Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Transcription

00:00
Hello. My name's I happily welcome to the overview off secure code in
00:05
broken authentication. Vulnerability is actually the number to the top, then orbs. Vulnerability East off 2007. Think it's all gonna be looking at? The intruded causes the scenario Impact prevention on some police questions. Now it broke not the indication jackpot is actually launched. When a dog has alleged Smits is up.
00:24
For somebody to be able to log in other legitimate issues, I simply means he has the user name on the possible combination.
00:30
Now, where did you get the user name and password? E. Most actually must have actually opted out from the dark web and mask. That's that's when he has a long pissed off that they sell it on the top with, Does it? Then no one is
00:43
he got actually get up by using on already loaded in session. Like you log into your camp. You know, leave your desk and a pack of comes in there and I just the section or simply picks up. You're resigning. My possible on our own is by using defaults, logging because most of the time he knows
00:59
a lot of people don't change The defaults credentials are shipped with some of the system. So we actually tests that are not seen on. Nobody knows who is actually behind such longing here. There's actually authentication because it is in
01:14
really use animal password because the credentials actually correct. Yes, both the ghost is off. The credentials are No, no, is identities unknown? So, in this case with them, that broken authentication credentials operate by his identity is unknown under his actual authentication.
01:30
That's what we call broken authentication. Now what? Because this off some of this is
01:36
want long list of yours Johnny Martelli appointed doctor. If such was not available on the dark Web, there might not be anything like broken out and special holiday on his SQL injection.
01:48
You can actually try SQL injection on some forms. You notice that you gets in there, nobody will know what's actually signed in. But in that case, you can actually be authenticated on dazzle called broken authentication. Right on is by using default username and password. You know, people don't change. It defaults Logan's
02:07
that are shipped with some of the systems
02:08
without deter bees or operating system or any other thing that I don't want his bath session management. Yeah, in this case are about special management. Somebody looks in to a Dutch boat on dhe doesn't contain sensitive information, are most of the time. You probably leave
02:27
your days to do a couple of things on our comes in there, sees your touch, but with no sensitive information, including your username and password. It just picks it up on,
02:35
leaves your desk so it gets a log in from elsewhere. So that is how it's what those are the causes or broken authentication. Now, we're going to think if you cut out, some of these things can actually be explained that we're going to become one, and that's called bad decision. So unless I'm going to look into
02:53
on our accounts on we club
02:55
here are the wide free on bond. I just wanted to be actually built with clubs to be able to get some of these vulnerabilities. So here are signing also I signing so you can see you have the longest off. All those vulnerabilities is there, So prevents Luca SQL injection. Unauthorized Logan.
03:15
So once you click that it's comes up. So here we're going through Logan as alleged snitches offer. It's not like I'm going to use a white three, then wanted it. So here I have submitted can see Now that beach come on
03:31
is thinking for against the Cassidy peasants it now this is my age. This is my possible.
03:38
Now this is my credit card details. Or do this office the show's wants anyway. So my credit captain balance on all of that. Now I now decides to leave my desk with the Obama. Nobody will come day on our back and simply constant and checks. Here's your personal would be You can access the next up
03:57
blah, blah, blah a show you want attitudes I know exposed.
04:00
Now there are a couple basic information. Wow, username and password. It just picks, starts around Siri and also has the opportunity of lichen on the credit card natives. It picks all of those things. I just not paying them. He doesn't even need to write just fixes for asking. All these are move. So we so that's is it. But this is dangerous.
04:18
They develop passion put into consideration that youse are sometimes not forget. I live that this I want they leave their desk, anybody can come pick it. Oh, so this is a big problem. It's an issue now. What should and what shouldn't develop are in decades During this case, if you are If you develop I in this case that actually puts a timer
04:39
Nice session. I'm Alesci
04:41
