc Browser cache weakness Any senstive data shouldn’t be cached Weak password policy Don’t allow ‘qwerty’ Weak security question/answer Pre-generated standard questions are error prone and could lead to the password theft Weak password change or reset functionalities Can a user change the password of another user? Is the password reset page vulnerable to CSRF? Weaker authentication in alternative channel Alternative channels (like other sites, SSO, mobile apps) could be vulnerable
- BTW, quantum computing is coming
- To authorize is to define an access policy.
- It’s not even a single protocol, the spec is split between multiple definitions and protocols. OAuth is about how to get the token and how to use the token OAuth is a delegation protocol that provides authZ across systems OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems It enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
- OAuth is about how to get the token and how to use the token OAuth is a delegation protocol that provides authZ across systems OAuth replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable OAuth is focused on a small set of problems and solving them well, which makes it a suitable component within larger security systems
- Access token - an artifact issues by AuthZ server to a client that indicates the rights that the client has been delegated. Have an option to expire automatically Refresh token (get new access token without asking for authorization again). It’s never sent to the protected resource. The client requests new access tokens without involving the resource owner. Has an ability to downgrade the scope. Bearer token - anyone who carries the token has the right to use it. Bearer tokens have particular security properties. OAuth tokens are opaque to the client, which means that the client has no need to look t the token itself. The client’s job is to carry the token, requesting it from te AuthZ server and presenting it to the protected resource. The AuthZ server’s job is to issue the token. And protected resource’s job is to validate the token
- Refresh token
- Access token - an artifact issues by AuthZ server to a client that indicates the rights that the client has been delegated. Have an option to expire automatically Refresh token (get new access token without asking for authorization again). It’s never sent to the protected resource. The client requests new access tokens without involving the resource owner. Has an ability to downgrade the scope. Bearer token - anyone who carries the token has the right to use it. Bearer tokens have particular security properties. OAuth tokens are opaque to the client, which means that the client has no need to look t the token itself. The client’s job is to carry the token, requesting it from te AuthZ server and presenting it to the protected resource. The AuthZ server’s job is to issue the token. And protected resource’s job is to validate the token
- Scopes only come into play in delegation scenarios, and always limit what an app can do on behalf of a user: a scope cannot allow an application to do more than what the user can do A set of rights at the protected resource. Scopes are defined by the protected resource, based on the API that it’s offering. Client can request certain scopes, and the AuthZ server can allow the resource owner to grant or deny particular scopes to a given client during its request.
- Directory traversal/file include Read or write files that are not intended to be accessible. Try to reach the file system, check the file extensions, form params etc Bypassing Authorization Schema Access resources without a privilege, access resources after logout etc Privilege escalation Use admin privilege Insecure Direct Object References (IDOR) Modify a parameter and try to access an object
- There are multiple components in an IAM system: provisioning (or on-boarding), accounts management, identity governance, identification (or authentication), access control (or authorization) and identity federation. IAM is a broad area, so the above components can be further divided. For example, provisioning talks about inbound/outbound provisioning of user accounts, just-in-time provisioning, approval workflows — accounts management talks about privileged accounts management, credential management, users/groups/roles management — identity governance talks about role engineering, identity analytics, segregation of duties, role consolidation, identity delegation, attestation, reporting, self-service, risk management, compliance — authentication talks about multi-factor authentication, adaptive/risk-based authentication — access control talks about access control based on attributes or roles and policies — identity federation talks about single sign on, single log out, session management, attribute sharing
- Keycloak is based on a set of administrative UIs and a RESTful API, and provides the necessary means to create permissions for your protected resources and scopes, associate those permissions with authorization policies, and enforce authorization decisions in your applications and services. Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource. For RESTful-based resource servers, that information is usually obtained from a security token, usually sent as a bearer token on every request to the server. For web applications that rely on a session to authenticate users, that information is usually stored in a user’s session and retrieved from there for each request.