1
00:00:00,070 --> 00:00:06,360
Well, let's talk about broken authentication, which is second in the list for the top 10.

2
00:00:06,360 --> 00:00:09,900
Now, if you want to go to this page, I will link it down in the references.

3
00:00:09,900 --> 00:00:13,590
Or you could just go to Google and say, "Oh, what's broken authentication?"

4
00:00:13,590 --> 00:00:16,190
And it should be the first one that pops up.

5
00:00:16,260 --> 00:00:22,120
So when we talk about broken authentication, there's a lot of different attacks here.

6
00:00:22,200 --> 00:00:28,410
And if we look at the "Is the application vulnerable?" section, I kind of just want to talk through this, and some

7
00:00:28,410 --> 00:00:30,890
of these are going to be very familiar to you.

8
00:00:30,900 --> 00:00:38,440
So when we talk about authentication, we're talking about how can we get access to this application.

9
00:00:38,580 --> 00:00:38,880
Right.

10
00:00:38,910 --> 00:00:41,670
And how can we authenticate to the device.

11
00:00:41,730 --> 00:00:45,200
Now, there is a bunch of different options here.

12
00:00:45,210 --> 00:00:51,750
If we go down the list, it says: does it permit attacks such as credential stuffing?

13
00:00:51,750 --> 00:00:55,980
So can we just supply a valid list of usernames and passwords and gain access?

14
00:00:55,980 --> 00:00:57,730
You've seen that in the past.

15
00:00:57,810 --> 00:01:03,030
And when you're talking against a web application, that's considered broken authentication. Does it allow

16
00:01:03,030 --> 00:01:04,490
brute force attacks?

17
00:01:04,500 --> 00:01:07,490
So there should be some sort of rate limiting that's happening.

18
00:01:07,680 --> 00:01:15,600
If we are giving a brute force attack to a website, or conducting a brute force attack, and we are

19
00:01:15,600 --> 00:01:22,320
able to submit hundreds upon hundreds upon hundreds of requests, then that's an issue.

20
00:01:22,320 --> 00:01:23,660
Right.
21
00:01:23,790 --> 00:01:32,520
And that is going to cause a situation where we are able to log in with an account, given enough time.

22
00:01:32,520 --> 00:01:37,100
Another thing: it says, does it permit default, weak, or well-known passwords?

23
00:01:37,110 --> 00:01:40,480
Well, admin/admin is such a real thing.

24
00:01:40,500 --> 00:01:46,650
If you encounter a website and you find a login portal, you should be looking for something like admin

25
00:01:46,680 --> 00:01:52,620
admin, or you should be looking for default credentials if it's something that is a well-known service,

26
00:01:52,620 --> 00:01:59,130
something like, for example, Apache Tomcat, which you saw in an earlier video where we log in with default

27
00:01:59,130 --> 00:02:05,820
credentials. In the next video we're going to talk about the next one, which is using weak or ineffective

28
00:02:05,820 --> 00:02:09,350
credential recovery or forgot password processes.

29
00:02:09,570 --> 00:02:17,010
And this is where, if you have the forgot password process, you go there and maybe something like on the

30
00:02:17,010 --> 00:02:20,870
screen is the question for the user, or the question that they're going to ask.

31
00:02:20,880 --> 00:02:26,640
And we see this a lot, and it's just bad practice because that might be guessable, like "What street

32
00:02:26,640 --> 00:02:27,600
did you grow up on?"

33
00:02:27,840 --> 00:02:33,120
Well, you know, there's only so many streets that we can pick out there, or if we do a little bit of research

34
00:02:33,180 --> 00:02:38,730
on this person, guess what, we can probably figure out where they grew up, what street they grew up on,

35
00:02:39,150 --> 00:02:41,000
and narrow it down.

36
00:02:41,400 --> 00:02:47,740
So, you know, this is just repetition here on a lot of this stuff. Skipping down a bit.
37
00:02:47,760 --> 00:02:53,370
Does the website have multi-factor authentication? Meaning, if we do credential stuffing and we do log

38
00:02:53,370 --> 00:02:58,380
in as the user, is it going to block us once we log in with multi-factor and say, "Hey, we need something

39
00:02:58,380 --> 00:03:04,980
else from you," or is it just gonna let us in? And other things it's asking about: does it expose the session

40
00:03:05,010 --> 00:03:11,220
I.D. in the URL? So sometimes your session I.D. or your cookie is going to be in your URL, which

41
00:03:11,220 --> 00:03:12,600
is not good.

