Web Application Security [203105509]

Manojkumar H. Radadiya
Techdefence Labs
 UNIT-4

Advance Web Application Attacks-1

Outline
❑ Anatomy of an XSS Exploitation
❑ Reflected XSS
❑ Persistent XSS
❑ DOM based XSS
❑ Browsers and XSS
❑ Blocking malicious request
❑ user enumeration
❑ random password guessing
❑ remember me functionality
❑ no limit attempts
❑ password reset feature
❑ logout flaws
❑ CAPTCHA @Manojkumar H. Radadiya
 Anatomy of an XSS Exploitation
❑ Cross site scripting (XSS) is a type of attack in which the
attacker injects malicious scripts into web-pages belonging to
legitimate web-sites.
❑ Scripts are programs or lines of code that are interpreted by
another program (in this case a web browser).
❑ They enable web browsers to present a dynamic behavior.
❑ XSS attacks involve the exploitation of a vulnerability on a
web server or web application to send malicious client-side
scripts to the unsuspecting user.

@Manojkumar H. Radadiya
❑ The victim's browser will believe that the script is trusted and will
therefore execute it, granting the attacker access to any session
tokens, cookies, and other sensitive information retained by the
browser for that particular site.
❑ In certain cases such scripts can even alter the content of an HTML
page.
❑ Cross-Site Scripting (XSS) is one of the most popular attacks which
uses the most popular vulnerabilities.
❑ It is considered one of the most risky attacks on internet applications.
❑ A Cross-Site Scripting attack is an injection of malicious code that will
be executed in the victim’s browser.
❑ Malicious code is usually written in client-side programming
languages ​such as Javascript, HTML, VBScript, Flash, etc.
@Manojkumar H. Radadiya
❑ However, Javascript and HTML are the most commonly used to carry
out this attack.
❑ The main purpose of this attack is to steal another user’s identity data
– cookies, session tokens, and other information.
❑ In most cases, this attack is used to steal the other person’s cookies.
❑ As we know, cookies help us log in automatically.
❑ Therefore, with the help of stolen cookies, we can log in using other
identities.
❑ This is one of the reasons why this attack is considered to be one of
the riskiest attacks.

@Manojkumar H. Radadiya
 Types of Cross Site Scripting

1. Reflected XSS ( Non-persistent XSS)

2. Stored XSS ( Persistent XSS)
3. DOM based XSS

@Manojkumar H. Radadiya
 1. Reflected XSS (Non-persistent XSS)
❑ Malicious script is injected onto trusted or otherwise harmless websites.
❑ Typically, injection occurs when an unsuspecting user clicks on a link
that is specifically designed to attack a visited website.
❑ Malicious results are returned when the malicious code is entered.
❑ The reflected XSS code is not saved permanently.
❑ In this case, the malicious code is reflected in any result of the website.
The attack code may be contained in bogus URL or HTTP parameters.
❑ In a reflected XSS attack, a web application with an XSS vulnerability
will allow potentially harmful data to enter a routine transaction.

@Manojkumar H. Radadiya
❑ For example, when a user sends a network request to the server by
submitting a form, the application responds with a page containing an
echo of what the user submitted for confirmation.
❑ A malicious JavaScript snippet can replace or attach to a user entry
that the user inadvertently executes.
❑ A reflected XSS attack can also trick a victim into launching an HTTP
request by clicking on a malicious link in the email or a fake website
that appears to be legitimate.
❑ This type of attack can target web-servers' error messages or search
results that return all or part of a user's input.

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
 2. Stored XSS ( Persistent XSS)
❑ It can be considered more risky and deals more damage.
❑ In this type of attack, the malicious code or script is saved on a web
server (e.g. in a database) and executed each time the user calls the
appropriate functionality.
❑ The XSS attacks stored in this way can affect many users.
❑ Also, since the script is stored on a web server, it will have an impact
on your site for a long time.
❑ In order to perform a saved XSS attack, the malicious script should be
sent via a vulnerable input form (for example, a comment field or a
review field).
@Manojkumar H. Radadiya
❑ In this way, the appropriate script will be saved in the database and
executed when the page is loaded or the appropriate function is
called.
❑ A common example of this type of attack is when an attacker posts a
specially crafted comment on a forum.
❑

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
 3. DOM based XSS
❑ DOM-based attacks are advanced ones made possible when the web
application's client-side script writes user-provided data to the DOM.
❑ The web application reads the data from the DOM and delivers it to the
browser.
❑ If the data isn't handled correctly, the attacker is able to inject a payload
that will be stored as part of the DOM.
❑ The payload is then executed when the data is read back from the
DOM.

