SlideShare a Scribd company logo

QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма

Q
QAFest

The document discusses authentication (authn) and authorization (authz) in the context of security testing, focusing on their differences and importance in information security. It includes concepts like multi-factor authentication, OAuth 2.0, identity and access management (IAM), and various authentication methods, while providing practical insights and resources. Best practices for improving security and managing access rights are also highlighted along with testing challenges and resources for further understanding.

Education
1 of 69
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
KYIV 2019 AuthN & AuthZ testing: it’s not only about the login form QA CONFERENCE #1 IN UKRAINE
Agenda What’s the difference Authentication and its spectrum Authorization and OAuth 2.0 Identity and Access Management (IAM) and Keycloak Conclusions and trivia quiz
Work at Very Good Security Organize QA Club Lviv Write on Medium About me
To stop confusing it It’s everywhere... and probably in your product You were asked to test a login form at an interview Why do we talk about it?
It’s about security
A2:2017-Broken Authentication (AuthN) A5:2017-Broken Access Control (AuthZ) OWASP 2017 TOP 10
OWASP API Security TOP 10 (end of 2019) A1: Broken Object Access Level Control (AuthZ) A2: Broken Authentication (AuthN) A5: Missing Function/Resource Level Access Control
Even big companies fu*k up: Apple
Even big companies fu*k up: Reddit
How to distinguish?
Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
Boring theory Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what.
Authentication (AuthN)
Authentication (AuthN) Is it really you?
Boring theory Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
AuthN spectrum
AuthN spectrum - Passwords - Cookies - Single Sign-On - Restrict Where and When Users Can Log In - Two-Factor Authentication - Certificate-Based Authentication - Network-based security
AuthN factors
MFA (Multi-factor authentication) Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are)
MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) - event-based - time-based - SMS-based verification => avoid it!
MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) - event-based - time-based - SMS-based verification Reddit issue
Biometric AuthN
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
Single Sign-On (SSO) Log in with a single ID and password to gain access to any of several related systems - reduces password fatigue - reduces IT costs - less time spent re-entering passwords - mitigates risk for access to 3rd-party sites
AuthN security
OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials Apple issue 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
Rainbow tables attack Huge databases of precomputed hashes User Password Password hash (SHA1) Alice password 5baa61e4c9b93f3f0682250b6cf8331b 7ee68fd8 Bob qjnN@*)!bsk dd3fb7f5e7e0b00e0794f0c73d5f3ba5 7197be24 Carrie my_p@s$w0rd! 700c311f7fe171eca2d0bc8f1e13bfa28 8944539 James qwerty123 5cec175b165e3d5e62c9e13ce848ef6f eac81bff
Useful links OWASP cheat sheet http://bit.ly/2NuEqEq Have I been pwned https://haveibeenpwned.com/ Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
Authorization (AuthZ)
Authorization (AuthZ) Who you are and what you can do
Authorization Authorization is the function of specifying access rights/ privileges to resources, which is related to information security and computer security in general and to access control in particular.
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
AuthZ methods Access Control lists (ACL) Access controls of URLs Secure objects and methods
Access control mechanisms ● Attribute-based access control (ABAC) ● Role-based access control (RBAC) ● User-based access control (UBAC) ● Context-based access control (CBAC) ● Rule-based access control ● Time-based access control ...and a lot more
RBAC
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
OAuth 2.0
OAuth 2.0 It’s an authorization delegation protocol, letting someone who controls the a recourse allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service
OAuth 2.0 is ...about how to get the token and how to use the token ...replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable ...focused on a small set of problems and solving them well
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
Trust on first use (TOFU) principle Enter credentials and permissions once Assume correct for future requests May expire over time or user logging May apply across apps
Different levels of trust Whitelist Internal parties Known business partners Customer organizations Trust frameworks ● Centralized protocol ● Traditional policy management Graylist Unknown entities Trust on first use ● End user decisions ● Extensive auditing and logging ● Rules on when to move to the white or black lists Blacklist Known bad parties Attack sites ● Centralized protocol ● Traditional policy management
Tokens Access token - indicates the rights that the client has been delegated. Have an option to expire automatically Refresh token - get new access token without asking for authorization again.
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
Tokens Bearer token - anyone who carries the token has the right to use it.
Scopes A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
OAuth 2.0 and AuthN OAuth doesn’t dictate the AuthN technology, and AuthZ server is free to choose any method. The user authentication passes directly between the user (and their browser) and the AuthZ server; it’s never seen by the client application.
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
AuthZ security
OAuth 2.0 Security A client needs to manage securing only its own client credentials and the user’s tokens. And the breach of a single client would be bad but limited in its damage to the users of that client.
OWASP Testing Guide 1. Directory traversal/file include 2. Bypassing Authorization Schema 3. Privilege escalation 4. Insecure Direct Object References
Useful links OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV OAuth 2.0 security spec http://bit.ly/2P95zyR IDOR testing http://bit.ly/2P95Bqt
AuthZ + AuthN = IAM (Identity and Access Management)
Access Management Authentication ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication Authorization ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization User Management ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service Central User Repository ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory Identity Management Identity and Access Management (IAM): Providing the right people with the right access at the right time
IAM best practices - Immutable Private Identifiers / Mutable Public Identifiers - Decouple Core Information and PII from Transactional Data - Decouple Biometrics from other PII - Externalize Access Control Rules - Self-Expressive Credentials - Privilege Accounts are a Different Species https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
Practice time!
Try on your own Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
Conclusions
Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма
Conclusions For better understanding dig into system Use heuristics to remember smth Use cheat sheets and don’t trust your memory Update your passwords and turn on MFA today
Practice before the next interview
Testing challenges http://testingchallenges.thetestingmap.org/index.php
Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/
Thanks! @diana_pinchuk @pinchuk.diana

