8/13/2019 5 Ways to Lose Your User's Password
1/59
Copyright 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
5 Ways to Lose Your Users' Passwords
By Shalini Gupta and Runa Dwibedi, Paladion Networks
Stealing passwords using:
- Browser Refresh
- Browser memory
- Remember feature
- Forgot password feature
- SQL injection
#1: Browser Refresh
Browser Refresh
Browsers store the headers and POST variables that were sent to the web server while fetching a page. When the Refresh button is clicked, the request that loaded the current page is re-submitted to the server, including those POST variables.
Pre-requisites
- User leaves the browser window open.
- Adversary gets physical access to the machine.
Step 1: Bob logged out of the application but did not close the browser.
You have been successfully logged out.
Step 2: Alice gains access to his machine. She clicks the browser's Back button until she reaches the page immediately after login.
Step 3: Alice clicks the Refresh button to reload this page.
Step 4: Alice clicks Retry on the browser's resubmit pop-up and is logged in as Bob.
Step 5: Alice intercepts this re-submitted request with a web proxy and is able to see Bob's username and password.
Solutions
- Introduce an intermediate page.
- Use a salted hash technique.
Under the hood (vulnerable flow)
Browser -> Server: from Login.asp, the browser POSTs Login ID + Password to www.website.com/Myhome.asp.
Myhome.asp authenticates the user and is displayed to the user.
On Refresh, the browser re-sends the same POST (Login ID + Password) to www.website.com/Myhome.asp, and a web proxy can intercept it.
Intermediate Page Solution
Browser -> Server: the browser POSTs Login ID + Password to Login.asp.
Login.asp authenticates the user, assigns a session token, sets an authentication token and redirects to Myhome.asp.
Browser -> Server: GET Myhome.asp.
Authentication.asp verifies the authentication token and serves the Myhome.asp page.
On Refresh, the browser re-sends only GET Myhome.asp, so an intercepting proxy sees no credentials; the server verifies the authentication token and invalidates the replayed request.
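The two flows in the diagrams, the direct POST to Myhome.asp and the intermediate-page redirect, modelled as an added example (not code from the slides or from Paladion Networks): a tiny in-memory server plus a browser that re-sends its last request on Refresh. The page names come from the diagrams; the cookie name sid, the session store and Bob's account are assumptions.

```python
import secrets
USERS = {"bob": "bobs-password"}   # constructed sample account (assumption)
SESSIONS = {}                       # session token -> username; in-memory store (assumption)

def handle(method, path, form=None, cookies=None):
    # Tiny server: returns (status, headers, body) for one request.
    form, cookies = form or {}, cookies or {}
    authenticated = "username" in form and USERS.get(form["username"]) == form.get("password")
    if path == "/Myhome.asp" and method == "POST":
        # "Under the hood" flow: the credential POST is itself the home page, so Refresh (after "Retry") re-sends it.
        return (200, {}, "Welcome " + form["username"]) if authenticated else (401, {}, "bad credentials")
    if path == "/Login.asp" and method == "POST":
        if not authenticated:
            return 401, {}, "bad credentials"
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = form["username"]
        # Intermediate-page flow: answer the POST with a redirect, so history holds only GETs.
        return 302, {"Location": "/Authentication.asp", "Set-Cookie": "sid=" + token}, ""
    if path in ("/Authentication.asp", "/Myhome.asp") and method == "GET":
        user = SESSIONS.get(cookies.get("sid"))
        if user is None:                    # no valid token: refuse the replayed request
            return 200, {}, "login form"    # (a real app would redirect to Login.asp)
        if path == "/Authentication.asp":   # token verified; hand over to Myhome.asp
            return 302, {"Location": "/Myhome.asp"}, ""
        return 200, {}, "Welcome " + user
    return 404, {}, "not found"

class Browser:
    # Follows redirects and records the final request of each navigation as history.
    def __init__(self):
        self.cookies, self.history = {}, []
    def navigate(self, method, path, form=None):
        while True:
            status, headers, body = handle(method, path, form, self.cookies)
            if "Set-Cookie" in headers:
                self.cookies.update([headers["Set-Cookie"].split("=", 1)])
            if status != 302:
                self.history.append((method, path, form))
                return status, body
            method, path, form = "GET", headers["Location"], None
    def refresh(self):                      # Refresh re-sends the current history entry
        return self.navigate(*self.history[-1])

def refresh_after_logout(fixed):
    # Bob logs in, logs out without closing the browser; Alice presses Refresh.
    b = Browser()
    b.navigate("POST", "/Login.asp" if fixed else "/Myhome.asp",
               {"username": "bob", "password": "bobs-password"})
    SESSIONS.clear()                        # logout invalidates the server-side session
    body = b.refresh()[1]
    return b.history[-1][2], body           # (form data the refresh replayed, page Alice sees)
```

With the original flow the refresh replays Bob's credentials and shows his home page; with the intermediate page it replays a bare GET and lands on the login form.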
#2: Browser Memory
Browser Memory
The username and password submitted through a web page are kept in the browser's memory.
Pre-requisites
- User leaves the browser window open after logging out.
- Adversary gets physical access to the machine.
Step 1: Bob logged out of the application but did not close the browser.
You have been successfully logged out.
Step 2: Alice views the browser's memory and locates the credentials.
Solution
- The variable containing the clear-text password should be reset immediately after logon.
- Use a salted hash technique.
#3: Remember Feature
Two ways
- Through the application's "Remember my login" option, which saves a special cookie.
- Through the built-in feature of the browser: the browser stores the username and password on the hard drive at particular locations.
Pre-requisites
- User activates a feature to remember login credentials.
- Adversary gets physical access to the machine.
The Attack - Application feature
Step 1: Bob logged out of the application and closed the browser too.
Step 2: Alice gains access to his machine. She
- views the cookie file on the local machine and uses the login credentials in it to log into the application,
OR
- overwrites her own authentication token with Bob's token in the cookie file on her system.
The Attack - Browser feature
Bob turned on the IE/Firefox browser option to save passwords.
Firefox user: Bob had turned on password saving in Firefox through the "Remember passwords" option.
While logging in to the application, the browser prompted with a dialog to save the password and Bob chose Yes.
Step 1: Alice gains access to his machine. She retrieves the password from the stored location.
Firefox: Alice can view Bob's password in clear text!
IE stores them encrypted.
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW
Alice can still retrieve Bob's password.
Solution
- For "Remember My Login": the authentication details/token should not be stored in plain text.
- For "Remember password": add the following code for the password field.
- Display a warning message about the insecurities involved in a shared computer environment.
- Use workarounds, e.g. small JavaScript snippets.
#4: Forgot Password Feature
The 3 ways to exploit it
- Using hidden fields
- Using variables in the URL
- Using an improper process
#4.1: Hidden Fields
Hidden Fields
Hidden form fields are a convenient way to store data in the browser and are one of the most common ways of carrying data between pages.
Pre-requisite
Adversary knows a valid username
Step 1: Alice accesses the Forgot Password page.
The hidden field is populated with the username paladiontest.
Step 2: Alice sets a new password, changes the username to Bob's and clicks on Login.
The username in the hidden field is changed from paladiontest to paladiontest1.
Alice has changed Bob's password.
Your password has been changed.
Solution
No critical data should be stored in hidden fields. The application should link the user ID to the session information of the user.
#4.2: Variables in URL
Variables in URL
Applications send parameters through the query string.
Pre-requisite
Adversary knows a valid username
Step 1: Alice accesses the Forgot Password page through a web proxy. The username is in the URL. She inputs a new password and clicks Submit.
Step 2: Alice intercepts the request in the proxy. The username is in the request.
Step 3: Alice changes the username in the intercepted request to bob.
Solution
No critical data should be sent in the query string. The application should link the user ID to the session information of the user.
#4.3: Improper Processes
Improper Processes
Different ways to implement the forgot password feature:
- Secret question
- User details
Pre-requisite
Social engineering techniques are applied.
Step 1: Alice inputs Bob's name into the username field and clicks on the Forgot Password link.
Step 2: Alice fills in Bob's information.
Step 3: Alice enters the guessed answer.
The new password
Solution
A short-lived, one-time-use, SSL-enabled link mailed to the user.
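An added example, not from the slides, of the mailed-link design that also removes the hidden-field (#4.1) and URL-parameter (#4.2) problems: the account being reset is identified only by a server-side record tied to the token, never by a username the client sends. The /reset path, the 15-minute lifetime and the in-memory stores are assumptions; a real deployment would send the link over HTTPS by e-mail and store a password hash.

```python
import hashlib, secrets, time

USERS = {"bob": "old-secret", "alice": "alice123"}   # constructed sample accounts
RESET_RECORDS = {}        # sha256(token) -> (username, expiry); in-memory store (assumption)
TOKEN_TTL = 15 * 60       # seconds a mailed link stays valid (assumed policy)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(username, now=None):
    # Step 1: the user asks for a reset. Returns the one-time link to e-mail, or None.
    # Only the digest is stored, so reading the store does not yield usable links.
    if username not in USERS:
        return None       # show the same neutral message either way to avoid user enumeration
    token = secrets.token_urlsafe(32)
    RESET_RECORDS[_digest(token)] = (username, (now or time.time()) + TOKEN_TTL)
    return "https://www.website.com/reset?token=" + token   # path is an assumption

def complete_reset(token, new_password, now=None):
    # Step 2: the link is opened and a new password submitted. The account comes from
    # the server-side record; no username from a hidden field or URL is consulted.
    record = RESET_RECORDS.pop(_digest(token), None)   # pop: a link works exactly once
    if record is None:
        return False      # unknown, already used, or tampered token
    username, expiry = record
    if (now or time.time()) > expiry:
        return False      # link expired
    USERS[username] = new_password   # a real system stores a password hash, not the password
    return True
```

Because complete_reset takes no username, the hidden-field and URL edits from #4.1 and #4.2 have nothing to change; the only way to reset Bob's password is to possess the link sent to Bob.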
#5: SQL Injection
SQL Injection
- A well-known attack
- Specially crafted input manipulates the SQL query
- Attackers can manipulate the database
Step 1: Alice logs in and accesses the Change Password page. She enters the string test123';-- in the New Password field.
The Attack
The password is reset for all users.
The query:
UPDATE SET Password = 'test123';-- WHERE Username = 'alice' and old_Password = 'alice123'
Solution
- Strong input validation: maintain a white list
- Parameterized queries
- Parameterized stored procedures
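The change-password UPDATE from the previous slide, built by string concatenation beside its parameterized form and run against an in-memory SQLite table, as an added example (not code from the slides). The table name users and a Password column compared against the old password stand in for the slide's omitted table name and its old_Password term; plaintext passwords are kept only to mirror the slide.

```python
import sqlite3

def fresh_db():
    # Constructed sample table; the slide omits the table name, so `users` is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice123"), ("bob", "bobs-secret")])
    return db

def change_password_vulnerable(db, username, old_password, new_password):
    # Untrusted input is pasted into the SQL text. With new_password = "test123';--"
    # the quote closes the string literal and ';--' comments out the WHERE clause,
    # so the UPDATE hits every row. Returns the number of rows changed.
    sql = ("UPDATE users SET Password = '" + new_password + "' WHERE Username = '"
           + username + "' AND Password = '" + old_password + "'")
    return db.execute(sql).rowcount

def change_password_safe(db, username, old_password, new_password):
    # Parameterized query: the values travel separately from the SQL text, so the same
    # input is stored verbatim as alice's new password and bob's row is untouched.
    return db.execute(
        "UPDATE users SET Password = ? WHERE Username = ? AND Password = ?",
        (new_password, username, old_password)).rowcount

def passwords(db):
    # Current (Username -> Password) mapping, used to inspect the effect of each UPDATE.
    return dict(db.execute("SELECT Username, Password FROM users"))
```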
Thank You!!