Broken Authentication

Difficulty
Intermediate
Video Transcription
00:00
Hello. My name's I happily. Welcome to the overview of secure coding in
00:05
broken authentication. This vulnerability is actually number two in the OWASP Top Ten vulnerabilities of 2017. The things we're going to be looking at are the introduction, causes, the scenario, impact, prevention, and some quiz questions. Now, a broken authentication attack is actually launched when an attacker has a legitimate user's credentials.
00:24
For somebody to be able to log in as a legitimate user, it simply means he has the username and password combination.
00:30
Now, where did he get the username and password? He most likely must have actually obtained them from the dark web en masse. That's when he has a long list of them that they sell on the dark web. Then another one is
00:43
that he could actually get it by using an already logged-in session. Like, you log into your computer, you know, leave your desk, and an attacker comes in there and hijacks the session, or simply picks up your username and password. Another one is by using default logins, because most of the time he knows
00:59
a lot of people don't change the default credentials that are shipped with some of the systems. So he actually tests that and logs in, and nobody knows who is actually behind such a login here. There's actually authentication, because he is using
01:14
a real username and password, because the credentials are actually correct. Yes, but it's a ghost who is logged in: the credentials are known, but his identity is unknown. So, in this case, we call that broken authentication: the credentials are correct, but his identity is unknown, and there is actual authentication.
01:30
That's what we call broken authentication. Now, what are the causes of this? Some of these are:
01:36
one, a long list of usernames and passwords bought from the dark web. If such was not available on the dark web, there might not be anything like broken authentication. A second one is SQL injection.
01:48
You can actually try SQL injection on some forms. You notice that you get in there, and nobody will know who actually signed in. But in that case, you can actually be authenticated, and that's also called broken authentication. Another one is by using default usernames and passwords. You know, people don't change the default logins
02:07
that are shipped with some of the systems
02:08
with their databases or operating systems or any other thing. Then another one is bad session management. Yeah, in this case it's about session management. Somebody logs in to a dashboard that contains sensitive information, and most of the time you probably leave
02:27
your desk to do a couple of things, and an attacker comes in there, sees your dashboard with all the sensitive information, including your username and password. He just picks it up and
02:35
leaves your desk, so he can log in from elsewhere. So those are the causes of broken authentication. Now, we're going to look at a scenario where some of these things can actually be exploited. We're going to pick one, and that's called bad session management. So now I'm going to log into
02:53
an account, and we'll go
02:55
here. I have 'wide free' [inaudible]. I just wanted an app that was actually built with bugs to be able to get some of these vulnerabilities. So here I'm signing in, so you can see you have the list of all those vulnerabilities there: [inaudible], SQL injection, unauthorized login.
03:15
So once you click that, it comes up. So here we're going to log in as a legitimate user. So now I'm going to use 'wide free', then 'one two three'. So here I have submitted, and you can see now that the page comes up
03:31
and is showing [inaudible]. Now this is my username. This is my password.
03:38
Now these are my credit card details. All of this is for the show's purpose anyway. So my credit card, my balance, and all of that. Now I decide to leave my desk, thinking nobody will come there, and an attacker simply comes in and checks. Here's your password. He can access the next page,
03:57
blah, blah, blah. All the user's attributes are now exposed.
04:00
Now there's a couple of basic pieces of information: username and password. He just picks them, and also has the opportunity of clicking on the credit card details. He picks all of those things. He doesn't even need to write them down; he just takes a picture of all of these and moves. So that's it. But this is dangerous.
04:18
The developer should put into consideration that users sometimes forget to log out when they leave their desk, and anybody can come pick it up. So this is a big problem; it's an issue now. What should a developer do in this case? If you are the developer in this case, you actually put a timer
04:39
on the session, and let's say
04:41
after, say, 15 seconds, it signs out or the system automatically locks. That would have been better; at least it will reduce the tendency of an attacker coming to pick some of these details. Now I'm going to show you what I did on the other page to avoid this kind of situation.
05:00
I call this the session timer solution.
05:01
Here, once I log in as 'wide free'
05:05
and here 'one two three'. Now once I log in, you'll notice that the session timeout is nine. It's actually ten seconds, and the system checks again to see if I am busy. If it goes back to ten, it simply means
05:19
the system understands that I'm still working. But if I stop working, you notice that it keeps reducing until it gets to zero.
05:27
So it reduces the tendency of an attacker coming to pick my details. So this is the session expiring: even if I leave that place, once the session has expired, it automatically logs me out because I'm not there. So this dialog would actually come up just for me to be able to show you; normally
05:46
it's not shown, you know. It's just like your account is locking,
05:48
so once I click OK, you can see I'm out. That's exactly one of the ways to prevent such problems. That's it. Now, what are the impacts of broken authentication? One is money laundering. You guys saw that I saw the credit card details of that person when he left his desk.
06:06
Being able to see all of this information, I can actually use that to move money from his account.
06:12
Another one is credit card fraud, because I saw the credit card details. Identity theft is another; information disclosure is another. Now, these are some of the impacts of broken authentication. How can we prevent it? One is to prevent SQL injection, because I can actually log into a particular account I want, just like you saw in the SQL injection
06:31
course:
06:32
you can actually log into that particular account you want, based on the use of limit and offset. Now, another one is,
06:42
also to prevent SQL injection, that's part of it. Another one is two-factor authentication, like if you log in, you still need to receive a token on your phone before the actual authentication can actually take place. That also helps to solve it. Then another one is to manage sessions on the login page, just like I showed you in the solution.
07:00
If you can actually add a session timeout, it reduces the tendency of an attacker coming around to pick your details.
07:05
Another one is to avoid deploying applications with default passwords. Always try to change them, because a lot of attackers know some of the defaults that the developers or vendors of some of these technologies use, so once they know a lot of people do not change the defaults, they pick it up. Also, enforce a password policy: tell people to change their passwords
07:26
from time to time, compel people to use complex passwords they can remember, and allow password expiration.
07:31
Some of these can help prevent broken authentication. So it's quiz time now. Broken authentication can lead to all of the following except which one: money laundering, identity theft, sanitization of inputs, loss of data? Of course, it's sanitization of inputs. Now, broken authentication can be best prevented by
07:49
password policy enforcement, sanitization of inputs, loss of data?
07:55
Of course, the answer is password policy enforcement; that can help prevent broken authentication. So basically, we discussed broken authentication as ghost authentication: we don't know the identity of who is logging in, but he's been authenticated. Yes, with real details. What about the causes? We talked about having a massive list
08:13
of usernames, a long list sold on the dark web. Then we've talked about badly coded sessions. Then I showed you the scenario of how, when a user leaves his desk, you can actually pick the credit card details of that user. Then I've also told you about the impacts, identity theft, and the prevention, password policy.
08:31
Now, broken authentication [inaudible]. They keep trying, all of them, either automated or manually. Now
08:41
you'll find out that although the admin with the super privileges may be the target, it doesn't mean they're not going to use other privileges. But once they find out that there's a particular
08:52
username and password combination that is actually an admin, that means they've hit the jackpot, because they can now log in. So, having learned and seen broken authentication in action.