More Related Content

DOCX
Sigmund Freud's 'New Introductory Lectures on Psychoanalysis (1932-33)'
Shiva Kumar Srinivasan
 
PDF
Headspace Company Presentation (redo)
Nishant Patel
 
PPS
Lesson 31
Imran Khan
 
PDF
Headspace Company Presentation
Sophia193014
 
PPT
Person Centered Therapy
School Psychology
 
PPSX
Person-Centered Therapy
Caryn Morgan, MAEd AET
 
PDF
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
PPTX
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Dakiry
 
Sigmund Freud's 'New Introductory Lectures on Psychoanalysis (1932-33)'
Shiva Kumar Srinivasan
 
Headspace Company Presentation (redo)
Nishant Patel
 
Lesson 31
Imran Khan
 
Headspace Company Presentation
Sophia193014
 
Person Centered Therapy
School Psychology
 
Person-Centered Therapy
Caryn Morgan, MAEd AET
 
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Dakiry
 

Similar to QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма (20)

PDF
Authentication vs Authorization: Understanding the Key Differences
Kevin Mathew
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
PDF
Auth experience - vol 1.0
Haggai Philip Zagury
 
PPTX
Codemash-2017
Kevin Cody
 
PDF
OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management...
Mehdi Medjaoui
 
PDF
OAuth Base Camp
Oliver Pfaff
 
PPTX
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
PPTX
AbedElilahElmahmoumP1.pptx
AbedElElahElMHMOOM
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PPTX
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
PPTX
Webinar: Goodbye RSA. Hello Modern Authentication.
SecureAuth
 
PPTX
OAuth 2
ChrisWood262
 
PPTX
Access management
Venkatesh Jambulingam
 
PDF
2020-08_The_Evolution_of_Authentication.pdf
FerriantoSuryanto
 
PDF
Centralise legacy auth at the ingress gateway
Andrew Kirkpatrick
 
PPTX
Introduction to Web Application Security Principles
Dr. P. Mohana Priya
 
PPTX
OAuth
Adi Challa
 
PPTX
Identiverse 2019 Security Key Lifecycle
derekhanson13
 
Authentication vs Authorization: Understanding the Key Differences
Kevin Mathew
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
Auth experience - vol 1.0
Haggai Philip Zagury
 
Codemash-2017
Kevin Cody
 
OAuth with OAuth.io : solving the OAuth Fragmentation for Identity Management...
Mehdi Medjaoui
 
OAuth Base Camp
Oliver Pfaff
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
AbedElilahElmahmoumP1.pptx
AbedElElahElMHMOOM
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
 
Securing Web Applications with Token Authentication
Stormpath
 
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
Webinar: Goodbye RSA. Hello Modern Authentication.
SecureAuth
 
OAuth 2
ChrisWood262
 
Access management
Venkatesh Jambulingam
 
2020-08_The_Evolution_of_Authentication.pdf
FerriantoSuryanto
 
Centralise legacy auth at the ingress gateway
Andrew Kirkpatrick
 
Introduction to Web Application Security Principles
Dr. P. Mohana Priya
 
OAuth
Adi Challa
 
Identiverse 2019 Security Key Lifecycle
derekhanson13
 
Ad

More from QAFest (20)

