WEBVTT

[0:00:04.660] authentication in web application. So welcome everyone to the first section of this course. We're going to be kicking off by getting an understanding, or I should say revisiting, authentication in web applications. And the objective of this section is to give you that introduction, or a recap if you will, of authentication and the role it plays in modern web applications. And so again, by this point you probably are or may be an experienced web app pen tester or bug bounty hunter. And again, this is something that you may want to skip over. However, I do recommend that you go through it because it's going to be quite important, especially as we progress in this course and we start exploring various forms of authentication mechanisms that go beyond the scope of maybe the stuff that you're accustomed to, namely JWT tokens etc. But the bottom line is this section or module of the course is there to essentially reintroduce you or introduce you to authentication in web applications and go over some of the important stuff that again I think is fairly important.

[0:01:29.740] So with that being said, let's get started, and the best starting point is to understand or to get an understanding as to what authentication is. So let's start off generally speaking, right?
[0:01:44.280] So authentication is a fundamental process in cybersecurity and application security. And it's responsible for verifying the identity of users or systems attempting to access resources. Its primary purpose is to ensure that only legitimate users, that's the keyword, legitimate, can access sensitive data, systems or functionalities. More specifically, authentication in web applications or in websites, whatever you want to call them, is the process of verifying a user's identity to ensure only legitimate users can access protected resources, or resources that they are authorized to access, essentially establishing the foundation for secure interactions.

[0:02:33.820] Now I'll be using a couple of analogies to help you understand this. And that will sort of give you an idea as to why this section is important, especially if you haven't revisited authentication in quite a while. Again, I'm assuming you have some experience in web app testing. But the best way to think about it is just think of a room that is locked, or that you can only access through a door, right? And the door has a locking mechanism that you can open with a key or a keypad, biometrics, whatever. The bottom line is that the door in conjunction with the locking mechanism is what you consider authentication, right?
[0:03:21.920] And the authentication mechanisms, things like passwords, two-factor authentication, are the locking mechanism that's part of the door. And their job is to ensure that only the individuals who are authorized to access the room, or whatever is in the room, can access the room, and those who do not, i.e. those who don't have the key or do not have the correct biometrics, cannot access it. So this is sort of, you know, quite fundamental and very, very important. And again, you know, I'm sort of using or I'm taking a very basic approach, and that's going to be important because authentication has evolved over the last, you know, 10 or 20 years. And it's important that we always go back to the root to understand what authentication is and what it's supposed to be. And then we'll start to see the link between authentication and, you know, session management and how those two play together, if you will, or how they come together.

[0:04:25.320] So hopefully that analogy, you know, sort of explained exactly what authentication is all about. But, you know, moving on a little bit, if you are a, you know, web app pen tester, or if you have some experience in testing web applications, you know, either on the offensive side or even securing them, you may have heard of authentication and authorization, right?
[0:04:50.760] Now, the reason why I'm sort of explaining these two, or I'm trying to make the distinction between them, is because these two usually get conflated. So in order for us to understand, you know, where to draw the line when we're talking about authentication and authorization, we need to define authorization in the context of web applications. So authorization in web applications is the process of determining what an authenticated user is allowed to do, such as accessing specific resources or performing certain actions.

[0:05:25.940] So returning to the door or the locked room analogy, let's assume you do have the key and you are allowed to access the room. Well, authorization essentially determines, for example, what you can do in the room. So where you can sit, what files you can access, stuff like that. So you may be able to get into the room, but what you can do within the room, again, let's assume the room has filing cabinets or, you know, some data in there, or let's say computers, authorization determines what you're allowed to do once you're authenticated. So simply put, authentication is about verifying who the user is, while authorization determines what an authenticated user is allowed to do. That's really the best way of differentiating between the two.
[0:06:20.200] And again, you'll see this quite often; it's also starting to become part of the nomenclature in web app pen testing or bug bounty hunting that these two get conflated with each other. Now you can obviously tell, based on what I've told you, that they are closely linked. And you know, that is true. However, they are different. And if you understand this distinction, I think it's going to help you a lot, not just within this course or certification, but also when performing your web app pen tests from a methodological point of view.

