5 Ways to Lose Your User's Password


8/13/2019 5 Ways to Lose Your User's Password

1/59

Copyright 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation

OWASP

http://www.owasp.org

5 ways to lose your users' Passwords

By Shalini Gupta

Runa Dwibedi

Paladion Networks

2/59

Stealing password using

- Browser Refresh
- Browser memory
- Remember feature
- Forget password feature
- SQL injection

3/59

#1 Browser Refresh

4/59

Browser Refresh

Browsers store the headers and POST variables sent to the web server while fetching a page.

When the Refresh button is clicked, the request to load the current page is re-submitted to the server.

5/59

Pre-requisite

- User leaves the browser window open.
- Adversary gets physical access to the machine.

6/59

Step 1: Bob logged out of the application but did not close the browser.

You have been successfully logged out.

7/59

Step 2: Alice gains access to his machine. She clicks the Back button on the browser till she reaches the page immediately after login.

8/59

Step 3: Alice clicks the Refresh button to load this page.

9/59

Step 4: Alice clicks Retry on the pop-up shown by the browser and she gets logged in as Bob.

10/59

Step 5: Alice intercepts this request with a web proxy and is able to see Bob's username and password.

11/59

Solutions

- Introduce an intermediate page
- Use salted hash technique

12/59

Under the hood

Pages involved: Login.asp, Myhome.asp

- Browser -> Server: POST Login ID + Password to www.website.com/Myhome.asp
- Server: Myhome.asp authenticates the user and is displayed to the user
- Browser (Refresh) -> Server: POST Login ID + Password to www.website.com/Myhome.asp is sent again
- Intercept: the re-submitted POST carries the Login ID and Password

13/59

Intermediate Page Solution

Pages involved: Login.asp, Authentication.asp, Myhome.asp

- Browser -> Server: POST Login ID + Password
- Server: Login.asp authenticates the user, assigns a session token and sets an authentication token; the response is a redirect to Myhome.asp
- Browser -> Server: GET Myhome.asp (www.website.com/Myhome.asp)
- Server: Authentication.asp verifies the authentication token and serves the Myhome.asp page
- Browser (Refresh / Intercept) -> Server: GET Myhome.asp again
- Server: verifies the authentication token and invalidates the request
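The intermediate-page flow above, modelled as an added example (this is not code from the slides or from OWASP): the credential POST is answered with a redirect carrying a one-time token, the token is exchanged for a session cookie on a GET, and Myhome is only ever served on a GET, so a Refresh replays no credentials and a replayed token is rejected. The page paths, user store, salt and token sizes are constructed assumptions.

```python
# Added example: "intermediate page" login flow (not from the slides).
# Login.asp answers the credential POST with a redirect plus a one-time
# token; Authentication.asp exchanges the token for a session; Myhome.asp
# is only served on GET, so Refresh replays a GET without credentials.
# User store, salt, paths and token sizes are constructed assumptions.
import hashlib
import hmac
import secrets

_SALT = b"constructed-salt"   # assumption: per-user salts in real code
USERS = {"bob": hashlib.sha256(_SALT + b"bob-pass").hexdigest()}

_pending_tokens = {}   # one-time token -> username, removed on first use
_sessions = {}         # session cookie -> username


def post_login(username, password):
    """Login.asp: verify credentials, never render Myhome directly."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = USERS.get(username, "0" * 64)  # compare even for unknown user
    if not hmac.compare_digest(digest, stored) or username not in USERS:
        return 401, {}, "login failed"
    token = secrets.token_urlsafe(16)
    _pending_tokens[token] = username
    # 302: the browser follows with a GET; the POST body is not resent
    return 302, {"Location": "/Authentication.asp?token=" + token}, ""


def get_authentication(token):
    """Authentication.asp: swap the one-time token for a session cookie."""
    username = _pending_tokens.pop(token, None)  # second use: already gone
    if username is None:
        return 403, {}, "invalid or already used token"
    cookie = secrets.token_urlsafe(16)
    _sessions[cookie] = username
    return 302, {"Location": "/Myhome.asp", "Set-Cookie": "sid=" + cookie}, ""


def get_myhome(cookie):
    """Myhome.asp: plain GET, so Refresh re-sends only the session cookie."""
    username = _sessions.get(cookie)
    if username is None:
        return 401, {}, "please log in"
    return 200, {}, "welcome " + username
```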

14/59

#2 Browser Memory

15/59

Browser Memory

Username and password submitted through a web page are stored in the browser memory.

16/59

Pre-requisite

- User leaves the browser window open after logging out.
- Adversary gets physical access to the machine.

17/59

Step 1: Bob logged out of the application but did not close the browser.

You have been successfully logged out.

18/59

Step 2: Alice views the browser memory and locates the credentials.

19/59

Solution

- The variable containing the clear-text password should be reset immediately after logon.
- Use salted hash technique.

20/59

#3 Remember feature

21/59

Two ways

- Through the application's "Remember my login" option: saves a special cookie.
- Through the built-in feature of the browser: the browser stores the username and password on the hard drive at particular locations.

22/59

Pre-requisite

- User activates features to remember login credentials.
- Adversary gets physical access to the machine.

23/59

The Attack - App. feature

Step 1: Bob logged out of the application and closed the browser too.

Step 2: Alice gains access to his machine. She

- views the cookie file on the local machine.
- uses the login credentials to log into the application

OR

- overwrites her authentication token with Bob's token in the cookie file on her system.

24/59

The Attack - Browser feature

Bob turned on the IE/Firefox browser option to save passwords.

25/59

Firefox user - Bob had turned on the Firefox option to save passwords through "Remember passwords".

26/59

While logging in to the application, the browser prompted with a dialog to save the password and Bob chose Yes.

27/59

Step 1: Alice gains access to his machine. She retrieves the password from the stored location.

Firefox - Alice can view Bob's password in clear text!

28/59

IE stores them encrypted

Location:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW

Alice can still retrieve Bob's password.

29/59

Solution

For "Remember My Login": the authentication details/token should not be stored in plain text.

For "Remember password": add the following code for the password field.

Display a warning message about the insecurities involved in a shared computer environment.

Use workarounds, e.g. small JavaScript snippets.

30/59

#4 Forget Password Feature

31/59

The 3 ways to exploit

- Using Hidden Fields
- Using variables in URL
- Using Improper process

32/59

#4.1 Hidden Fields

33/59

Hidden Fields

Hidden form fields represent a convenient way to store data in the browser and are one of the most common ways of carrying data.

34/59

Pre-requisite

Adversary knows a valid username.

35/59

Step 1: Alice accesses the Forgot password page.

Hidden field populated by username paladiontest.

36/59

Step 2: Alice sets a new password, changes the username to Bob's and clicks on Login.

Username in the hidden field is changed from paladiontest to paladiontest1.

37/59

Alice changed Bob's password.

Your password has been changed.

38/59

Solution

No critical data should be stored in hidden fields. The application should link the user ID to the session information of the user.

39/59

#4.2 Variables in URL

40/59

Variables in URL

Applications send parameters through the query string.

41/59

Pre-requisite

Adversary knows a valid username.

42/59

Step 1: Alice accesses the forgot password page using a web proxy.

Username in URL

She inputs a new password and clicks Submit.

43/59

Step 2: Alice intercepts the request through the proxy.

Username in request

44/59

Step 3: Alice changes the username to Bob.

Username changed to bob

45/59

Solution

No critical data should be sent in the query string. The application should link the user ID to the session information of the user.

46/59

#4.3 Improper Processes

47/59

Improper Processes

Different ways to implement the forgot password feature:

- Secret question
- User details

48/59

Pre-requisite

Social engineering techniques are applied.

49/59

Step 1: Alice inputs Bob's name into the username field and clicks on the Forgot password link.

50/59

Step 2: Alice fills in Bob's information.

51/59

Step 3: Alice enters the guessed answer.

52/59

The new password

53/59

Solution

Short-lived, one-time-use, SSL-enabled link mailed to the user.
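An added example (not from the slides) applying the solutions of 4.1, 4.2 and 4.3 together: the account under reset is fixed on the server when the link is issued, any username carried by a hidden field or query string is ignored, and the mailed link token is short-lived and single use. The URL, user store, TTL and token size are assumptions.

```python
# Added example (not from the slides): forgot-password flow applying the
# fixes for 4.1, 4.2 and 4.3 at once. The account is bound server-side when
# the link is issued, a username supplied by a hidden field or URL parameter
# is ignored, and the link token is single use and short lived.
# URL, user store and TTL are constructed assumptions.
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60                           # short lived
PASSWORDS = {"bob": "bob-old", "alice": "alice-old"}  # constructed store
_reset_tokens = {}                                    # token -> (username, expiry)


def request_reset(username, now=None):
    """Step 1: user asks for a reset; the server mails (here: returns) a link.
    A real response page says 'check your mail' whether or not the user
    exists, so the return value is never shown to the requester."""
    now = time.time() if now is None else now
    if username not in PASSWORDS:
        return None
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (username, now + TOKEN_TTL_SECONDS)
    return "https://example.test/reset?token=" + token   # sent over HTTPS only


def _consume(token, now):
    """Look the token up in constant time per entry and delete it: one use."""
    for stored in list(_reset_tokens):
        if hmac.compare_digest(stored, token):
            username, expiry = _reset_tokens.pop(stored)
            return username if now <= expiry else None
    return None


def complete_reset(token, new_password, claimed_username=None, now=None):
    """Step 2: the link alone proves identity. claimed_username stands for
    whatever a hidden field or query string carried and is never used."""
    now = time.time() if now is None else now
    username = _consume(token, now)
    if username is None:
        return False
    PASSWORDS[username] = new_password
    return True
```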

54/59

#5 SQL Injection

55/59

The SQL Injection

- A well known attack
- Specially crafted input manipulates the SQL query
- Attackers can manipulate the database

56/59

Step 1: Alice logs in and accesses the Change password page.

Enter the string test123';-- in the new Password field.

57/59

The Attack

The password is reset for all users.

The query

UPDATE SET Password = 'test123';-- WHERE Username = 'alice' and old_Password = 'alice123'

58/59

Solution

- Strong input validation: maintain a white list
- Parameterized queries
- Parameterized stored procedures
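The change-password query from the slide, as an added example (not the slides' own code), run against an in-memory SQLite database in its concatenated form beside a parameterized form; the table name, column names and rows are constructed, since the slides do not show them.

```python
# Added example (not from the slides): the change-password UPDATE built by
# string concatenation beside its parameterized form, run on SQLite.
# Table and column names are constructed; the slides do not show them.
import sqlite3


def make_db():
    """Constructed user table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice123"), ("bob", "bob456")])
    return con


def change_password_vulnerable(con, username, old_password, new_password):
    """Input is pasted into the statement: a quote closes the literal and
    '--' comments out the WHERE clause, so every row is updated."""
    sql = ("UPDATE users SET password = '" + new_password + "' "
           "WHERE username = '" + username + "' AND password = '"
           + old_password + "'")
    return con.execute(sql).rowcount  # rows changed; 1 is the only sane value


def change_password_safe(con, username, old_password, new_password):
    """Placeholders keep the input as data; the WHERE clause always applies."""
    sql = "UPDATE users SET password = ? WHERE username = ? AND password = ?"
    return con.execute(sql, (new_password, username, old_password)).rowcount


def passwords(con):
    """Current stored passwords, for checking the effect of each version."""
    return dict(con.execute("SELECT username, password FROM users"))
```

Checking that the UPDATE touched exactly one row is a cheap server-side guard that would have flagged the mass reset on the slide even before the query was fixed.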

59/59

Thank You!!