week02

COMP6443

Thanks Lachlan+Andrew for some of the slides

Good Faith Policy

We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times.

TLDR: Don’t be a dick

sec.edu.au/good-faith-policy

Admin

  • Challenges
  • Create report groups (will do later)
  • Correction: Points do not necessarily indicate difficulty

Challenges

  • Flags for approximately a CR
    • Sales flag
    • 3 Blogs
    • Files
    • Support
  • Due Sunday 3/3

Content

  • HTTP + TLS
  • Authentication
    • Sessions
    • Tokens (JWT, Flask, Express etc)
    • Cookies
  • Authorization
    • Permission control
  • IDOR

Authentication

  • Verifying that your identity is authentic
  • Factors of authentication are something you
    • Know (e.g. Password)
    • Are (e.g. Biometric)
    • Have (e.g. Hardware Key + Cookie)
  • Status Code 401 Unauthorized
    • When no valid authentication is sent

Authentication

Cookies

  • Cookies are used for session persistence
  • Usually authentication data + other data
    • Session
    • Authentication Token
    • Ad tracking (still identification)
  • Set (and stored) by the server and sent to the client
  • Stored by the client and sent to the server
  • Target for hackers, why?

Authentication

How 2 Hax Cookies

  • Cookies are used as authentication
  • Can be stolen or abused using:
    • Cross-site scripting (XSS)
    • MITM attacks
    • Cross-site request forgery (CSRF)
  • Can be forged (baked)
    • Poor implementation (e.g. incremental/plaintext)
    • Unsigned

Authentication

  • Expiry
  • HttpOnly (blocks script access, so XSS can't read the cookie)
  • Secure (sent only over HTTPS, mitigating MITM)
  • SameSite (not sent on cross-site requests, mitigating CSRF)
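An added example, not from the slides, tying the two cookie slides together in plain Python: a session cookie that cannot be forged ("baked") because it is HMAC-signed and non-incremental, emitted with Expiry, HttpOnly, Secure and SameSite set. The secret key, cookie name and user id are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo secret: a real server loads this from config, never source.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(user_id: str) -> str:
    """Mint 'payload.tag'. The random nonce makes the value non-deterministic;
    the HMAC over the payload means editing user_id invalidates the tag."""
    payload = f"{user_id}:{secrets.token_hex(8)}".encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session(cookie_value: str):
    """Return the user_id only if the signature verifies, else None."""
    try:
        payload_b64, tag_b64 = cookie_value.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed cookie, treat as unauthenticated (401)
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # constant-time compare: no timing leak about where the tag differs
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.decode().split(":", 1)[0]


def set_cookie_header(value: str, max_age: int = 3600) -> str:
    """Build the Set-Cookie header carrying the four protections above."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["max-age"] = max_age    # Expiry
    cookie["session"]["httponly"] = True      # HttpOnly: no document.cookie
    cookie["session"]["secure"] = True        # Secure: HTTPS only
    cookie["session"]["samesite"] = "Strict"  # SameSite: no cross-site sends
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```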

Authorization

  • Controlling who has access to what (policy)
  • Principle of least privilege
  • Used with authentication to restrict access
  • Status Code 403 Forbidden

IDOR

Insecure Direct Object Reference Vulnerability

  • Examples of an object
    • Users
    • Pages
    • Groups
  • Attackers can access/modify objects
  • Can be exploited when lacking authn/authz
  • Often due to deterministic ids

Preventing IDOR

  • Use non-deterministic ids (e.g. UUIDs)
  • Strong authorisation policies
    • Restrict access
    • Constantly verify

Tools

Note: there will always be better tools; go find them.

Questions?

  • Did I miss something?
  • More depth?