Hacking Web Apps - 9781597499514|ScienceDirect.com by Mike Shema


Author:Mike Shema [Shema, Mike]
Language: eng
Format: epub


ability will dwindle as developers learn to rely on prepared statements. It will also diminish as developers turn to “NoSQL” or non-SQL based datastores, or even turn to HTML5’s Web Storage APIs. However, those trends still require developers to prevent grammar injection-style attacks against queries built with JavaScript instead of SQL. And developers must be more careful about the amount and kind of data placed into the browser. As applications become more dependent on the browser for computing, hackers will become equally focused on browser attacks as they are on web site attacks.
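The paragraph above says that moving from SQL to a query language built out of JavaScript objects does not remove grammar injection; it only changes the grammar. The following added example (not code from the book) makes that concrete with a toy in-memory document matcher whose filter language supports equality and one hypothetical operator, `$ne`, in the style of operator-based datastore filters. The user records are constructed sample data. The unsafe login splices the parsed request body straight into the filter, so a body value that is an object rather than a string rewrites the query's meaning; the hardened login insists that every value reaching the query is a plain string, which is the non-SQL equivalent of a prepared statement's parameter typing.

```javascript
// Added example, not from the book: grammar injection against a query
// built from JavaScript objects, beside the hardened form.

// Constructed sample records standing in for a user collection.
const users = [
  { user: "alice", password: "correct horse" },
  { user: "bob", password: "hunter2" },
];

// Toy filter grammar: a field either equals a scalar, or carries an
// operator object. Only the hypothetical `$ne` (not equal) is supported.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      return false; // unknown operator: match nothing
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return users.filter((doc) => matches(doc, filter));
}

// Vulnerable: `body` is whatever JSON the client sent. If `body.password`
// is an object such as { "$ne": "" }, the filter's grammar changes from
// "password equals X" to "password is not empty", and the lookup succeeds
// without knowing the password at all.
function loginUnsafe(body) {
  const hits = find({ user: body.user, password: body.password });
  return hits.length > 0 ? hits[0].user : null;
}

// Hardened: coerce each credential to a plain string before it reaches the
// query. Anything that is not a string (objects, arrays, numbers) is
// rejected up front, so no operator syntax can enter the filter.
function asString(value) {
  if (typeof value !== "string") {
    throw new TypeError("credential must be a string");
  }
  return value;
}

function loginSafe(body) {
  let user;
  let password;
  try {
    user = asString(body.user);
    password = asString(body.password);
  } catch (e) {
    return null; // malformed input is treated as a failed login
  }
  const hits = find({ user, password });
  return hits.length > 0 ? hits[0].user : null;
}

module.exports = { matches, find, loginUnsafe, loginSafe };
```

A real application would also hash and compare passwords rather than query on them directly; the point of the example is that type validation of the values spliced into an object-based query is the control that prevents the grammar from being rewritten, exactly as parameter binding does for SQL.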

CHAPTER 5

Breaking Authentication Schemes

Mike Shema

487 Hill Street, San Francisco, CA 94114, USA

INFORMATION IN THIS CHAPTER:

• Understanding the Attacks

• Employing Countermeasures

Passwords remain the most common way for a web site to have users prove their identity. If you know an account’s password, then you must be the owner of the account—so the assumption goes. Passwords represent a necessary evil of web security. They are necessary, of course, to make sure that our accounts cannot be accessed without this confidential knowledge. Yet the practice of passwords illuminates the fundamentally insecure nature of the human way of thinking. Passwords can be easy to guess, they might not be changed for years, they might be shared among dozens of web sites (some secure, some with gaping SQL injection vulnerabilities), they might even be written on slips of paper stuffed into a desk drawer or slid under a keyboard. Keeping a password secret requires diligence in the web application and on the part of the user. Passwords are a headache because the application cannot control what its users do with them.

In October 2009 a file containing the passwords for over 10,000 Hotmail accounts was discovered on a file-sharing web site followed shortly by a list of 20,000 credentials for other web sites (http://news.bbc.co.uk/2/hi/technology/8292928.stm). The lists were not even complete. They appeared to be from attacks that had targeted Spanish-speaking users. While 10,000 accounts may seem like a large pool of victims, the number could be even greater because the file only provides a glimpse into one set of results. The passwords were likely collected by phishing attacks—attacks that trick users into revealing their username and password to people pretending to represent a legitimate web site. Throughout this book we discuss how web site developers can protect their application and their users from attackers. If users are willing to give away their passwords (whether being duped by a convincing impersonation or simply making a mistake), how is the web site supposed to protect its users from themselves?

To obtain a password is the primary goal of many attackers flooding e-mail with spam and faked security warnings. Obtaining a password isn’t the only way into a victim’s account. Attackers can leverage other vulnerabilities to bypass authentication, from Chapter 2: HTML Injection & Cross-Site Scripting (XSS) to Chapter 3: Cross-Site Request Forgery (CSRF) to Chapter 4: SQL Injection & Data Store Manipulation. This chapter covers the most common ways that web sites fail to protect passwords and steps that can be taken to prevent these attacks from succeeding.

Hacking Web Apps. http://dx.doi.org/10.1016/B978-1-59-749951-4.00005-9
© 2012 Elsevier, Inc. All rights reserved.

UNDERSTANDING AUTHENTICATION ATTACKS

Authentication and authorization are closely related concepts.
