QA Fest 2019. Diana Pinchuk. Testing authentication and authorization (AuthN & AuthZ): it's not only about the login form

  1. AuthN & AuthZ testing: it's not only about the login form (QA Fest, Kyiv 2019, QA conference #1 in Ukraine)
  2. Agenda
     - What's the difference
     - Authentication and its spectrum
     - Authorization and OAuth 2.0
     - Identity and Access Management (IAM) and Keycloak
     - Conclusions and trivia quiz
  3. About me
     - Work at Very Good Security
     - Organize QA Club Lviv
     - Write on Medium
  4. Why do we talk about it?
     - To stop confusing it
     - It's everywhere... and probably in your product
     - You were asked to test a login form at an interview
  5. It's about security
  6. OWASP 2017 TOP 10
     - A2:2017-Broken Authentication (AuthN)
     - A5:2017-Broken Access Control (AuthZ)
  7. OWASP API Security TOP 10 (end of 2019)
     - A1: Broken Object Access Level Control (AuthZ)
     - A2: Broken Authentication (AuthN)
     - A5: Missing Function/Resource Level Access Control
  8. Even big companies fu*k up: Apple
  9. Even big companies fu*k up: Reddit
  10. How to distinguish?
  11. Authentication (AuthN): Is it really you? / Authorization (AuthZ): Who you are and what you can do
  12. Boring theory
     - Authentication is the process of ascertaining that somebody really is who they claim to be.
     - Authorization refers to rules that determine who is allowed to do what.
  13. Authentication (AuthN)
  14. Authentication (AuthN): Is it really you?
  15. Boring theory: Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
  16. AuthN spectrum
  17. AuthN spectrum
     - Passwords
     - Cookies
     - Single Sign-On
     - Restrict where and when users can log in
     - Two-factor authentication
     - Certificate-based authentication
     - Network-based security
  18. AuthN factors
  19. MFA (Multi-factor authentication): Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are)
  20. MFA: phone-based methods
     - Push-based
     - QR code based
     - One-time password (OTP): event-based, time-based
     - SMS-based verification => avoid it!
  21. MFA: phone-based methods
     - Push-based
     - QR code based
     - One-time password (OTP): event-based, time-based
     - SMS-based verification: Reddit issue
  22. Biometric AuthN
  23. Single Sign-On (SSO): Log in with a single ID and password to gain access to any of several related systems
     - reduces password fatigue
     - reduces IT costs
     - less time spent re-entering passwords
     - mitigates risk for access to 3rd-party sites
  24. AuthN security
  25. OWASP Testing Guide
     1. Credentials Transported over an Encrypted Channel
     2. Default credentials
     3. Weak lock out mechanism
     4. Bypassing Authentication Schema
     5. Vulnerable Remember Password
     6. Browser cache weakness
     7. Weak password policy
     8. Weak security question/answer
     9. Weak password change or reset functionalities
     10. Weaker authentication in alternative channel
  26. OWASP Testing Guide
     1. Credentials Transported over an Encrypted Channel
     2. Default credentials (Apple issue)
     3. Weak lock out mechanism
     4. Bypassing Authentication Schema
     5. Vulnerable Remember Password
     6. Browser cache weakness
     7. Weak password policy
     8. Weak security question/answer
     9. Weak password change or reset functionalities
     10. Weaker authentication in alternative channel
  27. Rainbow tables attack: huge databases of precomputed hashes
     User     Password        Password hash (SHA1)
     Alice    password        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
     Bob      qjnN@*)!bsk     dd3fb7f5e7e0b00e0794f0c73d5f3ba57197be24
     Carrie   my_p@s$w0rd!    700c311f7fe171eca2d0bc8f1e13bfa288944539
     James    qwerty123       5cec175b165e3d5e62c9e13ce848ef6feac81bff
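Slide 27 shows why an unsalted hash is dangerous: identical passwords always give identical hashes, so one precomputed table serves every user of every site. The following is an added example, not from the talk, that rebuilds the slide's table in code, runs a tiny stand-in for a precomputed lookup table over it (the password list is constructed for the example), and then shows the fix: a random per-user salt plus a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library is used here; bcrypt, scrypt or Argon2 are the usual production choices).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def sha1_hex(password: str) -> str:
    """Unsalted hex SHA-1, the scheme the slide's table uses."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed user table with the same passwords as the slide.
USERS: Dict[str, str] = {
    "Alice": sha1_hex("password"),
    "Bob": sha1_hex("qjnN@*)!bsk"),
    "Carrie": sha1_hex("my_p@s$w0rd!"),
    "James": sha1_hex("qwerty123"),
}

# Stand-in for a precomputed lookup/rainbow table (hash -> plaintext). Real tables hold
# billions of entries; the cost per stored hash is still a single lookup.
COMMON_PASSWORDS = ["123456", "password", "qwerty123", "letmein", "admin"]
LOOKUP_TABLE: Dict[str, str] = {sha1_hex(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Every user whose unsalted hash is in the table falls instantly; the same
    precomputation works for all of them because nothing user-specific went into the hash."""
    return {name: LOOKUP_TABLE[h] for name, h in users.items() if h in LOOKUP_TABLE}


# Mitigation: per-user random salt + deliberately slow KDF.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, cost and salt are stored next to the digest.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password: str) -> bool:
    """Same password, two users, two different records: a table built for one salt
    says nothing about the other, so precomputation no longer pays off."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print("cracked from unsalted SHA-1:", crack_unsalted(USERS))
    print("salted record for Alice:", hash_password("password"))
```

Note what survives the lookup even without a salt: Bob's and Carrie's passwords are not in any common-password list, so the hash alone does not give them away. The salt is what protects the users who chose weak passwords, and the slow KDF is what makes building a table per salt impractical.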
  28. Useful links
     - OWASP cheat sheet http://bit.ly/2NuEqEq
     - Have I been pwned https://haveibeenpwned.com/
     - Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
  29. Authorization (AuthZ)
  30. Authorization (AuthZ): Who you are and what you can do
  31. Authorization: Authorization is the function of specifying access rights/privileges to resources, which is related to information security and computer security in general and to access control in particular.
  32. AuthZ methods
     - Access control lists (ACL)
     - Access controls of URLs
     - Secure objects and methods
  33. Access control mechanisms
     ● Attribute-based access control (ABAC)
     ● Role-based access control (RBAC)
     ● User-based access control (UBAC)
     ● Context-based access control (CBAC)
     ● Rule-based access control
     ● Time-based access control
     ...and a lot more
  34. RBAC
  35. OAuth 2.0
  36. OAuth 2.0: It's an authorization delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service.
  37. OAuth 2.0 is...
     - ...about how to get the token and how to use the token
     - ...replaces the password-sharing antipattern with a delegation protocol that's simultaneously more secure and more usable
     - ...focused on a small set of problems and solving them well
  38. Trust on first use (TOFU) principle
     - Enter credentials and permissions once
     - Assume correct for future requests
     - May expire over time or user logging
     - May apply across apps
  39. Different levels of trust
     Whitelist: internal parties, known business partners, customer organizations, trust frameworks
     ● Centralized protocol
     ● Traditional policy management
     Graylist: unknown entities, trust on first use
     ● End user decisions
     ● Extensive auditing and logging
     ● Rules on when to move to the white or black lists
     Blacklist: known bad parties, attack sites
     ● Centralized protocol
     ● Traditional policy management
  40. Tokens
     - Access token: indicates the rights that the client has been delegated. Has an option to expire automatically.
     - Refresh token: get a new access token without asking for authorization again.
  41. Tokens
     - Bearer token: anyone who carries the token has the right to use it.
  42. Scopes: A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user. https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
  43. OAuth 2.0 and AuthN: OAuth doesn't dictate the AuthN technology, and the AuthZ server is free to choose any method. The user authentication passes directly between the user (and their browser) and the AuthZ server; it's never seen by the client application.
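Slides 40 to 43 describe the three token properties a tester checks at a resource server: an access token expires, a refresh token obtains a new one without re-consent (and cannot widen the scopes), and a bearer token is honoured for whoever presents it. The following is an added example, not code from the talk and not any real OAuth library: a toy in-memory authorization server that issues opaque bearer tokens with scopes and expiry, and a resource server that enforces them. Client ids, secrets and scope names are constructed for the example; `now` is passed explicitly so expiry can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class AccessToken:
    client_id: str
    user: str
    scopes: Set[str]
    expires_at: float


@dataclass
class RefreshToken:
    client_id: str
    user: str
    scopes: Set[str]


class AuthorizationServer:
    """Toy AuthZ server. Tokens are random opaque strings; the rights they carry
    (user, scopes, expiry) live server-side, so introspection is a dictionary lookup."""
    ACCESS_TTL = 3600  # seconds; short-lived access tokens limit the damage of a leak

    def __init__(self, clients: Dict[str, str]):
        self.clients = clients  # registered client_id -> client_secret (constructed)
        self.access: Dict[str, AccessToken] = {}
        self.refresh: Dict[str, RefreshToken] = {}

    def _check_client(self, client_id: str, client_secret: str) -> None:
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")

    def issue(self, client_id: str, client_secret: str, user: str,
              scopes: Iterable[str], now: Optional[float] = None) -> Tuple[str, str]:
        """Called after the user authenticated at the AuthZ server and consented to
        `scopes`; the client never saw the user's password."""
        self._check_client(client_id, client_secret)
        now = time.time() if now is None else now
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = AccessToken(client_id, user, set(scopes), now + self.ACCESS_TTL)
        self.refresh[rt] = RefreshToken(client_id, user, set(scopes))
        return at, rt

    def refresh_token(self, client_id: str, client_secret: str, rt: str,
                      now: Optional[float] = None) -> Tuple[str, str]:
        """Trade a refresh token for a fresh access token. The refresh token is rotated
        (single use), must belong to this client, and the scopes cannot grow."""
        self._check_client(client_id, client_secret)
        grant = self.refresh.pop(rt, None)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        return self.issue(client_id, client_secret, grant.user, grant.scopes, now)

    def introspect(self, at: str, now: Optional[float] = None) -> Optional[AccessToken]:
        now = time.time() if now is None else now
        tok = self.access.get(at)
        if tok is None or tok.expires_at <= now:
            return None
        return tok


class ResourceServer:
    """Protected API: the Authorization header is the only proof of rights it sees.
    A bearer token is honoured for whoever carries it, which is why it must be protected."""

    def __init__(self, authz: AuthorizationServer):
        self.authz = authz

    def handle(self, authorization_header: str, required_scope: str,
               now: Optional[float] = None) -> Tuple[int, str]:
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        tok = self.authz.introspect(authorization_header[len("Bearer "):], now)
        if tok is None:
            return 401, "invalid or expired token"
        if required_scope not in tok.scopes:
            return 403, f"insufficient_scope: {required_scope} required"
        return 200, f"profile of {tok.user} read by client {tok.client_id}"
```

The status codes mirror what a tester looks for: a bad or expired token is a 401 (authentication of the request failed), while a valid token lacking the scope is a 403 (the caller is known but not allowed). A refresh token that works twice, or a refresh that returns more scopes than were originally granted, is a finding.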
  44. AuthZ security
  45. OAuth 2.0 security: A client needs to manage securing only its own client credentials and the user's tokens. And the breach of a single client would be bad but limited in its damage to the users of that client.
  46. OWASP Testing Guide
     1. Directory traversal/file include
     2. Bypassing Authorization Schema
     3. Privilege escalation
     4. Insecure Direct Object References
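RBAC (slides 33 and 34) answers "may this role perform this action?", but Insecure Direct Object References (slide 46, item 4; the API Top 10's object-level item on slide 7) arise when that is the only question asked and the handler never checks whether the object named in the request belongs to the caller. The following is an added example, not from the talk, with a constructed role model and invoice store: `rbac_only` shows the incomplete check, `authorize` adds the object-level ownership test, and `get_invoice` is a handler that returns 404 for foreign objects so the id space cannot be mapped by probing.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed role model (RBAC): role -> permissions, each written as "action:resource".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read:invoice"},
    "editor": {"read:invoice", "update:invoice"},
    # "read:any_invoice" is an explicit cross-tenant right; nothing else crosses owners.
    "admin": {"read:invoice", "update:invoice", "delete:invoice", "read:any_invoice"},
}


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Invoice:
    id: int
    owner: str


# Constructed store; the id is what a client supplies in the URL (/invoices/<id>).
INVOICES: Dict[int, Invoice] = {1: Invoice(1, "alice"), 2: Invoice(2, "bob")}


def permissions(user: User) -> Set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def rbac_only(user: User, action: str, invoice: Invoice) -> bool:
    """Function-level check alone: does some role of the user allow the action?
    This is the IDOR pattern: it never asks whether *this* invoice is the caller's."""
    return f"{action}:invoice" in permissions(user)


def authorize(user: User, action: str, invoice: Invoice) -> bool:
    """RBAC plus object-level check: the role must allow the action AND the object
    must belong to the caller, unless an explicit cross-tenant permission covers it."""
    perms = permissions(user)
    if f"{action}:invoice" not in perms:
        return False
    if invoice.owner == user.name:
        return True
    return action == "read" and "read:any_invoice" in perms


def get_invoice(user: User, invoice_id: int) -> Tuple[int, Optional[Invoice]]:
    """Handler for a user-supplied id. Missing and foreign invoices both yield 404,
    so a caller cannot tell which ids exist by comparing 403 against 404."""
    inv = INVOICES.get(invoice_id)
    if inv is None or not authorize(user, "read", inv):
        return 404, None
    return 200, inv
```

When testing, the comparison between `rbac_only` and `authorize` is the whole point: take a low-privilege account, request an object id that belongs to someone else, and confirm the response is the same as for an id that does not exist. Horizontal (same role, other owner) and vertical (viewer performing an editor action) cases are both covered by `authorize`.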
  47. Useful links
     - OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV
     - OAuth 2.0 security spec http://bit.ly/2P95zyR
     - IDOR testing http://bit.ly/2P95Bqt
  48. AuthZ + AuthN = IAM (Identity and Access Management)
  49. Identity and Access Management (IAM): providing the right people with the right access at the right time
     Access Management
       Authentication: ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication
       Authorization: ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization
     Identity Management
       User Management: ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service
       Central User Repository: ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory
  50. IAM best practices
     - Immutable private identifiers / mutable public identifiers
     - Decouple core information and PII from transactional data
     - Decouple biometrics from other PII
     - Externalize access control rules
     - Self-expressive credentials
     - Privileged accounts are a different species
     https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
  51. Practice time!
  52. Try on your own: Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
  53. Conclusions
  54. Authentication (AuthN): Is it really you? / Authorization (AuthZ): Who you are and what you can do
  55. Conclusions
     - For better understanding, dig into the system
     - Use heuristics to remember things
     - Use cheat sheets and don't trust your memory
     - Update your passwords and turn on MFA today
  56. Practice before the next interview
  57. Testing challenges http://testingchallenges.thetestingmap.org/index.php
  58. Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/
  59. Thanks! @diana_pinchuk @pinchuk.diana