42
00:03:12,630 --> 00:03:16,830
It's not best practice. And will it rotate your session I.D.?

43
00:03:16,830 --> 00:03:22,100
So what happens is, when you log in, you should get a session I.D.

44
00:03:22,440 --> 00:03:25,910
And it should rotate. Some websites, when you go to the website,

45
00:03:25,910 --> 00:03:31,590
it gives you a session I.D., and then you log in and then it rotates; you log out and it rotates.

46
00:03:31,590 --> 00:03:37,450
Some other websites, you log in and the session I.D. stays the same,

47
00:03:37,590 --> 00:03:40,870
and you log out and the session I.D. stays the same.

48
00:03:40,890 --> 00:03:43,650
That is what's called session fixation.

49
00:03:43,650 --> 00:03:46,010
And that could get really dangerous as well.

50
00:03:46,650 --> 00:03:54,600
And so just looking over these, it's all dealing with authentication issues, and it's a big bucket

51
00:03:54,600 --> 00:04:01,580
of things that it could fall into. And for this one, we're not going to talk prevention in a separate

52
00:04:01,580 --> 00:04:02,490
video.

53
00:04:02,510 --> 00:04:08,330
We're just gonna talk prevention kind of as we go through this, but, you know, you should be checking

54
00:04:08,330 --> 00:04:09,430
your website.

55
00:04:09,440 --> 00:04:12,160
You should have multi-factor authentication, right?

56
00:04:12,170 --> 00:04:14,850
You shouldn't be using weak credentials.
57
00:04:14,900 --> 00:04:18,110
You should be rotating your session I.D.

58
00:04:18,110 --> 00:04:22,850
A lot of this is kind of like common sense, but it's overthought, or overlooked,

59
00:04:22,850 --> 00:04:25,660
I should say, when developing applications.

60
00:04:25,670 --> 00:04:27,630
So these are just easy wins for us.

61
00:04:27,650 --> 00:04:33,100
You should have, you know, rate limiting when you're doing brute force attacks, or you should have, like,

62
00:04:33,110 --> 00:04:39,230
a CAPTCHA on there, or something that will prevent me from attacking your website or your login over

63
00:04:39,230 --> 00:04:40,810
and over and over.

64
00:04:41,060 --> 00:04:43,640
You should not be allowing weak credentials.

65
00:04:43,640 --> 00:04:45,720
You should be doing checks for those.

66
00:04:45,860 --> 00:04:51,780
You should have, you know, just preventative measures in place for all of these sorts of attacks.

67
00:04:51,980 --> 00:04:59,030
And for reference, this is great down here, again, the cheat sheets on different things and different types

68
00:04:59,030 --> 00:05:04,880
of attacks in here. Session fixation, you could see, is actually in my history because I navigate to this

69
00:05:04,880 --> 00:05:05,990
quite a bit.

70
00:05:05,990 --> 00:05:07,790
This is one that we find quite a lot.

71
00:05:07,790 --> 00:05:09,830
And we'll cover this one in the reporting section.

72
00:05:09,830 --> 00:05:10,880
So keep that in mind.

73
00:05:10,900 --> 00:05:17,230
Again, we'll have a great example of session fixation for you in the reporting section.

74
00:05:17,270 --> 00:05:23,810
So from here we're going to go into a how-to video where we're just going to talk about testing for it and

75
00:05:23,810 --> 00:05:25,830
looking for broken authentication.
76
00:05:26,000 --> 00:05:30,320
And I'm going to talk about some minor findings that we might encounter as well, and how we're going

77
00:05:30,320 --> 00:05:32,980
to look for those and just how we would test for this,

78
00:05:32,980 --> 00:05:37,340
more so than the vulnerabilities that are there.

79
00:05:37,340 --> 00:05:39,490
And I'll explain next video why we're doing that.

80
00:05:39,650 --> 00:05:42,650
So I'll catch you over in the next video, and we'll start testing for broken authentication.