Hacking Web Sites: Broken Authentication
Emmanuel Benoist
Fall Term 2020/2021
Berner Fachhochschule | Haute école spécialisée bernoise | Berne University of Applied Sciences

Table of Contents
- Introduction
- Examples of Attacks
  - Brute Force
  - Session Spotting
  - Session Fixation Attack
  - Session Hijacking
  - Session Expiration Protection
- Conclusion

Introduction

Broken Authentication
- Account credentials and session tokens are often not properly protected
- A third party can access someone else's account
- The attacker compromises a password, keys or an authentication token
- Risks
  - Undermines authorization and accountability controls
  - Causes privacy violations
  - Identity theft
- Method of attack: use weaknesses in the authentication mechanism
  - Logout
  - Password management
  - Timeout
  - Remember me
  - ...
Examples of Attacks

Brute Force

Brute Force Attack
- Automated process of trial and error
- Guess a person's username and password, credit-card number, cryptographic key, ...
- The attacking system sends a value and waits for the response, then tries another value, and so on
- Often done off-line with extracts of the database
- Can be done on-line on unprotected sites
- Many systems allow the use of weak passwords
- An attacker will cycle through a dictionary (word by word)
  - Generates thousands (potentially millions) of incorrect guesses
  - When the guessed password is OK, the attacker can access the account!
- The same technique can be used to guess encryption keys
  - When the size of the key is small, an attacker will test all possible keys

Brute Force Attack (Cont.)
- Normal Brute Force
  - For one username, the attacker tests many passwords
  - Username = Emmanuel
  - Passwords = 1234567, qwertz, asdfgh, abcd, ...
  - [pet names], [birthdays], [car names], [dictionary], ...
- Lists of known passwords can be found
  - Login credentials, username and password (or hashed passwords), on the Darknet
  - Lists of passwords (without usernames): https://github.com/danielmiessler/SecLists/tree/master/Passwords
Session Spotting

Session Spotting
- The attacker has the possibility to listen to the traffic of the victim
  - Listens to the traffic at the IP level (sniffer)
- Only the login page is secure, the rest of the application is not encrypted
- The client connects to the server http://www.mysite.com
  - Visits a page containing a login form (URL is HTTPS)
  - Receives a cookie containing his session ID
  - Sends his credentials encrypted (HTTPS)
- The attacker receives the following information
  - Session ID
  - Sees that the user has sent his credentials (using an encrypted connection to the server)
- The attacker can use the cookie to be recognized as the legitimate user!

Insecure cookies
- The attacker has the possibility to listen to the traffic of the victim
  - Listens to the traffic at the IP level (sniffer)
- The client connects to the HTTPS server https://www.mybank.com
  - Receives a cookie containing the session ID
  - This cookie is resent each time the browser accesses this site
  - The cookie is linked to an active session on the secure server
- The victim visits a page on the insecure web site http://www.mybank.com
  - To see some advertisement, for instance
  - The cookie (if not "secure") will be sent unencrypted to the server
- The attacker can see the session ID
- The attacker can impersonate the victim
- Solution:
  - Use only secure cookies (set the Secure flag)
  - Do not reuse existing cookies
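An added example, not code from the lecture: a small audit of Set-Cookie headers for the two attributes the slides call for on a session cookie, Secure (the sniffing case above) and HttpOnly (the JavaScript cookie-theft case on the next slide), plus the hardened header a server should emit. The list of cookie names treated as session cookies and the sample headers are constructed for the demo; SameSite=Lax is extra hardening not mentioned on the slides.

```python
from typing import Dict, List

# Assumption: cookie names the audit treats as session cookies (constructed list).
SESSION_COOKIE_NAMES = {"SESSION_ID", "PHPSESSID", "JSESSIONID"}


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag-only attrs map to True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookie(header_value: str) -> List[str]:
    """Return the problems found in a session cookie; an empty list means it is hardened."""
    cookie = parse_set_cookie(header_value)
    if cookie["name"] not in SESSION_COOKIE_NAMES:
        return []  # not a session cookie: out of scope for this check
    attrs = cookie["attrs"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: browser also sends it over http://, where a sniffer reads it")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: injected JavaScript can read and exfiltrate it")
    return problems


def hardened_set_cookie(name: str, value: str) -> str:
    """Set-Cookie value with both flags the slides call for (SameSite=Lax added as extra hardening)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers: the first is the situation the slides warn about.
WEAK_HEADER = "SESSION_ID=1234abcd; Path=/"
STRONG_HEADER = hardened_set_cookie("SESSION_ID", "1234abcd")

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, STRONG_HEADER):
        print(hdr, "->", audit_session_cookie(hdr) or ["ok"])
```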
Insecure cookies
- The attacker can run an XSS attack
  - The victim will execute JavaScript inside the browser
  - The JS will read the cookie
  - The JS will send this cookie to another server
- Solution
  - Session cookies should be HTTP-header only (the HttpOnly flag: not readable from JavaScript)

Session Fixation Attack

Session Fixation Attack
- The attacker creates a session on a web site
  - Sends a request, gets a response containing a cookie (SESSION_ID=1234abcd5678)
  - The attacker needs to keep this session alive (send requests regularly)
- The attacker sends this session ID to the victim
  - Can be included in a phishing email
  - He sends an email containing a reference to the following URL: https://www.ebanking.com/?page=...&SESSION_ID=1234abcd
  - Can be a link: <a href="https://www.ebanking.com/?SESSION_ID=1234abcd">

Session Fixation Attack (Cont.)
- The victim clicks on the given link <a href="https://www.ebanking.com/?SESSION_ID=1234abcd">
- The browser automatically sends the session ID within the request
- Session 1234abcd is used by the victim
- The victim logs in: the session is valid
- When the attacker checks the session, he/she receives the rights of the victim!
Session Fixation Attack (Cont.)
- Do not accept preset or invalid session identifiers
  - This is the door for the Session Fixation Attack
- Reset the session ID when a login occurs

Session Hijacking

Session Hijacking
- Credential/Session Prediction
  - Attackers deduce or guess the session ID
  - Attackers can then use the web site with the victim's privileges
- Rights are stored in a session, only the session ID is used
  - HTTP is session-less: information is not resent in each request
  - Guessing the session ID permits an attacker to be the user

Session Hijacking: Example
- Many web sites generate session IDs with proprietary algorithms
  - Incrementing static numbers
  - Can be more complicated (factoring in time and other computer-specific variables)
- The session ID is sent to the client to link the browser and its session
- An attack can be:
  - The attacker connects to the web site and gets a session ID
  - The attacker calculates or brute-forces the next session ID
  - The attacker switches the value of the cookie and assumes the identity of the next user!
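An added example, not code from the lecture: a minimal server-side session store that applies the defences from the Session Fixation and Session Hijacking slides. IDs come from the CSPRNG rather than a counter, so there is no "next ID" to calculate; an ID the client presents that the server never issued is ignored, so a preset SESSION_ID from a link is not adopted; the ID is replaced at login so the pre-login ID stops working; and an idle timeout drops stale sessions. The SessionStore class, its idle timeout and the replayed scenario are constructed for this demo.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0):
        self._sessions: Dict[str, dict] = {}  # session id -> {"user", "last_seen"}
        self.idle_timeout = idle_timeout  # seconds of inactivity before a session dies

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 random bits: no "next ID" to calculate

    def resolve(self, presented_id: Optional[str], now: float) -> str:
        """Return the session ID to use for this request, never adopting a preset one."""
        sess = self._sessions.get(presented_id) if presented_id else None
        if sess is not None and now - sess["last_seen"] <= self.idle_timeout:
            sess["last_seen"] = now
            return presented_id
        self._sessions.pop(presented_id, None)  # unknown or expired: discard, issue a new one
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, old_id: str, user: str, now: float) -> str:
        """Authenticate and rotate the ID: whatever ID was used before login stops working."""
        self._sessions.pop(old_id, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_of(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def fixation_demo() -> dict:
    """Replay the slides' scenario (attacker-chosen ID 1234abcd) against the store."""
    store = SessionStore()
    victim_sid = store.resolve("1234abcd", now=0.0)  # victim follows the emailed link
    logged_in_sid = store.login(victim_sid, "victim", now=1.0)
    return {
        "adopted_preset": victim_sid == "1234abcd",
        "rotated_on_login": logged_in_sid != victim_sid,
        "attacker_view": store.user_of("1234abcd"),    # attacker checks "his" session
        "pre_login_view": store.user_of(victim_sid),   # ID seen before login
        "victim_view": store.user_of(logged_in_sid),
    }
```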