A2: Broken Authentication

00:00

Hey, everyone, welcome back to the course. So in this video, we're gonna talk about broken authentication, so we'll talk about what it actually is. We'll talk about some use cases, and what that really means is we're gonna talk about ways that this could occur,

00:13

and then we'll also talk about ways we can prevent or mitigate against it.

00:17

So what is broken authentication? Well, basically, this is where we have poorly implemented a p I authentication, and that allows an attacker to assume someone else's or some other users identity.

00:29

So how do you like, How could this actually happen?

00:32

Well, we could have

00:35

AP eyes that we consider in quote unquote internal, and so that we might leave those a little more unprotected than are publicly facing once. And so that might be a way that the attacker exploits this. We could have weak authentication that doesn't actually follow the best practices of the industry.

00:51

We could have weaker a P I keys or we could also not be rotating r a p I keys.

00:56

We could have weaker passwords.

00:59

We could also have a P eyes that are susceptible to you brute force attacks or things like credential stuffy.

01:03

We could have credentials and keys just in the u. R L

01:08

We could also have where we don't actually validate the token. So when the attacker sends it and says, Hey, I'm Suzy and we don't actually validate that it that is Susie, that's sending us that toke it.

01:22

So how can we prevent or mitigate this type of attack?

01:26

Well, number one weaken taken inventory, right? So what that means is we assess all possible ways,

01:32

uh, that weaken that that we can authenticate to r AP, eyes that were using and so we can kind of determine the attack surface. From there,

01:40

we could use token generations a random tokens as well ish make sure their short lives. So that just means that there's a short amount of time that that token is actually valid.

01:49

We could use things like multi factor authentication. We can also make sure we authenticator app so some white listing

01:57

and we can use rate limiting. So for the authentication. And so basically, as there's ah lot of different attempts, rate limiting says there can only be so many attempts and this certain time period from this particular I p address for this origins area.

02:13

So just a quick quiz question. Broken authentication is not caused by a lack of a P I key rotation. Is that true or false?

02:22

All right, so that's false, right? We talked about

02:24

many different ways that someone could exploit this. And so one of the ways was that we're not rotating r A P I Keys also, that we're using a weaker A p I key. Some other common ones are things like with your passwords or ah, having the credentials or keys or other information in the U. R. L.