Unit-4 - web security.pptx

VikasTuwar1 59 views 21 slides Jun 12, 2024
Slide Content

Unit-4 Web Security

Authentication Techniques:

1. Password-Based Authentication
Basic Concept: Users provide a username and a password to gain access.
Best Practices: Use strong, complex passwords. Store passwords securely using hashing algorithms like bcrypt or Argon2. Implement account lockout mechanisms after a certain number of failed attempts.

2. Multi-Factor Authentication (MFA)
Basic Concept: Requires two or more verification factors.
Factors: Something you know (password or PIN); something you have (smartphone, security token); something you are (biometric data like fingerprints or facial recognition).
Example: Logging in with a password and a code sent to a mobile device.

3. Biometric Authentication
Basic Concept: Uses unique biological characteristics.
Examples: Fingerprints, facial recognition, voice recognition.
Considerations: High accuracy and convenience; privacy concerns and data protection regulations.

4. Certificate-Based Authentication
Basic Concept: Uses digital certificates to identify users or devices.
Mechanism: Users possess a digital certificate issued by a trusted authority. The certificate is used in conjunction with a private key for authentication.
Use Cases: Secure email, VPNs, and mutual SSL/TLS.

5. Single Sign-On (SSO)
Basic Concept: Allows users to authenticate once and gain access to multiple applications.
Mechanism: Uses a centralized authentication server. Reduces the need to remember multiple passwords.
Example: Logging into Google services (Gmail, Drive) with one Google account.

6. Social Login
Basic Concept: Uses credentials from social networks (e.g., Google, Facebook) for authentication.
Benefits: Convenience for users. Reduces password fatigue.
Considerations: Dependence on third-party services and potential privacy issues.

Design Flaws in Authentication:
Design flaws in authentication can lead to serious security vulnerabilities, allowing unauthorized access to sensitive information and systems. Common design flaws and how to mitigate them:

1. Weak Password Policies
Flaw: Allowing users to set weak, easily guessable passwords.
Mitigation: Enforce strong password policies (e.g., minimum length, complexity requirements). Implement password strength meters to guide users. Prohibit the use of common passwords and dictionary words.

2. Insufficient Account Lockout Mechanisms
Flaw: Failing to lock accounts after multiple failed login attempts, making brute force attacks easier.
Mitigation: Implement account lockout policies after a certain number of failed attempts. Use exponential backoff or CAPTCHA challenges to slow down automated attacks.

3. Insecure Password Recovery Mechanisms
Flaw: Weak password recovery methods, such as security questions or email links, that can be easily guessed or intercepted.
Mitigation: Use secure password recovery methods, such as sending a reset link to a verified email address or SMS. Require MFA for password recovery processes. Avoid using easily guessable security questions.

4. Session Management Issues
Flaw: Poor session management, such as not properly invalidating sessions upon logout or allowing session IDs to be easily guessed.
Mitigation: Use secure session management practices, including proper session ID generation and invalidation. Implement session expiration and automatic logout mechanisms. Ensure that session IDs are transmitted securely using HTTPS.

5. Lack of Proper Logging and Monitoring
Flaw: Not logging authentication attempts or failing to monitor them for suspicious activity.
Mitigation: Implement comprehensive logging of all authentication-related events. Monitor logs for signs of suspicious activity and respond to potential breaches promptly.

6. Exposure of Authentication Information
Flaw: Exposing sensitive authentication details in error messages or URLs.
Mitigation: Avoid revealing specific reasons for authentication failures (e.g., return "Invalid credentials" rather than "Invalid username"). Do not include sensitive information in URLs or error messages.
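An added example (not from the slides) that ties together the password-based authentication item and the Weak Password Policies, Insufficient Account Lockout and Exposure of Authentication Information flaws above: a salted, slow password hash, a single generic failure message, and exponential backoff that escalates to a hard lockout. hashlib.pbkdf2_hmac stands in for bcrypt/Argon2 so it runs with the standard library only; the in-memory user store, the thresholds and the injectable `now` parameter are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed for the example: username -> (salt, hash); a real app uses a database.
_USERS = {}
# Per-user failure state: username -> (consecutive_failures, locked_until_timestamp)
_FAILURES = {}
MAX_ATTEMPTS = 5      # hard lockout after this many consecutive failures
BASE_DELAY = 2.0      # seconds; doubles with every failure past the first
MIN_PASSWORD_LEN = 12

def _hash_password(password, salt):
    # pbkdf2_hmac stands in for bcrypt/Argon2 so the example needs only the stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    # Policy check from the slides: refuse short passwords before they are stored.
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))

def _locked_until(failures, now):
    if failures >= MAX_ATTEMPTS:
        return float("inf")                          # locked until an operator unlocks it
    return now + BASE_DELAY * (2 ** (failures - 1))  # exponential backoff: 2s, 4s, 8s, 16s

def login(username, password, now=None):
    """Return "OK", "Invalid credentials" or "Account temporarily locked".
    `now` is injectable so the backoff can be exercised without sleeping."""
    now = time.time() if now is None else now
    failures, locked_until = _FAILURES.get(username, (0, 0.0))
    if now < locked_until:
        return "Account temporarily locked"
    record = _USERS.get(username)
    # Hash even for unknown users so timing does not reveal whether the account exists.
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    candidate = _hash_password(password, salt)
    if record is not None and hmac.compare_digest(candidate, stored):
        _FAILURES.pop(username, None)                # success resets the counter
        return "OK"
    failures += 1
    _FAILURES[username] = (failures, _locked_until(failures, now))
    # One generic message for a bad username and a bad password alike.
    return "Invalid credentials"
```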

Implementation Flaws in Authentication:
Implementation flaws in authentication can introduce serious security issues, even if the design is sound.

1. Failure to Implement Proper Input Validation
Flaw: Not validating user inputs correctly, leading to SQL injection or other injection attacks.
Mitigation: Use prepared statements and parameterized queries for database interactions. Validate and sanitize all user inputs on both the client side and the server side.

2. Improper Use of Authentication Libraries
Flaw: Misusing or incorrectly configuring authentication libraries, leading to security weaknesses.
Mitigation: Thoroughly read and understand the documentation of authentication libraries. Follow best practices and recommended configurations provided by the library.

3. Hard-Coding Secrets
Flaw: Storing secrets like API keys, passwords, or cryptographic keys directly in the code.
Mitigation: Use secure storage solutions like environment variables or secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager). Ensure secrets are encrypted at rest and in transit.

4. Poor Session Management
Flaw: Inadequate session handling, such as not invalidating sessions on logout or reusing session IDs.
Mitigation: Ensure sessions are properly invalidated on logout. Use unique, unpredictable session IDs. Implement session expiration and renewal mechanisms.

5. Incorrect Token Handling
Flaw: Mishandling tokens (e.g., JWTs), such as not verifying signatures or using weak algorithms.
Mitigation: Verify the integrity and authenticity of tokens using the correct cryptographic algorithms. Avoid using weak algorithms (e.g., HS256) for token signing. Implement proper token expiration and renewal processes.

6. Unencrypted Communication
Flaw: Transmitting sensitive information, such as passwords, over unencrypted channels.
Mitigation: Always use HTTPS to encrypt data in transit. Ensure all parts of the application that handle sensitive data are served over secure connections.

7. Failure to Implement Account Lockout
Flaw: Not locking accounts after multiple failed login attempts, making brute force attacks easier.
Mitigation: Implement account lockout policies after a specified number of failed attempts. Use exponential backoff or CAPTCHA challenges to slow down automated attacks.

Path Traversal Attacks

WHAT IS A PATH TRAVERSAL ATTACK?
A path traversal attack aims to access files and directories that are stored outside the web root folder. It should be noted that access to files is still limited by the operating system's access control (for example, locked or in-use files on Microsoft Windows). To access files or execute commands anywhere on the file system, path traversal attacks make use of special character sequences.

WHAT IS A DIRECTORY?
In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. The top-most directory in such a file system, which does not have a parent of its own, is called the root directory.
Root Directory: This directory is located in the server file system, and users simply can't access sensitive files above this root. One such example is the sensitive cmd.exe file on Windows platforms, which rests in the root directory that not everyone can access.

ROOT DIRECTORY

What does ../ or .. (dot dot slash) mean?
The ".." sequence instructs the system to go one directory (or folder) up. For example, if we are at the location C:/Apps/Games and type "../", we reach C:/Apps. Path traversal attacks use such special character sequences to access files or execute commands anywhere on the file system.

Encoding and double encoding
Most web servers prevent the plain "../" sequence from escaping the web document root, but alternate encodings of the "../" sequence may bypass those security filters. These variations include valid and invalid Unicode encodings of the forward slash character ("..%u2216" or "..%c0%af"), backslash characters ("..\") on Windows-based servers, URL-encoded characters ("%2e%2e%2f"), and double URL encoding ("..%255c") of the backslash character. Double encoding encodes user request parameters twice in hexadecimal format in order to bypass security controls or cause unexpected behaviour from the application. It works because the web server accepts and processes client requests in many encoded forms.

Encoding and double encoding (encoded form -> what it decodes to):

%2e%2e%2f         ../
%2e%2e/           ../
..%2f             ../
%2e%2e%5c         ..\
%2e%2e\           ..\
..%5c             ..\
%252e%252e%255c   ..\
..%255c           ..\

There was a serious security vulnerability in the Belkin N150 wireless router that could enable a remote, unauthenticated attacker to read any system file on a vulnerable router. Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a path traversal vulnerability through the built-in web interface. The webproc CGI module accepts a getpage parameter which takes an unrestricted file path as input. The web server runs with root privileges by default, allowing a malicious attacker to read any file on the system.

How to prevent Path Traversal attacks?
Don't store old, sensitive, or otherwise non-public files on your web server. The only files that should be in your /htdocs or DocumentRoot folder are those that are needed for the site to function properly.
The latest versions of web servers have good directory security by default, so, if possible, make sure you're running the latest versions.
Effectively filter any user input. Ideally, remove everything but known good data and filter meta-characters from the user input. This will ensure that attackers cannot use commands that leave the root directory or violate other access privileges.
Remove "..\" and "../" from any input that's used in a file context.
Ensure that your web server is properly configured to allow public access to only those directories that are needed for the site to function.
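An added example (not from the slides) of the input filtering recommended above, checked against the encoded and double-encoded sequences in the table: decode until the input stops changing, normalise backslashes, allow-list each path segment, then confirm the canonical path still lies under the document root. The WEB_ROOT value and the function names are constructed for the example; it uses posixpath and normpath so it runs without touching the file system.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"   # assumed document root for the example
_SAFE_SEGMENT_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")

def fully_decode(value, max_rounds=3):
    """Percent-decode until the input stops changing, so double encoding such as
    ..%255c is seen as ..%5c and then as ..\\ instead of slipping past one decode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def resolve_under_root(user_path, root=WEB_ROOT):
    """Map a user-supplied path to an absolute path inside root, or raise ValueError."""
    decoded = fully_decode(user_path)
    # Treat backslash like slash so the ..\ variants in the table get the same handling as ../
    decoded = decoded.replace("\\", "/")
    for seg in decoded.split("/"):
        if seg == "":
            continue                 # leading or doubled slashes are harmless
        # Allow-list: reject '..' and any segment with characters outside a conservative set.
        # This also catches "%u2216" (which unquote leaves as-is) and "%c0%af" (which it
        # turns into U+FFFD replacement characters).
        if seg == ".." or not set(seg) <= _SAFE_SEGMENT_CHARS:
            raise ValueError(f"rejected path segment: {seg!r}")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Belt and braces: even after filtering, confirm the canonical path stays under root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes document root")
    return candidate

def is_safe(user_path, root=WEB_ROOT):
    """True when resolve_under_root accepts the path, False when it rejects it."""
    try:
        resolve_under_root(user_path, root)
        return True
    except ValueError:
        return False
```

In a real request handler, also pass the result through os.path.realpath before opening it, so a symbolic link inside the root cannot point outside it.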