OWASP

Course
Time
4 hours 32 minutes
Difficulty
Beginner
CEU/CPE
5

Video Transcription

00:00
Hi, everyone. Welcome back to the course. In the last video, we wrapped up our lab on injection flaws and attacks. Specifically, we focused on SQL injection and command injection, and then our last lab was HTML injection, just to give you an idea of what that looks like. Now, in the last module, we focused primarily on SQL injection. We talked about that a little bit. It's just the most prevalent
00:20
type of injection attack that we see, at least in the wild.
00:25
So in this video, we're gonna talk about broken authentication. We'll talk a little bit about what it is, what we're talking about here, as well as some ways we can mitigate it.
00:33
So we'll start off with a quick pre-assessment question here that everyone should hopefully get, even if you're not working in cyber security. This is kind of a common sense one.
00:40
So authentication weaknesses can be seen in the form of weak passwords. From this particular list, choose the weakest password. Which one do you think on this list is the weakest password?
00:51
If you guessed answer D, you are correct. Now, another answer is also a weak password. However, answer D is gonna be the best answer in this particular scenario, with it just being "password one". Now, the reason that other answer is a weaker password is that it's a phrase, right? So it's a common phrase that you might hear spoken in the English language. You know, "the cat ran up a tree",
01:10
"the cat ran up the tree",
01:11
and so that might be something that is potentially already hashed out and on a wordlist someplace that an attacker could use to break your password.
01:21
But definitely "password one" is one of the easiest ones out there. And unfortunately, a lot of people, even people with administrator accounts, are using easy passwords like that. So don't be like them. Do not do that. Make a complicated password.
01:34
What are our learning objectives? As I mentioned, we're talking about what broken authentication is, how to check for it, and ways to prevent or mitigate against it. We're going to start off with the risk rating. So in each of these videos, as I mentioned before, we're gonna talk about the risk rating from OWASP,
01:49
and what each one is rated at, you know, what each vulnerability or security risk on the list is rated at.
01:56
So we see here that we've got a couple of what we call the "oh no" type of ones. So for the exploitability and the technical impacts, we see we've got a three in there, and the red coloring indicates that it's something very important and not very good. So weakness prevalence, now
02:13
we're gonna talk about prevalence in a second. So it's listed as common on this particular risk rating. However, it's actually a pretty widespread type of issue, and mostly because of the design and implementation of how the identity and access controls are functioning.
02:30
So what is broken authentication? Well,
02:34
basically, the application functions that are related to authentication and session management,
02:39
many, many times, unfortunately, we see that they're implemented incorrectly. So that may be due to lack of training, or someone saying, "Oh, yeah, I know how to set this up," and then they have no clue. It also could be that you may not
02:53
be able to use, like, the out-of-the-box instructions from the vendor on that particular solution, because your situation may be different. So that's where experience and that sort of stuff comes in, and asking the vendor, basically holding them accountable, to show you exactly what you need to set up for your particular organization.
03:13
So what broken authentication does, if we implement it incorrectly, if we have implemented, excuse me, authentication incorrectly, then broken authentication allows the attacker to get things like our passwords, keys, you know, for our encryption or communication exchange, and then our session tokens as well,
03:30
and what that allows the attacker to do is take over our identity, right? So our identity as a user,
03:35
or as a system, they could take that over. And then from there, you know, move vertically through the network, compromise other systems, et cetera, et cetera.
03:45
So as I mentioned, the prevalence is pretty widespread, and I've already talked about the fact that that's related to the specific design and implementation of the majority of identity and access controls.
03:54
How do we check for it? What kind of things do we do? Well, if our system allows automated attacks, so you know, things like credential stuffing, which is where an attacker has a list of usernames and passwords and basically, as the name implies, stuffs those into the application in the hopes of logging in,
04:13
or, you know, brute force, the difference there being
04:15
that in credential stuffing, the attacker has a known list of usernames and passwords, so they know these usernames and passwords are valid, or at least have been valid at some point, whereas brute force is literally trying every type of character, hence the name that I put up here as far as, like, how long it takes.
04:33
And it does take a very long time to do brute force.
04:38
So that's why you'll see most attackers use, like, wordlists and that sort of stuff to try to cut down that time.
04:44
Or if your application permits weak passwords, right? So that's another way that we can see that we're probably vulnerable to broken authentication. If there's weak credential recovery, so by that I mean that it is pretty easy for me to come in as an attacker and pretend I need a password reset for you, and get that information and, you know, be able to reset your password.
