
AuthN & AuthZ testing: it’s not only about the login form

Diana Pinchuk
September 20, 2019


Presentation in Google Slides http://bit.ly/AuthZ-AuthN-Diana

Testers are often asked at interviews to test a login form, and for many of them this is where their acquaintance with authentication testing ends.
We'll talk about authorization and authentication (AuthZ & AuthN) testing: what the difference between them is and how to stop confusing them; how the OAuth 2.0 protocol works; what the best practices of AuthZ & AuthN security testing are; what an Identity and Access Management (IAM) system is; and where to practise testing that famous login form.
The talk will be useful for functional testers and those who are interested in the technological aspects of AuthZ & AuthN.


Transcript

  1. AuthN & AuthZ testing: it's not only about the login form (KYIV 2019, QA CONFERENCE #1 IN UKRAINE)
  2. Agenda
     - What's the difference
     - Authentication and its spectrum
     - Authorization and OAuth 2.0
     - Identity and Access Management (IAM) and Keycloak
     - Conclusions and trivia quiz
  3. Why do we talk about it?
     - To stop confusing the two
     - It's everywhere... and probably in your product
     - You were asked to test a login form at an interview
  4. OWASP API Security Top 10 (2019)
     - API1: Broken Object Level Authorization (AuthZ)
     - API2: Broken User Authentication (AuthN)
  5. Boring theory
     - Authentication is the process of ascertaining that somebody really is who they claim to be.
     - Authorization refers to rules that determine who is allowed to do what.
  6. Authentication: in contrast with identification, the act of indicating a person's or thing's identity, authentication is the process of verifying that identity.
  7. AuthN spectrum
     - Passwords
     - Cookies
     - Single Sign-On
     - Restrict where and when users can log in
     - Two-Factor Authentication
     - Certificate-Based Authentication
     - Network-based security
  8. MFA: phone-based methods
     - Push-based
     - QR code based
     - One-time password (OTP): event-based (HOTP) or time-based (TOTP)
     - SMS-based verification => avoid it!
  9. Same list; the slide attaches the 2018 Reddit breach, in which attackers intercepted employees' SMS-based 2FA codes, as its example of why SMS-based verification is to be avoided.
  10. Single Sign-On (SSO)
     - Reduces password fatigue
     - Reduces IT costs
     - Less time spent re-entering passwords
     - Mitigates risk for access to 3rd-party sites
  11. OWASP Testing Guide: authentication testing
     1. Credentials transported over an encrypted channel
     2. Default credentials
     3. Weak lock out mechanism
     4. Bypassing authentication schema
     5. Vulnerable remember password
     6. Browser cache weakness
     7. Weak password policy
     8. Weak security question/answer
     9. Weak password change or reset functionalities
     10. Weaker authentication in alternative channel
  12. Same list; the slide attaches an Apple incident to item 2 (default credentials) as its example.
  13. Rainbow table attack: huge databases of precomputed hashes

     User     Password        Password hash (SHA1)
     Alice    password        5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
     Bob      qjnN@*)!bsk     dd3fb7f5e7e0b00e0794f0c73d5f3ba57197be24
     Carrie   my_p@s$w0rd!    700c311f7fe171eca2d0bc8f1e13bfa288944539
     James    qwerty123       5cec175b165e3d5e62c9e13ce848ef6feac81bff
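The slide shows why unsalted SHA-1 is the attacker's favourite: the same password always produces the same digest, so the hashing can be done once, in advance, for everyone. The following Python is an added worked example, not code from the talk. It reproduces the attack against the slide's four accounts with a tiny precomputed table (a seven-word list standing in for a real rainbow table), then shows the defence the slide does not spell out: a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), which forces the attacker back to one KDF run per user per guess. The wordlist, the account data and the `pbkdf2_sha256$iterations$salt$digest` storage format are constructed here for the example; the 600 000 iteration default is the OWASP Password Storage Cheat Sheet figure.

```python
"""Precomputed-hash (rainbow table) attack against unsalted SHA-1, and the salted, iterated
KDF that defeats it. Added example, not code from the talk."""
from __future__ import annotations

import hashlib
import hmac
import os


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample: the four accounts from the slide, hashed the way the slide shows
# (plain SHA-1, no salt). Alice's digest is the one printed on the slide.
SLIDE_PASSWORDS = {"Alice": "password", "Bob": "qjnN@*)!bsk", "Carrie": "my_p@s$w0rd!", "James": "qwerty123"}
LEAKED_SHA1 = {user: sha1_hex(pw) for user, pw in SLIDE_PASSWORDS.items()}

# A stand-in for a rainbow table: a wordlist hashed once, before any target is known.
# Real tables hold billions of entries; the principle is the same.
WORDLIST = ["123456", "password", "qwerty", "qwerty123", "letmein", "admin", "welcome1"]
PRECOMPUTED = {sha1_hex(word): word for word in WORDLIST}


def precomputed_attack(leaked: dict[str, str]) -> dict[str, str]:
    """One dictionary lookup per user: no hashing happens at attack time, and one table
    serves every breach that used the same unsalted algorithm."""
    return {user: PRECOMPUTED[digest] for user, digest in leaked.items() if digest in PRECOMPUTED}


# Defence: a per-user random salt makes every stored digest unique, so a table computed in
# advance cannot contain it, and PBKDF2's iteration count makes each guess expensive.
def hash_password(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"  # storage format assumed here


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def dictionary_attack(stored: dict[str, str], wordlist) -> tuple[dict[str, str], int]:
    """Against a salted store the attacker must run the KDF once per (user, guess): nothing
    can be precomputed or shared between users. Returns the hits and the number of KDF calls,
    which is what the iteration count multiplies."""
    cracked, kdf_calls = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    print("unsalted SHA-1, table lookup:", precomputed_attack(LEAKED_SHA1))
    store = {user: hash_password(pw, iterations=10_000) for user, pw in SLIDE_PASSWORDS.items()}
    print("salted PBKDF2, per-guess KDF:", dictionary_attack(store, WORDLIST))
```

Note what the salt does and does not buy: Alice and James still fall to a dictionary attack, because "password" and "qwerty123" are in every wordlist. The salt removes the precomputation and the sharing of work across users, and the iteration count sets the price of each guess; neither replaces a password policy (item 7 on the OWASP list above) or a breached-password check such as Have I Been Pwned.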
  14. Useful links
     - OWASP cheat sheet: http://bit.ly/2NuEqEq
     - Have I Been Pwned: https://haveibeenpwned.com/
     - Great self-security checklist from Volodymyr Styran: https://github.com/sapran/dontclickshit
  15. Access control mechanisms
     - Attribute-based access control (ABAC)
     - Role-based access control (RBAC)
     - User-based access control (UBAC)
     - Rule-based access control
     - Time-based access control
     ...and a lot more
  16. OAuth 2.0 is an authorization delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them. It enables a third-party application to obtain limited access to an HTTP service.
  17. OAuth 2.0 is...
     - ...about how to get the token and how to use the token
     - ...replaces the password-sharing antipattern with a delegation protocol that's simultaneously more secure and more usable
     - ...focused on a small set of problems and solving them well
  18. Tokens
     - Access token: carries the rights that have been delegated to the client; can be set to expire automatically
     - Refresh token: lets the client obtain a new access token without asking the user for authorization again
  19. Scopes: a set of rights at the protected resource. Scopes always limit what an app can do on behalf of a user.
     https://auth0.com/blog/on-the-nature-of-oauth2-scopes/
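Slides 18 and 19 describe the token lifecycle in words; the following Python is an added worked example, not code from the talk, that puts both sides of it in one place. An authorization server issues opaque, scoped, expiring access tokens together with refresh tokens, and a resource server checks the `Authorization: Bearer` header, expiry and the scope each operation needs. The refresh path shows the two rules testers should probe: a refresh token is good for one use (rotation), and it may narrow the scope but never widen it (RFC 6749 section 6). The redirect and consent steps that precede `grant()` are omitted; the client id, user names, scope names (`orders:read`, `orders:write`) and the `/me/orders` resource are assumptions made for this example.

```python
"""OAuth 2.0 token lifecycle in miniature: scoped, expiring access tokens; single-use
refresh tokens that can narrow but never widen scope; and a resource server that checks
expiry and scope on every request. Added example, not code from the talk."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    client_id: str
    user: str
    scopes: frozenset
    expires_at: float


@dataclass
class RefreshToken:
    client_id: str
    user: str
    scopes: frozenset


class AuthorizationServer:
    """Issues and introspects opaque tokens. The redirect/consent part of the authorization
    code flow is assumed to have happened before grant() is called."""

    def __init__(self, access_ttl: int = 3600):
        self.access_ttl = access_ttl
        self.access_tokens: dict[str, AccessToken] = {}
        self.refresh_tokens: dict[str, RefreshToken] = {}
        self.clock = time.time  # replaceable so that expiry can be demonstrated deterministically

    def _issue(self, client_id: str, user: str, scopes: frozenset) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = AccessToken(client_id, user, scopes, self.clock() + self.access_ttl)
        self.refresh_tokens[refresh] = RefreshToken(client_id, user, scopes)
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": refresh, "scope": " ".join(sorted(scopes))}

    def grant(self, client_id: str, user: str, granted_scopes) -> dict:
        """The user consented to exactly these scopes for this client."""
        return self._issue(client_id, user, frozenset(granted_scopes))

    def refresh(self, refresh_token: str, client_id: str, requested_scopes=None) -> dict:
        rt = self.refresh_tokens.get(refresh_token)
        if rt is None or rt.client_id != client_id:
            raise PermissionError("invalid_grant")  # unknown, already used, or another client's token
        scopes = rt.scopes if requested_scopes is None else frozenset(requested_scopes)
        if not scopes <= rt.scopes:
            raise PermissionError("invalid_scope")  # refresh may narrow the scope, never widen it
        del self.refresh_tokens[refresh_token]  # rotate: each refresh token is good for one use
        return self._issue(client_id, rt.user, scopes)

    def introspect(self, token: str) -> AccessToken | None:
        at = self.access_tokens.get(token)
        if at is None or at.expires_at <= self.clock():
            return None
        return at


class ResourceServer:
    """A protected API with one resource. Scope names and data are assumptions for this example."""
    REQUIRED_SCOPE = {"GET": "orders:read", "POST": "orders:write"}

    def __init__(self, auth_server: AuthorizationServer):
        self.auth = auth_server
        self.orders = {"alice": ["order-1", "order-2"], "bob": ["order-9"]}  # constructed sample data

    def handle(self, method: str, path: str, headers: dict) -> tuple[int, object]:
        authz = headers.get("Authorization", "")
        if not authz.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        tok = self.auth.introspect(authz[len("Bearer "):])
        if tok is None:
            return 401, {"error": "invalid_token"}  # unknown or expired: the client should refresh
        if path != "/me/orders":
            return 404, {}
        needed = self.REQUIRED_SCOPE.get(method)
        if needed is None:
            return 405, {}
        if needed not in tok.scopes:
            return 403, {"error": "insufficient_scope", "scope": needed}
        if method == "GET":
            return 200, list(self.orders[tok.user])
        self.orders[tok.user].append(f"order-{len(self.orders[tok.user]) + 10}")
        return 201, {}


if __name__ == "__main__":
    auth = AuthorizationServer(access_ttl=60)
    api = ResourceServer(auth)
    tokens = auth.grant("photo-app", "alice", ["orders:read"])
    bearer = {"Authorization": "Bearer " + tokens["access_token"]}
    print(api.handle("GET", "/me/orders", bearer))   # (200, ['order-1', 'order-2'])
    print(api.handle("POST", "/me/orders", bearer))  # (403, insufficient_scope)
```

The testable claims from the two slides map onto the checks in `handle()` and `refresh()`: a token issued with `orders:read` must get 403 on a write, an expired token must get 401 rather than a silent pass, a refresh token must stop working after its first use, and a refresh request that asks for `orders:write` on top of the granted `orders:read` must be refused with `invalid_scope`.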
  20. OWASP Testing Guide: authorization testing
     1. Directory traversal/file include
     2. Bypassing authorization schema
     3. Privilege escalation
     4. Insecure Direct Object References (IDOR)
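Item 4 here is the same weakness as API1 on slide 4 (Broken Object Level Authorization), and it is the one a functional tester can find with nothing but two accounts. The following Python is an added worked example, not code from the talk: a handler that authenticates the caller but never checks that the requested object belongs to them, the fixed handler, and the two-account probe a tester runs against both. The invoice data, session cookies and the `GET /invoices/{id}` endpoint are constructed for this example.

```python
"""Insecure Direct Object Reference (IDOR), the API Top 10's Broken Object Level Authorization:
a handler that authenticates but never authorizes at object level, the fixed handler, and the
two-account check a tester runs against both. Added example, not code from the talk."""
from __future__ import annotations

# Constructed sample data: sequential, guessable ids and two users who each own one invoice.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 9999.00},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session id -> authenticated user


def current_user(headers: dict) -> str | None:
    """Authentication only: map the session cookie to a user, or None if not logged in."""
    cookie = headers.get("Cookie", "")
    session_id = cookie.split("session=", 1)[1] if "session=" in cookie else ""
    return SESSIONS.get(session_id)


def get_invoice_vulnerable(headers: dict, invoice_id: int) -> tuple[int, dict | None]:
    """GET /invoices/{id}: checks that *someone* is logged in, then trusts the id."""
    user = current_user(headers)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice  # any authenticated user can read any invoice


def get_invoice_fixed(headers: dict, invoice_id: int) -> tuple[int, dict | None]:
    """Same endpoint with the object-level check: the row must belong to the caller."""
    user = current_user(headers)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    # 404 for both "does not exist" and "not yours", so the response does not confirm
    # that another user's id is valid.
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


def idor_probe(handler, attacker_headers: dict, victim_ids) -> list[int]:
    """Tester's check: authenticate as account A, request ids known to belong to account B,
    and report every id that comes back 200. Any hit is a finding."""
    return [oid for oid in victim_ids if handler(attacker_headers, oid)[0] == 200]


if __name__ == "__main__":
    alice = {"Cookie": "session=sess-alice"}
    print("vulnerable:", idor_probe(get_invoice_vulnerable, alice, [1002]))  # [1002]
    print("fixed:     ", idor_probe(get_invoice_fixed, alice, [1002]))       # []
```

The same probe covers item 3, privilege escalation, when the second account is an administrator rather than another ordinary user: log in as the low-privilege account and request the objects and actions that only the admin should reach. The fix is also the same in shape, a check on every request that the authenticated identity is allowed to touch this particular object, rather than a check that somebody is logged in.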
  21. Identity and Access Management (IAM): providing the right people with the right access at the right time
     Access Management
     - Authentication: Single Sign-On, Session Management, Password Service, Strong Authentication
     - Authorization: Role-Based, Rule-Based, Attribute-Based, Remote Authorization
     Identity Management
     - User Management: Delegated Administration, User and Role Management, Provisioning, Password Management, Self Service
     - Central User Repository: Directory, Data Synchronization, Meta Directory, Virtual Directory
  22. IAM best practices
     - Immutable private identifiers / mutable public identifiers
     - Decouple biometrics from other PII
     - Externalize access control rules
     - Self-expressive credentials
     - Privileged accounts are a different species
     https://medium.facilelogin.com/ten-iam-design-principles-57351b6c69b2
  23. Conclusions
     - For better understanding, dig into the system
     - Use heuristics to remember things
     - Use cheat sheets and don't trust your memory
     - Update your passwords and turn on MFA today