Input Validation and Authentication

Questions and Answers

What is the primary goal of input validation?

  • To consider all user input as potentially malicious. (correct)
  • To allow the application to trust all user data.
  • To speed up the application's processing time.
  • To ensure users can input any data they want.

Which input validation technique lists out what is invalid, and blocks it?

  • Redlist validation
  • Blacklist validation (correct)
  • GreyList validation
  • Whitelist validation

Why is it extremely difficult to implement blacklist validation effectively?

  • Blacklists require constant updates.
  • Blacklists are too short to be useful.
  • It's impossible to predict every possible malicious input. (correct)
  • Maintaining a blacklist is expensive.

Which of the following is the primary characteristic of whitelist validation?

  • Allowing only what is explicitly permitted. (A) (correct)

When are regular expressions (regex) a good choice for input validation?

  • When inputs are complex, requiring more sophisticated validation logic. (D) (correct)

In the context of input validation, what does 'defense-in-depth' mean?

  • Applying multiple layers of validation at different points. (D) (correct)

What is the purpose of 'attack surface reduction'?

  • To minimize the amount of code and functionality accessible to untrusted users. (C) (correct)

What is the 'principle of least privilege' in the context of attack surface reduction?

  • Granting users the minimum permissions necessary to perform their tasks. (C) (correct)

How does deactivating features contribute to attack surface reduction?

  • It reduces the number of potential vulnerabilities. (B) (correct)

What does it mean to say that an untrusted input is 'attacker controllable'?

  • The input can be manipulated by a malicious user. (B) (correct)

What is the MOST LIKELY consequence of failing to validate data pulled from a database?

  • Compromise due to a vulnerability if the database data's origin is untrusted. (A) (correct)

What are the two fundamental steps involved in authentication?

  • Identification and Confirmation (A) (correct)

What does authentication primarily confirm?

  • If a user is who they claim to be. (C) (correct)

In access control, what is the purpose of 'authorization'?

  • To determine what a validated identity can access. (A) (correct)

Which of the following is an example of authentication based on 'something you have'?

  • A security token (C) (correct)

What is a key drawback of using biometrics for authentication?

  • Sensors can be expensive. (B) (correct)

What is the definition of multi-factor authentication?

  • Using multiple authentication factors from different categories. (D) (correct)

Why is using multiple factors from the same class not considered true multi-factor authentication?

  • It does not increase the number of factors. (C) (correct)

What is the most common method for authenticating users to web applications?

  • Usernames and passwords (C) (correct)

Which of the following is a primary benefit of Single Sign-On (SSO)?

  • Reduced number of credentials for users to manage. (C) (correct)

What is a significant weakness of Basic HTTP authentication?

  • It transmits credentials in plaintext or easily decoded form. (B) (correct)

What potential security risk is introduced by implementing custom authentication systems?

  • Implementation flaws that bypass security measures. (D) (correct)

What is a common method to defend against online password attacks?

  • Enforcing account lockout after multiple failed attempts. (B) (correct)

An application stores passwords by hashing them with the extremely fast MD5 algorithm, and does not implement salting. What kind of attack is MOST concerning in this scenario?

  • A rainbow table attack (A) (correct)

A software development team stores passwords using bcrypt with a cost factor of 6. Although this algorithm is a key derivation function, it is still vulnerable to brute-force attacks. The team, recognizing this, implements dynamic account lockout: after 3 invalid login attempts the account is locked, and the lockout period doubles with each further failure. Assuming the initial lockout period is 1 second, how long after the seventh failed login attempt will the attacker have to wait before trying another password?

  • 16 seconds (A) (correct)

Flashcards

Input Validation

Ensuring user-supplied data meets specific criteria before processing.

Blacklist Validation

Listing inputs that are not allowed and preventing them from being processed.

Whitelist Validation

Listing and only allowing inputs that match approved entries.

Regular Expression

Matching input against patterns using special characters and syntax.

Authentication

Verifying users are who they claim to be.

Access Control

A system that regulates access to data or functionality.

Authentication

The process of proving that you are who you claim to be.

Authorization

Determining if a validated identity has the rights to access certain data.

Attack Surface Reduction

A defense strategy to reduce the points of potential compromise in a system.

Principle of Least Privilege

Granting users only the minimum permissions necessary.

Two-Factor Authentication (2FA)

Using factors from two different categories for authentication.

Three-Factor Authentication (3FA)

Using factors from each of the three categories for authentication.

Username and Password Authentication

A standard method for authenticating users to applications.

Single Sign-On (SSO)

Enables a user to log in once and gain access to multiple systems.

Secure Error Message Handling

Fail securely, reveal nothing sensitive, prevent abuse, and recover gracefully.

Something you are

Base authentication on something intrinsic to the principal.

Email verification Best Practice

Account verification is essential to the security of modern applications.

HTTP Cookie

A value stored in the user's web browser that retains state across requests.

Session ID validation

Validate session ID at every request.

Account Lockout

Security measure that temporarily blocks access after multiple failed login attempts.

Study Notes

  • Input validation and authentication are vital security measures
  • Dr. Alia Alabdulkarim prepared the content

Input Validation

  • Never trust user input; treat it as potentially harmful until it has been validated
  • Applications exist to serve users, so accepting user input is unavoidable
  • Email addresses and credit card data are examples of user input
  • Validate all user input; users, in turn, rely on the application to protect them from spam and similar abuse
  • There are two input validation approaches: blacklist validation and whitelist validation

Blacklist Validation

  • A blacklist identifies invalid inputs and blocks anything matching the list
  • Creates a list of possible unwanted malicious inputs
  • Listing every possible unwanted or malicious input value is extremely difficult
  • Blacklists will change over time

Blacklist Example - Restaurant Dress Code

  • A restaurant dress code is presented as an example
  • Listing all possible inappropriate clothing is challenging when creating a blacklist

Blacklist Failure Points

  • Blacklisting is harder still when the goal is to block access to particular files or URLs
  • The example page considered is www.site.cxx/my page.html
  • Listing every possible way to encode an apostrophe illustrates the same difficulty

Whitelist Validation

  • A whitelist lists out and matches only what should be allowed
  • Any input not matching the whitelist is rejected

Whitelists and Input Types

  • Drop-down lists and radio buttons constrain input to a fixed set of choices, which is itself a form of whitelist
  • The input must still be validated on the server
  • A car configuration application offers exterior paint colours of Midnight Blue, Sunset Red, and Canary Yellow
  • The validation logic compares the submitted value against the list of these 3 options
  • Submitting Shimmering Silver causes a validation failure because it is not one of the valid options

Whitelist Security

  • It is impossible to defend server-side logic by implementing defenses on the client side
  • Validation logic on the client side can be bypassed
  • Attackers can bypass user input constraints set by user interface objects like dropdown lists

Regular Expressions (Regex)

  • Checking the incoming value against a predefined list works when the input is a choice among known options
  • A list cannot cover every kind of input; for example, there is no finite list of valid email addresses to check against
  • Regular expressions provide whitelist validation logic for these more complicated inputs
  • A regular expression describes the pattern that all acceptable input must match, instead of enumerating the values
  • Client-side validation improves performance, but does not replace validation on the server
  • It is recommended to re-use well-tested regular expressions that other people have created

Standard Expressions

  • Regex includes email expressions such as ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,63}$ (the dot before the top-level domain must be escaped so it matches a literal ".")
  • Regex also includes date expressions such as ^(19|20)\d\d- /.- /.$
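As an added example (not code from the lecture notes), the car configurator whitelist and the email pattern above, implemented server side in Python so that a bypassed drop-down or a malformed address is rejected with a clean error rather than an exception. The form field names and the 254-character length cap are assumptions.

```python
import re

# Constructed whitelist for the lecture's car configurator example.
PAINT_COLORS = {"Midnight Blue", "Sunset Red", "Canary Yellow"}

# The lecture's email pattern, with the dot before the top-level domain
# escaped so it matches a literal "."; re.IGNORECASE accepts lowercase input.
EMAIL_RE = re.compile(r"^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,63}$", re.IGNORECASE)
MAX_EMAIL_LEN = 254  # assumed cap; a length check runs before the regex


def validate_color(value: str) -> str:
    """Whitelist check: accept only an exact entry from the list.

    The server must do this even though the client shows a drop-down,
    because the drop-down constraint can be bypassed.
    """
    if value not in PAINT_COLORS:
        raise ValueError("invalid paint color")
    return value


def validate_email(value: str) -> str:
    """Regex whitelist: the pattern describes every acceptable address."""
    if len(value) > MAX_EMAIL_LEN or not EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email address")
    return value


def handle_order(form: dict) -> dict:
    """Validate a submitted form; fail closed with a generic error."""
    try:
        color = validate_color(form.get("color", ""))
        email = validate_email(form.get("email", ""))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "color": color, "email": email}
```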

Attack Surface Reduction

  • Attack surface = choke points = points of failure
  • The attack surface is all of your application code and functionality that any untrusted user can reach
  • Adding a new feature adds a potential point of failure to your application
  • User features should be optional, so they can be activated or deactivated
  • Reducing the attack surface is an effective defense against known attacks and a hedge against zero-days

Rules of Thumb

  • Use the "principle of least privilege"
  • Grant users the minimum permissions they need
  • Perform authorization checks
  • Use separate access accounts to administer different types of users
  • Minimize the number of distinct programming calls and objects used in code
  • Use the lighter DataTable objects in place of full DataSets where possible

Validation Best Practices

  • Input validation and attack surface reduction are vital security practices even on their own

Authentication

  • The process of proving that you are who you claim to be

Access Control Overview

  • Web applications must ensure that users can access only the protected assets they are entitled to
  • This requires a strong access control system
  • Access control is the mechanism that regulates access to data or functionality

Definitions

  • "Subject" is the person or thing performing an action
  • "Object" is the recipient or target of that action, i.e. the thing being requested
  • Access control has 2 parts: first the subject proves its identity, then the system checks whether it should have access
  • "Authentication" confirms the identity, for example with a username and password
  • "Authorization" determines whether the validated identity has the right to do what it is asking

Process

  • Claim to be a certain identity by providing an identifier
  • Prove that identity by providing an authentication factor
  • Verification through the identity datastore
  • If proven, a persistent authentication token is returned to the user

Authentication steps

  • Identification and authentication (confirmation) are the two steps
  • Without authentication, authorization is not possible, and vice versa

Proving Identity

  • The authentication classes are something you know, something you have, and something you are
    • Something you know: passwords, PINs, passphrases
    • Something you have: digital certificates, smart cards
    • Something you are: fingerprint, hand geometry, topography of your face

Factors

  • Something you know may be forgotten
  • Easy passwords may be guessed
  • A reset mechanism for forgotten or compromised passwords must be provided
  • Something you have must be carried with you at all times
  • Objects may be stolen
  • Something you are must be intrinsic to the person
  • Biometric sensors are fairly expensive
  • 2FA (2 factor authentication) uses 2 of the 3 authentication classes
  • 3FA (3 factor authentication) uses all 3 classes
  • 2SV (2 step validation) uses factors from a single category
  • Additional factors from the same class do not increase the number of factors validated

Authentication Methods

  • Usernames and passwords are used to authenticate users to web applications
  • A secondary factor such as a hardware token may be added to strengthen authentication
  • The use of biometrics is almost unheard of for web applications

Password Based Systems

  • Multiple username/password systems exist for web apps
    • Built-In HTTP, Single Sign On, and Custom authentication

Built in HTTP Authentication

  • Basic access authentication supports no encryption
  • It uses base64 encoding, which is trivially decoded
  • Digest access authentication uses MD5
  • Digest access authentication is vulnerable to man-in-the-middle (MITM) attacks
  • Both Basic and Digest access authentication have significant weaknesses and are not recommended in any circumstances

Single Sign On (SSO)

  • Internet SSO lets users log in to a single interface and then reach independently secured systems with one set of credentials
  • Examples:
    • Google Accounts: one login gives access to Gmail, Drive, and YouTube
    • Microsoft's Live ID: one login gives access to Windows Live Hotmail and Windows Live Messenger
    • Facebook Connect: an API that lets third-party developers use Facebook's authentication system on their own sites
  • SSO pros include a reduced number of credentials for users to manage
  • SSO cons include a single point of failure: if it is compromised, many websites are compromised with it

Custom Authentication

  • It is the most common authentication method
  • The logic is coded into the custom-made application itself
  • Input validation is therefore the developer's responsibility

Validating Credential

  • There are several ways to validate credentials
  • The choice depends on where the comparison is made and how the passwords are stored
  • The comparison can be made against plaintext or against a hash
  • Hashing can be performed at the application level or at the database level
  • An incorrect storage implementation can lead to SQL injection

Hashed Password example

  • In the example, $hashedPassword is the hashed form of $userPassword, so the comparison is made against a hash rather than the plaintext password

Securing Password-Based Authentication

  • Passwords are the most popular way of confirming identity
  • Attackers will attempt to break into password-based systems
  • The best plan is to defend against these attacks in advance

Attacks

  • These attacks are all attempts to guess login credentials
  • They are carried out against the live system (online) or against captured hashed/encrypted passwords (offline)
  • The attacks may take the following forms:
    • Dictionary attacks
    • Brute-force attacks
    • Pre-computed dictionary attacks
    • Rainbow tables
    • Rubber hose attacks

Password Complexity

  • The main goal is to make passwords harder to guess by increasing the key space (the domain of possible passwords)
  • Exhaustively searching the potential key space should take as long as possible
  • Increase the minimum length, use mixed character sets, and change passwords regularly

Password Practices

  • Require password complexity, with a minimum length of eight characters
  • Enforce a "minimum password complexity" that includes uppercase, lowercase, a number, and a special character
  • Storage options range from plaintext (worst) through encrypted to hashed (best)

Authentication Best Practices

  • Authentication plays a fundamental role in access control
  • Two questions are worth exploring:
    • "When" and "where" does authentication take place?
    • How can authentication mechanisms be made more secure?

Secure Practices

  • Validate the session cookie with every request
  • Code should authenticate and authorize "every" request
  • When privileges increase, update the cookie and issue it again
  • Amazon, which asks you to authenticate again before you place an order, is an example of re-authentication
  • Always authenticate the "first" time access to a protected resource is requested

Web Authentication

  • The transmission has to be secured through Secure Sockets Layer/Transport Layer Security

Account Lockout

  • Lock the account after "X" failed attempts
  • It is a security measure against attackers trying to obtain your password through online password attacks
  • The length of time the account stays blocked can also be customized
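An added Python example (not the lecture's own code) that combines the hashed credential check from "Validating Credential" with the account lockout above, using the doubling lockout period from the quiz question. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt; the threshold of 3 failures, the 1-second initial period, and the use of a caller-supplied clock are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; plays the role of bcrypt's cost


def hash_password(password: str) -> tuple:
    """Return (salt, digest) for storage; the plaintext is never kept."""
    salt = os.urandom(16)  # per-user random salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


class Account:
    THRESHOLD = 3          # failures before the first lockout (quiz value)
    INITIAL_LOCKOUT = 1.0  # seconds; doubles on every further failure

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked_until = 0.0  # absolute time on the caller's clock

    def lockout_after(self, failures: int) -> float:
        """Seconds of lockout imposed by the given consecutive failure count."""
        if failures < self.THRESHOLD:
            return 0.0
        return self.INITIAL_LOCKOUT * 2 ** (failures - self.THRESHOLD)

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; 'now' is the current time."""
        if now < self.locked_until:
            return "locked"  # reject without touching the password hash
        if verify_password(password, self.salt, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.lockout_after(self.failures)
        return "denied"
```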

General Strategies

  • Do not hard-code values; secure keys and credentials through system-level access controls
  • Avoid "remember me"; if it is provided, make sure it is not the default, for security reasons