after everything off 15 seconds. Is science out or the system automatically lock? Zero that would have been better at Takao Unleased will reduce the tendency off banana a car coming to pick some of these details. Now I'm going to show you what I did on the other pitch to about this kind of situation.
05:00
I call this session primal solution
05:01
here. Winds longing a Y three
05:05
on here wanted three. Now what's I loved me. You look Is that decision by mouths is nine. It's actually tensor concept. Was the sister again? See if I am busy. It took about tonight. It simply means
05:19
the stem understands that I'm still walking. But I stopped walking. You notice that it's keeps reducing until he gets to zero.
05:27
So introduces the attendance of coming to pick my details. I guess it is this your section of the expanse so even live in that place. It's just only session inspired and it's automatic. Alan loved me out because I'm not there. So this Darla would actually comes up just for me to be able to show, you know, Molly,
05:46
it's not sure, you know. It's just like your heart is knocking,
05:48
so it wants a quick Okay, you can see are out. That's exactly how to prevent one of those ways off. Also prevent such problems. That's is it. Now, what are the impacts are broken authentication. One is money laundry. You guys see, I saw the credit card. Details of that person when he left is this
06:06
You be able to see all of this information. I can actually use that smooth money from his account
06:12
inside our credit card fraud is on our side of credit card details. Identity theft is on our information. Disclosure is on now. These are some of the impacts of broken authentication on our kind. Prevents it won't prevent that squarely injection because I can actually look in to the particle account I'm wants. Just like you saw an SQL injection
06:31
course
06:32
you can actually look into that part's glad counts you want. So based on the use off limits on go offsets now that someone is,
06:42
it also wants to prevent SQL injection. That's part of soft by a bomb or two. Factor authentication like if you log in on, you still need to receive a token of your phone before the actual authentication can actually take place. Thou also helped to solve it. So on extent they manage session on Lynn depressed, just like I showed you the solution.
07:00
If you can. Actually our session time out. It reduces the tendency of bananas that's come around and pick your details.
07:05
Another one day's avoid the plane application with before passwords always strides off what does a lot, but I just know some of this they were want develop as they were wants. Use us off some of these technologies, so once they know a lot of people do not change it. Default on the picket. All that and force possible policy. Tell people to change their passwords
07:26
from times of pent up people to use complex parcel. Derek I remember and allow bus old tradition.
07:31
Some of this says, can help prevent broken authentication. So it's quiz time now. Broken authentication can lead to all of the following accepts which aren't money, laundry, identity, that sanitization of impure loss of little off course. This anticipation of impedes on our broken authentication can be best prevented by
07:49
possible policy against it. That's an position of impudence. Loss of bitter
07:55
off course, the outsize possible policy. We are also the Palestinian can help prevent broken authentication. So basically, we discovered broken authentication *** ghost authentication. We don't know the identity of who is looking in always been authenticated. Yes, it is a real details. What about the cause? We thought about having a massive tests
08:13
off user name, a long list of Sergeant the talk with then we've talked about badly coded station. Then I should do this scenario off the wall. Let Ito speed read. You can actually peak the credit card details off the opposite. Then I've also told the body impacts identity they lost on possible policy.
08:31
Now a broken authentication up of the numerals judiciales the most of our state. They keep shining, all of them either automated or manually. Now
08:41
you'll find out that only the at me with this apart privileged my beauty target, it doesn't mean they're not going to use all the privileges. But once they find out that there's a particle up
08:52
user name password combination that is actually are not mean that he's the green spaghetti because they knew the country lodge, it's It's so having lent on sin, broken authentication in action.

Up Next

Secure Coding Fundamentals

In Secure Coding Fundamentals, Ayokunle Olaniyi takes you through the best coding practices, which ensures that the application developed as a result stick to the CIA triad and are not riddled by the OWASP top 10. Various aspects of code security and risk assesments across the OWASP top 10 are discussed along with the preventive measures.

Instructed By

Instructor Profile Image
Ayokunle Olaniyi
Instructor