PDF
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QAFest
 
PPTX
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QAFest
 
PPTX
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QAFest
 
PDF
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QAFest
 
PDF
QA Fest 2019. Никита Галкин. Как зарабатывать больше
QAFest
 
PDF
QA Fest 2019. Сергей Пирогов. Why everything is spoiled
QAFest
 
PDF
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QAFest
 
PPTX
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QAFest
 
PPTX
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QAFest
 
PDF
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QAFest
 
PPTX
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QAFest
 
PDF
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QAFest
 
PPTX
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QAFest
 
PDF
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QAFest
 
PDF
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QAFest
 
PDF
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QAFest
 
PPTX
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QAFest
 
PPTX
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QAFest
 
PDF
QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр...
QAFest
 
PPTX
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QAFest
 
QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин
QAFest
 
QA Fest 2019. Анна Чернышова. Self-healing test automation 2.0. The Future
QAFest
 
QA Fest 2019. Doug Sillars. It's just too Slow: Testing Mobile application pe...
QAFest
 
QA Fest 2019. Катерина Спринсян. Параллельное покрытие автотестами и другие и...
QAFest
 
QA Fest 2019. Никита Галкин. Как зарабатывать больше
QAFest
 
QA Fest 2019. Сергей Пирогов. Why everything is spoiled
QAFest
 
QA Fest 2019. Сергей Новик. Между мотивацией и выгоранием
QAFest
 
QA Fest 2019. Владимир Никонов. Код Шредингера или зачем и как мы тестируем н...
QAFest
 
QA Fest 2019. Владимир Трандафилов. GUI automation of WEB application with SV...
QAFest
 
QA Fest 2019. Иван Крутов. Bulletproof Selenium Cluster
QAFest
 
QA Fest 2019. Николай Мижигурский. Миссия /*не*/выполнима: гуманитарий собесе...
QAFest
 
QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...
QAFest
 
QA Fest 2019. Дмитрий Прокопук. Mocks and network tricks in UI automation
QAFest
 
QA Fest 2019. Екатерина Дядечко. Тестирование медицинского софта — вызовы и в...
QAFest
 
QA Fest 2019. Катерина Черникова. Tune your P’s: the pop-art of keeping testa...
QAFest
 
QA Fest 2019. Алиса Бойко. Какнезапутаться в коммуникативных сетях IT
QAFest
 
QA Fest 2019. Святослав Логин. Как найти уязвимости в мобильном приложении
QAFest
 
QA Fest 2019. Катерина Шепелєва та Інна Оснач. Що українцям потрібно знати пр...
QAFest
 
QA Fest 2019. Антон Серпутько. Нагрузочное тестирование распределенных асинхр...
QAFest
 
QA Fest 2019. Петр Тарасенко. QA Hackathon - The Cookbook 22
QAFest
 
Ad

Recently uploaded (20)

PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
Sports Quiz easy sports quiz sports quiz
nikunj2757
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
master seminar digital applications in india
ananyaray35
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Lesson notes of climatology university.
sgladness67
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Pre independence Education in Inndia.pdf
goofy5603
 

QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN & AuthZ): это не только логин форма