[0:06:55.940] Now, I've also noted here, you know, sort of reiterating the importance of understanding the difference between the two. So they're often used together or conflated with each other. But they serve distinct functions in security, more specifically web application security. So I've also, you know, set out a table here that goes a bit beyond my basic or succinct explanation in the previous slide, where I use various criteria to help you understand how these two differ from one another. So the criteria are, you know, the definition, obviously, the purpose, so what each of these is used for, what, you know, the goal is, the process, so the processes involved in actually performing these tasks, the outcome, and an example.
[0:07:53.880] So in the case of authentication, the definition is that, you know, it verifies the identity of a user or a system. In the case of authorization, it determines what an authenticated user is allowed to do. I explained this in the previous slide, but it's always good to hear stuff again. Now, what's the purpose? The purpose in the case of authentication is to establish who the user is. Right. So who are you? And then based on that, and we'll get into this in a later video, based on that, what are you able to access? And you can see that that leads into authorization. So authorization specifies what resources and actions the user can access.

[0:08:39.160] Now, in terms of the process, and this is very important, when we talk about authentication, obviously in the context of web applications, and even, you know, operating systems or computers in general, the process behind authentication involves checking credentials. Now, we'll, you know, we'll be exploring what type of authentication, or the various authentication mechanisms, and the various types of identifiers that can be used to, again, facilitate authentication. But you know, it involves checking credentials. Examples of this are passwords, tokens, etc.
[0:09:15.500] In the case of authorization, it does something a little bit different. So this involves checking permissions and roles against resources. And then the outcome, fairly obvious for authentication, is that it results in a confirmed identity. So if you do exist, or if you are allowed, or if your credentials are correct, then you can access the room, using the analogy I brought up earlier. So in the context of a web application, you either get logged in, or, you know, you stay logged out for a plethora of reasons. In the case of authorization, the outcome results in granted or denied access to specific resources or actions.

[0:10:02.140] A good example, or another analogy for, you know, the difference, that sort of exposes the key difference in terms of the outcome between authentication and authorization, is, you know, logging in to, let's say, a website and trying to access the admin panel. Well, logging in is, you know, the authentication phase. And then trying to access specific resources is where authorization comes into play. And the outcome, or rather the process that typically follows under authorization, is: okay, you're logged in. But let me check and see whether you are actually allowed to access the admin panel.
[0:10:47.140] And then based on your role or permissions that have been assigned to your account, you are then able to either access the admin panel or not. So authorization is very, very important. But, you know, both of these work in tandem. So authorization typically comes into play, you know, after a user has successfully authenticated. But that's not always the case. Because remember, authorization can also involve, you know, checking whether the user is logged in before granting access to a specific file or a specific area within a website. So they are very closely linked. And it's very important you understand this, these very, very nuanced differences between the two.

[0:11:36.200] And of course, an example here in the case of authentication is logging in with a username and password. And then, in the case of authorization, determining if the logged-in user can access a resource; the resource can be anything at all. But, you know, I think you're starting to get an understanding of the difference between the two. Finally, you know, that brings us to the importance of authentication, right? And we'll see this as we progress.
[0:12:03.660] But authentication, as you've been able to tell, if you didn't already know, is crucial for web application security and security in general, because it serves as the first line of defense against unauthorized access to sensitive data, resources and functionalities. By confirming user identities, authentication helps protect against data breaches, account takeovers and other security threats that, again, we'll be looking at or taking a look at in this course, essentially ensuring that only legitimate users can interact with restricted areas of the application.

[0:12:47.520] So, bottom line is that authentication is very, very important in modern web applications for obvious reasons. This is something that I'm sure you're aware of. Everyone logs into a website, but you need to actually understand the logical segregation, at least in the case of this video, between authentication as a process and what the outcomes are, and authorization. So, you need to understand that when you cannot access the admin panel, it has nothing to do with authentication. It has everything to do with authorization.
[0:13:27.740] And the reason why I'm sort of emphasizing this is because this is usually what separates an average web app pen tester from a good one: being able to understand and to describe exactly what a vulnerability is, or, again, vice versa, looking at a vulnerability and being able to tell that's an authorization vulnerability. And, again, likewise, that's an authentication vulnerability. So, I'm sort of trying to give you a framework for approaching web application penetration testing as a whole. But in the case of this course, authentication attacks specifically. With that being said, that's going to be it for this video. And I'll be seeing you in the next video.