Hacking Web Apps - 9781597499514|ScienceDirect.com by Mike Shema
				
							 
							
								
							
							
							Author:Mike Shema [Shema, Mike]
							
							
							
							Language: eng
							
							
							
							Format: epub
							
							
							
																				
							
							
							
							
							
							
							Published: 0101-01-01T00:00:00+00:00
							
							
							
							
							
							
ability will dwindle as developers learn to rely on prepared statements. It will also
diminish as developers turn to “NoSQL” or non-SQL based datastores, or even turn
to HTML5’s Web Storage APIs. However, those trends still require developers to
prevent grammar injection-style attacks against queries built with JavaScript instead
of SQL. And developers must be more careful about the amount and kind of data
placed into the browser. As applications become more dependent on the browser for
computing, hackers will become as equally focused on browser attacks as they are
on web site attacks.
CHAPTER
Breaking Authentication
Schemes
5
Mike Shema
487 Hill Street, San Francisco, CA 94114, USA
INFORMATION IN THIS CHAPTER:
• Understanding the Attacks
• Employing Countermeasures
Passwords remain the most common way for a web site to have users prove their
identity. If you know an account’s password, then you must be the owner of the
account—so the assumption goes. Passwords represent a necessary evil of web secu-
rity. They are necessary, of course, to make sure that our accounts cannot be accessed
without this confidential knowledge. Yet the practice of passwords illuminates the
fundamentally insecure nature of the human way of thinking. Passwords can be easy
to guess, they might not be changed for years, they might be shared among dozens of
web sites (some secure, some with gaping SQL injection vulnerabilities), they might
even be written on slips of paper stuffed into a desk drawer or slid under a keyboard.
Keeping a password secret requires diligence in the web application and on the part
of the user. Passwords are a headache because the application cannot control what its
users do with them.
In October 2009 a file containing the passwords for over 10,000 Hotmail accounts
was discovered on a file-sharing web site followed shortly by a list of 20,000 creden-
tials for other web sites (http://news.bbc.co.uk/2/hi/technology/8292928.stm). The
lists were not even complete. They appeared to be from attacks that had targeted
Spanish-speaking users. While 10,000 accounts may seem like a large pool of vic-
tims, the number could be even greater because the file only provides a glimpse into
one set of results. The passwords were likely collected by phishing attacks—attacks
that trick users into revealing their username and password to people pretending to
represent a legitimate web site. Throughout this book we discuss how web site devel-
opers can protect their application and their users from attackers. If users are willing
to give away their passwords (whether being duped by a convincing impersonation
or simply making a mistake), how is the web site supposed to protect its users from
themselves?
To obtain a password is the primary goal of many attackers flooding e-mail with
spam and faked security warnings. Obtaining a password isn’t the only way into a
Hacking Web Apps. http://dx.doi.org/10.1016/B978-1-59-749951-4.00005-9
141
© 2012 Elsevier, Inc. All rights reserved.
142
CHAPTER 5 Breaking Authentication Schemes
victim’s account. Attackers can leverage other vulnerabilities to bypass authentica-
tion, from Chapter 2: HTML Injection & Cross-Site Scripting (XSS) to Chapter 3:
Cross-Site Request Forgery (CSRF) to Chapter 4: SQL Injection & Data Store Manip-
ulation. This chapter covers the most common ways that web sites fail to protect
passwords and steps that can be taken to prevent these attacks from succeeding.
UNDERSTANDING AUTHENTICATION ATTACKS
Authentication and authorization are closely related concepts.
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Deep Learning with Python by François Chollet(12881)
A Developer's Guide to Building Resilient Cloud Applications with Azure by Hamida Rebai Trabelsi(10208)
Hello! Python by Anthony Briggs(10131)
The Mikado Method by Ola Ellnestam Daniel Brolund(10020)
OCA Java SE 8 Programmer I Certification Guide by Mala Gupta(9988)
Dependency Injection in .NET by Mark Seemann(9524)
Hit Refresh by Satya Nadella(9001)
Algorithms of the Intelligent Web by Haralambos Marmanis;Dmitry Babenko(8532)
The Kubernetes Operator Framework Book by Michael Dame(8272)
Exploring Deepfakes by Bryan Lyon and Matt Tora(8059)
Practical Computer Architecture with Python and ARM by Alan Clements(8006)
Implementing Enterprise Observability for Success by Manisha Agrawal and Karun Krishnannair(7986)
Robo-Advisor with Python by Aki Ranin(7978)
Sass and Compass in Action by Wynn Netherland Nathan Weizenbaum Chris Eppstein Brandon Mathis(7921)
Grails in Action by Glen Smith Peter Ledbrook(7890)
Building Low Latency Applications with C++ by Sourav Ghosh(7868)
Svelte with Test-Driven Development by Daniel Irvine(7860)
Test-Driven iOS Development with Swift 4 by Dominik Hauser(7858)
Becoming a Dynamics 365 Finance and Supply Chain Solution Architect by Brent Dawson(7780)
