week02

COMP6443

Good Faith Policy

We expect a high standard of professionalism from you at all times while you are taking any of our courses. We expect all students to act in good faith at all times.

TLDR: Don’t be a dick

sec.edu.au/good-faith-policy

Admin

  • Challenges
  • Marking
  • Create report groups (will do later)

Challenges

  • Flags for approximately a CR
    • Sales flag
    • 3 Blogs
    • Files
    • Support

Content

  • HTTP + TLS
  • Authentication
    • Sessions
    • Tokens (JWT, Flask, Express etc)
    • Cookies
  • Authorization
    • Permission control
  • IDOR

Authentication

  • Verifying that your identity is authentic
  • Factors of authentication are something you
    • Know (e.g. Password)
    • Are (e.g. Biometric)
    • Have (e.g. Hardware Key)
  • Status Code 401 Unauthorized
    • When no valid authentication is sent (yes, I know it says unauthorized…)

Passwords

  • Hashing
    • One way function
  • Salting
  • Just use argon2 (or bcrypt)

MFA

Multi-factor Authentication

  • TOTP
    • QR Code

Cookies

  • Cookies are used for session persistence
  • Usually authentication data + other data
    • Session
    • Authentication Token
    • Ad tracking (still identification)
  • Set (and usually stored) by the server and sent to the client
  • Stored by the browser and sent to the server in future requests
  • Target for hackers, why?

How 2 Hax Cookies

  • Cookies are used as authentication
  • Can be stolen using:
    • Cross-site scripting (XSS)
    • MITM attacks
  • Can be forged (baked)
    • Poor implementation (e.g. incremental/plaintext)
    • Unsigned
  • Poor cookie protection can be abused via:
    • Cross-site request forgery (CSRF)

Cookie Settings

  • Expiry
  • HttpOnly (prevents theft via XSS: script can't read the cookie)
  • Secure (prevents MITM: only sent over HTTPS)
  • SameSite (prevents CSRF: limits sending on cross-site requests)
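Added example (not from the slides or any framework): a minimal HMAC-signed session cookie showing why an unsigned cookie can be "baked" and a signed one can't, plus a Set-Cookie header carrying the four settings above. The names SECRET_KEY, issue_session, verify_session, tamper_claims and build_set_cookie are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret: in practice loaded from config, never hard-coded.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(claims):
    """Encode claims as payload.signature, a Flask-style signed cookie."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)


def verify_session(cookie):
    """Return the claims only if the signature checks out, else None."""
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # bad split, bad base64 and bad JSON all land here
        return None


def tamper_claims(cookie, new_claims):
    """Re-bake the payload with edited claims but the old signature: the
    'forged (baked)' cookie from the slide, which only works if unsigned."""
    _, sig = cookie.split(".", 1)
    return _b64(json.dumps(new_claims, sort_keys=True).encode()) + "." + sig


def build_set_cookie(name, value, max_age=3600):
    """Set-Cookie header with the slide's four settings:
    Expiry (Max-Age), HttpOnly, Secure, SameSite."""
    return (name + "=" + value + "; Max-Age=" + str(max_age)
            + "; Path=/; HttpOnly; Secure; SameSite=Lax")
```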

Authorization

  • Controlling who has access to what (policy)
  • Used with authentication to restrict access
  • Principle of least privilege
  • Status Code 403 Forbidden

SSO

Single sign-on

  • SAMLv2
  • OIDC
  • Outsources authentication to a trusted provider
  • Use this where possible

OAuth 2.0

Standard to grant authorization to Application A to access resources on Application B

OAuth 2.0

  • Examples:
    • Google, Github, Discord
  • Able to be scoped to adhere to the principle of least privilege
  • Allows for Application A to access resources you control on Application B without your password
  • Doesn’t inherently provide authentication
    • OIDC builds on OAuth 2.0 to provide authentication.

OAuth 2.0 Flow

IDOR

Insecure Direct Object Reference Vulnerability

  • Examples of an object
    • Users
    • Pages
    • Groups
  • Attackers can access/modify objects
  • Can be exploited when lacking authn/authz
  • Often due to deterministic ids

Preventing IDOR

  • Use non-deterministic ids (e.g. UUIDs)
  • Strong authorisation policies
    • Restrict access
    • Verify authN/authZ on every request

Tools

Note: There will always be better tools, go find them

Questions?

  • Did I miss something?
  • More depth?
  • Any intro challenge you want me to talk through?