05:03
If we're not using multi-factor authentication, that's another way that, you know, we can pretty much say, like, okay, our system is vulnerable to this particular type of attack.
05:13
If, in the URL, we're putting the session IDs, which we should never do, and if we're not rotating our session IDs as well, or reusing the same session ID, that's a potential vulnerability for an attacker to come in and take over our session.
05:26
So the impact: again, the impact specific to your organization is going to be based off your particular organization. But some of the generalized ones: after the criminal attacker gets our information, they can potentially do things like identity theft, you know, and Social Security fraud. They could take our sensitive information or, you know, our IP, our intellectual property,
05:46
as a company,
05:46
and in some instances, depending on what your organization is, so, for example, if you're in the financial industry, in a bank or something, there's a potential for money laundering as well.
05:56
So you know, if the criminal attacker takes over, like, a couple of bank accounts, let's say they took over your bank account, they may be able to launder money through it to another account. And, you know, at the end of the day, you'd better be able to prove that you had no idea what was going on.
06:10
You'll actually see that particular thing, not necessarily with, well, you'll see it with broken authentication, but I digress for a second here, you'll see it with a lot of those scams where they'll call, like, elderly people, or just people in general, and say, "Hey, you've
06:23
you know, this old debt that you have that, you know, technically, they can't collect on, depending on where you live at. But,
06:30
you know, hey, you've got this old debt you've gotta pay right away or you're going to jail." And then a lot of times what they'll have done, the attackers or these criminal gangs, is they'll have taken over bank accounts already, so they'll give you a legitimate bank account, like here in the United States, and you'll send the money to that or whatever, you know, in a panic,
06:46
and then what they will do is immediately wire it offshore someplace and keep wiring it around so the feds can't get them.
06:51
But at the end of the day, you know, that person's bank account was compromised.
06:56
You know, in that situation I just described, they probably will not be culpable. But in a situation like this, where you may have negligence that caused money laundering to occur, depending on your particular area, that may be a crime. So just keep that in mind.
07:12
Again, not legal advice. I'm not an attorney. Do not take that as legal advice. But I just want you to be aware of different situations of how that's applicable.
07:20
So let's prevent this stuff, right? Let's mitigate these risks here. Let's get rid of this broken authentication stuff and make our systems better.
07:27
So how can we do that stuff? Well, two-factor authentication or multi-factor authentication, that's a very good way to do so. So, for example, I log in with my password, and then I get a text message or something saying, "Hey," you know, or even better, a session token, like using Google or something like that where I could just look up and get a temporary code, and then I could put that in. And then I've authenticated
07:46
that I'm actually me.
07:48
Rate limiting. So we talked about, you know, multiple login attempts. So that's what rate limiting is, basically: after X number of failed login attempts, it'll lock out the account so an attacker couldn't just brute force it and get in and find their way in.
08:01
If sessions are idle, we want those to time out. We don't want to leave that open for an attacker to get. We want to secure cookies, you know, to make them more secure. Basically, what that means is we're making them use a secure transmission for the cookie.
08:15
Changing default credentials or usernames and passwords for admin accounts: we want to change that basically immediately, using strong passwords, and along those lines, we could take a look at NIST 800-63B, and that will have some good information there about, you know, password length, complexity, and even rotation policies as well.
08:33
So just one quick post-assessment question here. Roberta is a security engineer for Halliburton. What she's trying to do is reduce the organization's risk of a broken authentication attack. So which of the following is not a way of reducing the likelihood of this particular type of attack?
08:50
So if you guessed answer D, this one is pretty easy. If you guessed answer D, you are correct. Obviously, we just talked about two-factor and multi-factor authentication being a way to prevent against this type of attack. If we want to reduce the likelihood of it, we definitely don't want to take that away, right? And of course, all the other ones on the list are ones we talked about as far as ways we can
09:07
potentially prevent or mitigate this particular
09:09
risk.
09:11
All right, so in this video we talked about broken authentication. So in the next video, we're gonna jump into our lab where you'll get to see an actual example of that, and the following module after that will be our sensitive data exposure.

OWASP

Established in 2001, the Open Web Application Security Project (OWASP) offers free security tools and resources to help organizations protect critical apps. Cybrary’s OWASP training course covers the organization’s popular “Top 10” risk assessment.

Instructed By

Ken Underhill
Master Instructor at Cybrary