Part 6 Defenses

Video Activity

In this lesson, participants learn receive an overview of defenses, including: • Broken authentication • Session management Participants also learn session management sample codes which can be used to repair an issue in a session fixation.

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Description

In this lesson, participants learn receive an overview of defenses, including: • Broken authentication • Session management Participants also learn session management sample codes which can be used to repair an issue in a session fixation.

Video Transcription
00:04
Hello and welcome to the cyber very secure coding course.
00:08
My name is anywhere, and this is a WASP top 10 for 2013 a two broken authentication and session management medications, countermeasures and defenses. Now an overview of our defenses. We've basically talked about two different areas
00:27
broken authentication and session management.
00:31
Now, in terms of mitigations, countermeasures and defenses in broken authentication. We learned particularly from the demo that we cannot have our air messages or even our success messages
00:45
give Attackers any type of clue as to what may have changed between requests. So when we saw the failed attempt and we saw one message and then we saw a success when we saw a different message,
01:02
we were actually able to key off of the success message in the demo case
01:07
and the numerator, all of the user names in the
01:11
database.
01:14
Another thing that we looked at is Theseus. Ample code where we never want a hard code, any credentials into our code for several reasons. We do not want to have this as part of the binary. It also means that you're using the same credentials in every single environment
01:33
from development. All the way to production.
01:36
So instead, what we want to do is we want to externalize thes credentials, either placing them in a property's file, a configuration file or database. And even when we do that, we want to make sure that the password itself is being protected through encryption.
01:55
We also talked about password policy enforcement. Now, this is where we make sure our users air not using dictionary words for their passwords.
02:05
We also want to enforce aging, which means passwords expire after a certain number of days, it must be reset.
02:13
Strength, of course, has to do with the length of passwords
02:19
and what could be contained in them. And then finally, we talked about good password. Management means that all passwords are hashed in the database and they include salts.
02:34
Now, in the area of session management,
02:36
we've learned that we need to make sure our tokens, our session I D. S are unpredictable. Now, unpredictability is not going to come from a homegrown way of creating our randomness. We cannot use time stamps and things like that
02:55
as these are very easy to pick up on
03:00
by various attacker tools. And so we need to make sure unpredictability is done through secure randomness.
03:08
Also, we need to have expiration policies on our sessions, make sure that they time out after a reasonable amount of time. We also need to make sure that any kind of events like a log in or along out actually reset our session I. D. S.
03:27
We also need to protect our information, whether it's the communication, the traffic going back and forth between the browser and the server or the cookie. And we need to make sure that this protection comes over encryption T l s, of course, being what it is
03:46
preferred at this time.
03:49
We did speak about cookie security. The demo showed us some cookie manipulation with a very predictable cookie number that was being used for user I. D.
04:00
And we also know that the cookie needs to be protected with the HDP Onley and secure flags from manipulation.
04:12
Now let's take a look at the sample code that could be used to actually fix session fixation problem that we saw earlier.
04:23
So in the problem, we saw that the HDP response showed the cookie before log in and after log in. And in both cases, that session I d stored in the cookie remained the same.
04:39
So in order to address that particular problem, the first thing that we would need to do is actually go ahead and grab our current session. You're usually able to get this through the request object.
04:51
Then what you need to do is upon log and go ahead and invalidate that session,
04:58
and then you're going to go ahead and generate a new session. Now there might be attributes associated with the
05:05
original unauthenticated session that you want to retain. That's not a problem. You should be able to get those
05:13
attributes from that original session,
05:16
save them off and then assigned them to your new generated session.
05:21
So this concludes our
05:25
are mitigations
05:27
countermeasures in defenses. Let's move now into our labs.
Up Next
Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By