  • 1. KYIV 2019 AuthN & AuthZ testing: it’s not only about the login form QA CONFERENCE #1 IN UKRAINE
  • 2. Agenda What’s the difference Authentication and its spectrum Authorization and OAuth 2.0 Identity and Access Management (IAM) and Keycloak Conclusions and trivia quiz
  • 3. Work at Very Good Security Organize QA Club Lviv Write on Medium About me
  • 4. To stop confusing it It’s everywhere... and probably in your product You were asked to test a login form at an interview Why do we talk about it?
  • 6. A2:2017-Broken Authentication (AuthN) A5:2017-Broken Access Control (AuthZ) OWASP 2017 TOP 10
  • 7. OWASP API Security TOP 10 (end of 2019) A1: Broken Object Access Level Control (AuthZ) A2: Broken Authentication (AuthN) A5: Missing Function/Resource Level Access Control
  • 8. Even big companies fu*k up: Apple
  • 9. Even big companies fu*k up: Reddit
  • 11. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
  • 12. Boring theory Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what.
  • 15. Boring theory Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity.
  • 17. AuthN spectrum - Passwords - Cookies - Single Sign-On - Restrict Where and When Users Can Log In - Two-Factor Authentication - Certificate-Based Authentication - Network-based security
  • 19. MFA (Multi-factor authentication) Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are)
  • 20. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) - event-based - time-based - SMS-based verification => avoid it!
  • 21. MFA: phone-based methods - Push-based - QR code based - One-time password (OTP) - event-based - time-based - SMS-based verification Reddit issue
  • 25. Single Sign-On (SSO) Log in with a single ID and password to gain access to any of several related systems - reduces password fatigue - reduces IT costs - less time spent re-entering passwords - mitigates risk for access to 3rd-party sites
  • 27. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
  • 28. OWASP Testing Guide 1. Credentials Transported over an Encrypted Channel 2. Default credentials Apple issue 3. Weak lock out mechanism 4. Bypassing Authentication Schema 5. Vulnerable Remember Password 6. Browser cache weakness 7. Weak password policy 8. Weak security question/answer 9. Weak password change or reset functionalities 10.Weaker authentication in alternative channel
  • 29. Rainbow tables attack Huge databases of precomputed hashes User Password Password hash (SHA1) Alice password 5baa61e4c9b93f3f0682250b6cf8331b 7ee68fd8 Bob qjnN@*)!bsk dd3fb7f5e7e0b00e0794f0c73d5f3ba5 7197be24 Carrie my_p@s$w0rd! 700c311f7fe171eca2d0bc8f1e13bfa28 8944539 James qwerty123 5cec175b165e3d5e62c9e13ce848ef6f eac81bff
  • 30. Useful links OWASP cheat sheet http://bit.ly/2NuEqEq Have I been pwned https://haveibeenpwned.com/ Great self-security checklist from Volodymyr Styran https://github.com/sapran/dontclickshit
  • 32. Authorization (AuthZ) Who you are and what you can do
  • 33. Authorization Authorization is the function of specifying access rights/ privileges to resources, which is related to information security and computer security in general and to access control in particular.
  • 35. AuthZ methods Access Control lists (ACL) Access controls of URLs Secure objects and methods
  • 36. Access control mechanisms ● Attribute-based access control (ABAC) ● Role-based access control (RBAC) ● User-based access control (UBAC) ● Context-based access control (CBAC) ● Rule-based access control ● Time-based access control ...and a lot more
  • 37. RBAC
  • 40. OAuth 2.0 It’s an authorization delegation protocol, letting someone who controls the a recourse allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service
  • 41. OAuth 2.0 is ...about how to get the token and how to use the token ...replaces the password-sharing antipattern with a delegation protocol that’s simultaneously more secure and more usable ...focused on a small set of problems and solving them well
  • 43. Trust on first use (TOFU) principle Enter credentials and permissions once Assume correct for future requests May expire over time or user logging May apply across apps
  • 44. Different levels of trust Whitelist Internal parties Known business partners Customer organizations Trust frameworks ● Centralized protocol ● Traditional policy management Graylist Unknown entities Trust on first use ● End user decisions ● Extensive auditing and logging ● Rules on when to move to the white or black lists Blacklist Known bad parties Attack sites ● Centralized protocol ● Traditional policy management
  • 45. Tokens Access token - indicates the rights that the client has been delegated. Have an option to expire automatically Refresh token - get new access token without asking for authorization again.
  • 47. Tokens Bearer token - anyone who carries the token has the right to use it.
  • 48. Scopes A set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
  • 49. OAuth 2.0 and AuthN OAuth doesn’t dictate the AuthN technology, and AuthZ server is free to choose any method. The user authentication passes directly between the user (and their browser) and the AuthZ server; it’s never seen by the client application.
  • 52. OAuth 2.0 Security A client needs to manage securing only its own client credentials and the user’s tokens. And the breach of a single client would be bad but limited in its damage to the users of that client.
  • 53. OWASP Testing Guide 1. Directory traversal/file include 2. Bypassing Authorization Schema 3. Privilege escalation 4. Insecure Direct Object References
  • 54. Useful links OWASP http://bit.ly/31Zo4Hz and http://bit.ly/2MI6NPV OAuth 2.0 security spec http://bit.ly/2P95zyR IDOR testing http://bit.ly/2P95Bqt
  • 55. AuthZ + AuthN = IAM (Identity and Access Management)
  • 56. Access Management Authentication ● Single Sign-On ● Session Management ● Password Service ● Strong Authentication Authorization ● Role-Based ● Rule-Based ● Attribute-Based ● Remote Authorization User Management ● Delegated Administration ● User and Role Management ● Provisioning ● Password Management ● Self Service Central User Repository ● Directory ● Data Synchronization ● Meta Directory ● Virtual Directory Identity Management Identity and Access Management (IAM): Providing the right people with the right access at the right time
  • 57. IAM best practices - Immutable Private Identifiers / Mutable Public Identifiers - Decouple Core Information and PII from Transactional Data - Decouple Biometrics from other PII - Externalize Access Control Rules - Self-Expressive Credentials - Privilege Accounts are a Different Species https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
  • 59. Try on your own Keycloak https://www.keycloak.org/docs/latest/getting_started/index.html
  • 63. Authentication (AuthN) Is it really you? Authorization (AuthZ) Who you are and what you can do
  • 65. Conclusions For better understanding dig into system Use heuristics to remember smth Use cheat sheets and don’t trust your memory Update your passwords and turn on MFA today
  • 66. Practice before the next interview
  • 68. Use `big list of naughty strings` https://github.com/minimaxir/big-list-of-naughty-strings/