OWASP
Copyright 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
Browser Refresh
Browser memory
Remember feature
Forget password feature
SQL injection
#1
Browser Refresh
Browser Refresh
Browsers store the headers and POST variables sent to the web server while fetching a page.
When the Refresh button is clicked, the request that loaded the current page is re-submitted to the server.
Pre-requisite
User leaves the browser window open.
Adversary gets physical access to the machine.
Step 1: Bob logged out of the application but did not close the browser.
[Screenshot: "You have been successfully logged out."]
Step 2: Alice gains access to his machine. She clicks the Back button on the browser until she reaches the page immediately after login.
Step 4: Alice clicks Retry on the pop-up shown by the browser and gets logged in as Bob.
Step 5: Alice intercepts this request with the web proxy and is able to see Bob's username and password.
[Screenshot: the re-submitted request intercepted in the web proxy; Login.asp and www.website.com/Myhome.asp appear in the capture]
#2
Browser Memory
Browser Memory
The username and password submitted through the web page are stored in the browser memory.
Pre-requisite
User leaves the browser window open after logging out.
Adversary gets physical access to the machine.
Step 1: Bob logged out of the application but did not close the browser.
Solution
The variable containing the clear text password should be reset immediately after logon.
Use a salted hash technique.
#3
Remember feature
Two ways
Pre-requisite
User activates a feature to remember login credentials.
Adversary gets physical access to the machine.
The Attack: browser feature
Bob set his IE/Firefox browser to save passwords.
Firefox user: Bob had set Firefox to save passwords through the Remember passwords option.
While logging in to the application, the browser prompted with a dialog to save the password, and Bob chose Yes.
Step 1: Alice gains access to his machine. She retrieves the password from the stored location.
Alice clicks
Solution
The authentication details/token should not be stored in plain text.
Add AUTOCOMPLETE="off" to the password field, e.g. <input type="password" AUTOCOMPLETE="off">
Display a warning message about the insecurity of a shared computer environment.
Use workarounds, e.g. small JavaScript snippets.
#4
Forget password feature
#4.1
Hidden Fields
Hidden Fields
Hidden form fields represent a convenient way to store data in the browser and are one of the most common ways of carrying data.
Pre-requisite
Step 2: Alice sets a new password, changes the username to Bob's and clicks on Login.
Solution
No critical data should be stored in hidden fields. The application should link the user Id to the session information of the user.
#4.2
Variables in URL
Variables in URL
Pre-requisite
Step 1: Alice accesses the forget password page using a web proxy.
[Screenshot: the username appears both in the URL and in the intercepted request]
Solution
No critical data should be sent in the query string. The application should link the user Id to the session information of the user.
#4.3
Improper Processes
Improper Processes
Different ways to implement the forgot password feature: secret question, user details.
Pre-requisite
Step 1: Alice inputs Bob's name into the username field and clicks on the Forgot password link.
Solution
Short-lived, one-time-use, SSL-enabled link mailed to the user.
#5
SQL Injection
A well known attack.
Specially crafted input manipulates the SQL query.
Attackers can manipulate the database.
The Attack
The query:
UPDATE <table name> SET Password = 'test123';--' WHERE Username = 'alice' AND old_Password = 'alice123'
Solution
Strong input validation
Maintain a white list
Parameterized queries
Parameterized stored procedures
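As an added illustration of the slide's change-password query and its fix (example code written for this edit, not part of the OWASP deck): the concatenated query beside its parameterized form, run against a constructed in-memory sqlite3 table. The table name, the single 'password' column and the two sample users are assumptions.

```python
import re
import sqlite3

# Constructed sample data: two users with clear-text passwords, mirroring the
# slide's user (alice / alice123). The table name and the single 'password'
# column are assumptions; the slide names the table only as <table name>.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice123"), ("bob", "bob456")])
    conn.commit()
    return conn

def change_password_vulnerable(conn, username, old_password, new_password):
    """Builds the UPDATE by string concatenation, as on the slide.
    A new password of  test123';--  closes the string literal and comments out
    the WHERE clause, so the old-password check never runs and every row is
    updated."""
    query = ("UPDATE users SET password = '" + new_password + "' "
             "WHERE username = '" + username + "' AND password = '" + old_password + "'")
    # executescript mimics a driver that runs the submitted text as a batch,
    # which is what lets the ';' and '--' in the payload take effect.
    conn.executescript(query)
    conn.commit()
    return query

def change_password_safe(conn, username, old_password, new_password):
    """Parameterized query: the values never become part of the SQL text, so
    the payload is either stored as an ordinary (odd-looking) password or, if
    the old password is wrong, nothing changes. Returns the rows updated."""
    cur = conn.execute(
        "UPDATE users SET password = ? WHERE username = ? AND password = ?",
        (new_password, username, old_password))
    conn.commit()
    return cur.rowcount

# Whitelist for the username field (the slide's "maintain a white list");
# a defence in depth measure used in addition to, never instead of, parameters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None

def stored_password(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None
```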
Thank You!!