The Shepherd Project: Automated security audits of web login processes (PowerPoint PPT presentation)

  1. The Shepherd Project — Automated security audits of web login processes

  2. Benjamin Krumnow
  • Employee at the TH Köln
  • External PhD student (50%) at the OU (~2 years)
  • H. Jonker, M. Van Eekelen, H. Vranken, S. Karsch
  • Joined the Shepherd project in Feb/Mar 2017
  • Karate, surfing, hiking & caving
  • Vegetarian
  • Fascinated by information security and privacy
  Benjamin Krumnow, 27th March 2018

  3. Project Members
  • Marc Sleegers: initial project “Shepherd” [1]; B.Sc. in 2017
  • Hugo Jonker: supervision in all projects
  • Jelmer Kalkman: Bachelor project; Single Sign On and refactoring
  • Alan Verresen: Bachelor project; Single Sign On and refactoring

  4. Background: Login Process

  5. Background: Login Process
  [Diagram: User Agent (Browser) ↔ Server. The browser sends credentials; the server answers with session cookies; every later request carries the session cookies and receives a response …]

  6. Motivation: Firesheep 2010 [2]
  • Login process via an unencrypted channel
  • Session can be hijacked or accounts stolen
  [Diagram: local (Wifi) network vs. outside world; traffic flows Wifi user Alice → WiFi (Router) → Web Server]

  7. Motivation: Firesheep 2010 [2]
  • Login process via an unencrypted channel
  • Session can be hijacked or accounts stolen
  • Automated capturing of session cookies
  • Hijacking sessions by a “click”
  • Popular services like Facebook, Google and co. fixed this issue!
  [Diagram: unencrypted or weak encryption on the Wifi; Wifi user Alice → WiFi (Router) → Web Server, with a Firesheep user on the same Wifi]

  8. It’s 2018! What has changed since then?
  • Encryption
  • Browser extensions and developments (cookie flags, HSTS, HPKP)
  • New possible login mechanisms (Single-Sign-On, HTTP bearer tokens)
  [Diagram: Wifi user Alice → WiFi (Router) → Web Server, now with WPA & WPA2 on the Wifi and HTTPS to the server; Firesheep user on the Wifi]

  9. Research questions: How much have login process security measures been adapted?

  10. How much have login process security measures been adapted?
  1. Are these vulnerabilities still valid?
     —> Evaluate session stealing attacks in a lab and in the wild
     —> Evaluate attacks on Single-Sign-On based sessions

  11. Evaluation of vulnerabilities
  • Three kinds of vulnerabilities evaluated in a lab:
  1. All over HTTP -> leaks even the credentials
  2. HTTPS for the login and fallback to HTTP afterwards
  3. All over HTTPS, but the session cookie misses the secure flag; a single HTTP request is sufficient for the attack
  [Diagram for each case: User Agent ↔ Server; credentials, session cookies, request (session cookies), response]

  12. Automatic attack
  1. Become a MITM on the network layer
     • ARP spoofing attack to re-route traffic (IPv4 only!)
     • Modify packet IP addresses
     • See [10] for more MITM attacks
     [Diagram: regular traffic Wifi user Alice → WiFi (Router) → Web Server; attacker Eve announces “I am your gateway!”]
  2. CSRF attack with modifying HTML sent over HTTP
     • Injecting elements in the HTTP response within an HTML body
     • (Capture cookies)
     • <link type="text/css" href="http://target_url/style.css">
     [Diagram: Wifi user Alice → WiFi (Router) → Web Server, attacker Eve in the path]

  13. Does that work for Single-Sign-On?

  14. Attacking sessions established with OAuth
  • Example OAuth flow
  [Diagram: parties are the User Agent (User), cute.animals.com (Service provider) and Facebook (Resource/Authorisation Server). Messages in order: Authorisation Request, Authorisation Grant, Authorisation Grant, Access Token, Access Token, Protected Resource]

  15. How much have login process security measures been adapted?

  16. How much have login process security measures been adapted?
  1. Are the vulnerabilities still valid?
     —> Evaluate session stealing attacks in a lab and in the wild
     —> Evaluate attacks on Single-Sign-On based sessions
  2. How many sites are still vulnerable to such attacks?
     • We need to look at the cookies
     • Analysing websites with Single-Sign-On logins for “homegrown” sessions
     —> Build a scanner for websites to search for possible session attacks

  17. Scanning the web for login process security

  18. The scanner at a glance
  • Preparation stage: Collect websites; Acquire credentials
  • Login stage: Find login pages; Attempt to login; Verify login
  • Deduction stage: Identify auth cookies; Execute security scans

  19. Preparation stage
  • Collect websites: Alexa Top 1 Million web sites
  • Acquire credentials:
    • BugMeNot (BMN) - service with user-generated credentials
    • Single-Sign-On (SSO) credentials
    • Importance: unique criteria, and the study is not biased by relying on the BMN database

  20. Login stage
  1. Traverse web sites
     • Assumption: login page is reachable from landing page
     • Landing page, urls, clickable elements, brute force, urls 2nd level
  2. Coverage of 4 login types

  21. Login stage
  3. Verify successful logins
     • Disappearing of the password field
     • Getting blocked, account is restricted, captchas, page switch
     • Presence of account details, keyword “logout” or login area

  22. Deduction stage
  • Finding authentication cookies
    • Working verification function necessary
    • Eliminate cookies which do not contribute to the login
    • Previous work as solution: Mundada et al. (2016) and Calzavara et al. (2014) [7,8]
    • Large search space, because any subset is possible (2^n, exponential in n)
    • Fast reduction by removing supersets of A and all subsets (power set) of ¬A; B is a superset of A (B ⊇ A) [6]
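The pruning on slide 22 as runnable code. This is an added example, not the Shepherd scanner's own code: the verification function is simulated by a constructed oracle (`make_oracle`, hypothetical) that treats a session as authenticated when a fixed set of cookies is present, and the algorithm assumes login status is monotone in the cookie set (adding cookies never logs you out).

```python
from itertools import combinations

# Constructed sample cookie jar, as the scanner would collect it after a login.
SAMPLE_COOKIES = ["_ga", "sid", "csrftoken", "lang", "remember", "tracking"]

def make_oracle(required):
    """Simulated verification function (hypothetical stand-in for replaying a
    request with only `subset` attached). Also returns the list of queries."""
    required = frozenset(required)
    calls = []

    def is_logged_in(subset):
        calls.append(frozenset(subset))
        return required <= frozenset(subset)

    return is_logged_in, calls

def deduce_auth_cookies(cookies, is_logged_in):
    """Smallest subset of `cookies` that keeps the session authenticated.
    Assumes monotonicity. Walks the power set by decreasing size with the two
    rules of slide 22: every subset of a failed set A (¬A) fails, so it is
    skipped without a query; every superset B ⊇ A of a working set works, so
    once a whole level has no working set, nothing smaller can work either."""
    jar = sorted(cookies)
    best = frozenset(jar)
    if not is_logged_in(best):
        return None                      # verification function not working
    failed = []                          # sets known to be insufficient
    for size in range(len(jar) - 1, -1, -1):
        level_worked = False
        for combo in combinations(jar, size):
            cand = frozenset(combo)
            if any(cand <= bad for bad in failed):
                continue                 # subset of some ¬A: cannot work
            if is_logged_in(cand):
                best, level_worked = cand, True
            else:
                failed.append(cand)
        if not level_worked:
            break
    return best

def demo():
    """Run the deduction on the sample jar: (auth cookies, queries made, 2^n)."""
    oracle, calls = make_oracle({"sid", "csrftoken"})
    found = deduce_auth_cookies(SAMPLE_COOKIES, oracle)
    return sorted(found), len(calls), 2 ** len(SAMPLE_COOKIES)
```

With six cookies the search needs 18 oracle queries instead of the 64 of the full power set.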

  23. Deduction stage
  • Execute security scans
    • Cookie flags: SameOrigin, Secure, HTTPOnly
    • HSTS and HPKP detection
    • Cookie fixation
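The security scans of slide 23 (and the missing-secure-flag case of slide 11) over a captured response, as an added example that is not the project's code. The headers and cookie values are constructed; `AUTH_COOKIES` stands for the output of the deduction step, and the fixation check implements one reading of "cookie fixation" (an auth cookie whose value is not renewed by the login), which is an assumption.

```python
# Constructed sample: response headers as captured after a successful login.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=9f3c1a; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=77ab; Path=/; Secure"),
    ("Set-Cookie", "remember=1; Path=/; Max-Age=2592000"),
]
AUTH_COOKIES = {"sid", "csrftoken"}     # output of the deduction step (assumed)

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value});
    attribute names are lower-cased, flags such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def scan_headers(headers, auth_cookies):
    """Slide-23 checks on the authentication cookies only: which of the
    Secure / HttpOnly / SameSite attributes each one lacks, plus whether the
    HSTS and HPKP headers are present (HPKP is obsolete, kept for parity)."""
    names = {k.lower() for k, _ in headers}
    report = {"hsts": "strict-transport-security" in names,
              "hpkp": "public-key-pins" in names, "cookies": {}}
    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(val)
        if name in auth_cookies:
            report["cookies"][name] = [f for f in ("secure", "httponly", "samesite")
                                       if f not in attrs]
    return report

def session_fixated(before, after, auth_cookies):
    """Cookie fixation check (assumed meaning of the slide's 'cookie fixation'):
    an auth cookie whose value existed before the login and was not renewed.
    `before`/`after` map cookie names to values pre- and post-login."""
    return sorted(n for n in auth_cookies
                  if n in before and n in after and before[n] == after[n])
```

On the sample, `sid` passes all three flag checks while `csrftoken` is reported without HttpOnly and SameSite; a cookie that is missing Secure on an HTTPS-only site is exactly case 3 of slide 11.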

  24. Performing the study

  25. The study
  1. Build credential pool for logging in
     1.1. Creating fake Single Sign On (SSO) accounts
     1.2. Source credentials from BugMeNot with a static scanner
  2. Scanning with a dynamic scanner (Selenium)
     2.1. ~65K domains with BugMeNot credentials
     2.2. Alexa top 1 Million with SSO credentials

  26. Overview
  • BugMeNot sourcing
    • No. of credentials: 131,034
    • No. of sites: 50,840
    • Refresh before scan
  • Alexa 1M (late Feb)
    • No credentials for: ~949K
    • Errors: 222
    • Error 404 - bug
  Sites with credentials within the Alexa 1M, by rank (bar chart):
    < 100k: 18,352
    < 200k:  8,154
    < 300k:  6,433
    < 400k:  4,423
    < 500k:  3,464
    < 600k:  2,584
    < 700k:  2,326
    < 800k:  1,912
    < 900k:  1,804
    < 1M:    1,388

  27. BugMeNot: old vs new set
  • Previous results (late Oct) vs. fresh Alexa Top 1M dataset: ~59K domains vs. ~50K
  • 14,888 domains were missing in the new set
  • 6,118 new sites
  • Overall: 65,728 domains

  28. Scanning

  29. Runtime performance
  • 2 servers, 5 browser instances each: ~7,500 sites per machine a day
  • Average scanning time: 61 seconds
  • Average performance to find session cookies
    • Duration: 51 seconds
    • Executions: 11.7 (∅ 8 cookies)
    • Session cookies found: 1.5
  • SSO scanner still under development
    • Currently limited to Facebook
    • Today: early results with 500 websites
    • Goal before the conference: 100K

  30. Performance of the scanner
  Procedure             | BMN                 | %                          | SSO  | %
  Sites scanned         | 65728               |                            | ~300 |
  Login page detected   | 38421               | 58%                        | 79   | 26%
  Authenticated         | 11445               | 18% (of 61K), 29% (of 38K) | 35   | 44%
  Verified              | LP: 4790 / LA: 5858 | 41% / 51%                  | 7    | 20%
  Session cookies found | 6378 (7105)         | 89%                        | -    | -
  Failed scans          | 4449                | 6%                         | -    | -
  Captchas              | 2341                | 3%                         | -    | -

  31. Security Results (BMN)
  Check                      | Deducted (11445) | %    | Detection (6379) | %
  HSTS¹ header               | 1416             | 12%  | 5521             | 77%
  HPKP² header               | 76               | 0.6% | 43               | 0.6%
  No SameSite cookies        | 0                | 0%   | 0                | 0%
  No secure flags (but HSTS) | 6086 (214)       | 53%  | 2693 (50)        | 42%
  No HTTPOnly cookies        | 4907             | 42%  | 2639             | 41%
  Fixation                   | 736              | 6.4% | 175              | 2.7%
  1) HTTP Strict Transport Security  2) HTTP Public Key Pinning

  32. False-Positives and False-Negatives
  • Chances for false-positives and false-negatives
    • Login page found, login success, verifying
    • Websites with credentials but no login
    • Password fields can disappear
    • Simple usernames
  • Checking false-positives
    • Reproducing runs is time consuming
    • Storage of pictures (disk space, visible signs)
    • Current solution: confidence level
