Broken Authentication & Session Management. What is it ? Bad implementation of authentication...

Preview:

Click to see full reader

Citation preview

Broken Authentication &

Session Management

What is it ?

• Bad implementation of authentication and session management.

• If an attacker can get your session ID, then they can steal your session

• Could happen over unsafe medium.

• Could happen if an attacker can get your password.

Broken Authentication and Session Management - Vulnerabilities

• Password not hashed.

• Weak Password recovery method .

• Exposed Session-Ids’.

• Long session timeout.

• Improper rotation of session-ids’ after logout.

• Sending session-ids’ , passwords over unencrypted connections.

Session Fixation Attack

Broken Authentication and Session Management - Prevention

• Always use https for any authenticated URLs.

• If storing credentials in a database, store them encrypted or hashed.

• Set session timeouts to as low as possible to reduce the risk of exposure to someone who forgets to log out at a public terminal.

• Try to store SessionIds in cookies

• Invalidate session properly

Thank You

Recommended

Web Authentication and Session Management
Documents
Authentication scheme for session password using Images and color
Technology
1 Confidential Authentication Session Hannes Tschofenig
Documents
Authentication Session Hannes Tschofenig
Documents
[MS-SIP]: Session Initiation Protocol Extensions... · [MS-SIP]: Session Initiation Protocol Extensions ... authentication
Documents
Session 13888 WebSphere MQ Channel Authentication Records · 2013. 8. 12. · Session 13888 WebSphere MQ Channel Authentication Records Morag Hughson -hughson@uk.ibm.com N O T E S
Documents
Session Hijacking… · Overview of Session Hijacking Session hijacking refers to the exploitation of a valid com puter session where an attacker takes over a session between two
Documents
Internet Services & Protocols Internet (In)Security (In)Security Dresden, July 10 2006. ... no authentication of IP addresses – Objective: ... – Attacker can obtain both by sniffing
Documents
Session Hijacking - Armstrong State Universitycs.armstrong.edu/rasheed/ITEC4300/Slides15.pdf · • Define session hijacking ... – So that the session authentication takes place
Documents
Session Fixation OWASP Attack sketch Attacker sets victim’s session ID instead of session ID theft Victim authenticates using attacker provided session ID Attacker resumes authenticated
Documents
Analysis of an RFID Authentication Protocol in Accordance ... · Tag impersonation attack occurs when an attacker is between a reader and tags, and the attacker tries to impersonate
Documents
2.0 RELEASE - OWASP Creative Commons (CC) ... Broken Authentication And Session Management A2 Broken Authentication ... 5.6.1 What to Review:
Documents
Cisco Systems 5508 Wireless LAN Controller · PDF fileRADIUS IKE session encryption key, IKE session authentication key, IPSec session encryption key, IPSec session authentication
Documents
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on … · –TLS: 8 Byte / 64 Bit nonce •Joux (2006): Nonce reuse allows an attacker to recover the authentication key
Documents
E-Authentication Overview & Technical Approach Scott Lowery Technical Track Session
Documents
BehavioCog: An Observation Resistant Authentication Scheme · The attacker has to correctly guess the cognitive response and correctly mimic the target user’s gesture. We now see
Documents
Michel Tepper Consultant Westcon Security RSA Authentication Manager Express Technical Session
Documents
Secure Authentication and Session Management in Java EE
Technology
Attacker Economics - F5
Documents
18 a3 broken authentication and session management.pptx
Technology