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
 Prevention of XSS
❑ Preventing cross-site scripting is trivial in some cases but can be much
harder depending on the complexity of the application and the ways it
handles user-controllable data.
❑ In general, effectively preventing XSS vulnerabilities is likely to involve a
combination of the following measures:

@Manojkumar H. Radadiya
1. Filter input on arrival : At the point where user input is received, filter as strictly
as possible based on what is expected or valid input.
2. Encode data on output : At the point where user-controllable data is output in
HTTP responses, encode the output to prevent it from being interpreted as active
content. Depending on the output context, this might require applying
combinations of HTML, URL, JavaScript, and CSS encoding.
3. Use appropriate response headers : To prevent XSS in HTTP responses that
aren't intended to contain any HTML or JavaScript, you can use the Content-Type
and X-Content-Type-Options headers to ensure that browsers interpret the
responses in the way you intend.
4. Content Security Policy : As a last line of defense, you can use Content Security
Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
@Manojkumar H. Radadiya
❑For more detail visit:
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

@Manojkumar H. Radadiya
Block malicious request using WAF

@Manojkumar H. Radadiya
 Starting with
WAF (Web application firewall)
Web Application Firewall.pdf

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
 Block malicious request using WAF
❑ Web Application Firewall (WAF) keeps web services stable and secure. It
examines all HTTP and HTTPS requests to detect and block the following
attacks: SQL injection, cross-site scripting (XSS), web shells, command and
code injections, file inclusion, sensitive file access, third-party vulnerability
exploits, malicious crawlers, and cross-site request forgery (CSRF).
❑ You can add either domain names or IP addresses to WAF.
❑ WAF makes it easier for you to handle web security risks.

@Manojkumar H. Radadiya
Difference between a firewall, WAF and IPS
❑They are all systems that allow network traffic to pass through or be
blocked, but broadly speaking, the main difference is the different layers
each of them protects.
1. Firewall: Decides whether to permit or block the network traffic based
on IP addresses or port numbers.
2. WAF: Decides whether to permit or block the network traffic based on
the contents of communication on the application layer.
3. IPS: Monitors traffic that travel across the OS and network to prevent
unauthorized communications and changes.
@Manojkumar H. Radadiya
Here ae some efficient ways to minimize security misconfiguration

@Manojkumar H. Radadiya
 User enumeration

❑ User enumeration is when a malicious actor can use brute-force

techniques to either guess or confirm valid users in a system.
❑ User enumeration is often a web application vulnerability, though it
can also be found in any system that requires user authentication.
❑ Two of the most common areas where user enumeration occurs
are in a site's login page and its ‘Forgot Password' functionality.
❑ The malicious actor is looking for differences in the server's
response based on the validity of submitted credentials.
❑ The Login form is a common location for this type of behavior.
@Manojkumar H. Radadiya
❑When the user enters an invalid username and password, the server returns a
response saying that user ‘rapid7' does not exist.
❑A malicious actor would know that the problem is not with the password, but that
this username does not exist in the system, as shown in Figure 1:

@Manojkumar H. Radadiya
❑On the other hand, if the user enters a valid username with an invalid password,
and the server returns a different response that indicates that the password is
incorrect, the malicious actor can then infer that the username is valid, as shown
in Figure 2:

@Manojkumar H. Radadiya
❑At this point, the malicious actor knows how the server will respond to ‘known
good' and ‘known bad' input.
❑So, the malicious actor can then perform a brute-force attack with common
usernames, or may use census data of common last names and append each letter
of the alphabet to generate valid username lists.
❑Once a list of validated usernames is created, the malicious actor can then
perform another round of brute-force testing, but this time against the passwords
until access is finally gained.
❑An effective remediation would be to have the server respond with a generic
message that does not indicate which field is incorrect.

@Manojkumar H. Radadiya
❑When the response does not indicate whether the username or the password is
incorrect, the malicious actor cannot infer whether usernames are valid. Figure 3
shows an example of a generic error response:

@Manojkumar H. Radadiya
❑The application's Forgot Password page can also be vulnerable to this kind of
attack.
❑Normally, when a user forgets their password, they enter a username in the field
and the system sends an email with instructions to reset their password.
❑A vulnerable system will also reveal that the username does not exist, as shown in
Figure 4:

@Manojkumar H. Radadiya
❑Again, the response from the server should be generic and simply tell the user
that, if the username is valid, the system will send an instructional email to the
address on record.
❑Figure 5 shows an example of a message that a server could use in its response:

@Manojkumar H. Radadiya
❑Sometimes, user enumeration is not as simple as a server responding with text on the
screen.
❑It can also be based on how long it takes a server to respond. A server may take one
amount of time to respond for a valid username and a very different (usually longer)
amount of time for an invalid username.
❑For example, Outlook Web Access (OWA) often displays this type of behavior. Figure 6
shows this type of attack, using a Metasploit login module.

@Manojkumar H. Radadiya
❑In this example, the ‘FAILED LOGIN' for the user 'RAPID7LAB\admin' took more
than 30 seconds to respond and it resulted in a redirect.
❑However, the user 'RAPID7LAB\administrator' got the response ‘FAILED LOGIN,
BUT USERNAME IS VALID' in a fraction of a second.
❑When the response includes ‘BUT USERNAME IS VALID', this indicates that the
username does exist, but the password was incorrect.
❑Due to the explicit notification about the username, we know that the other
response, ‘FAILED LOGIN', is for a username that is not known to the system.

@Manojkumar H. Radadiya
❑How would you remediate this?
❑1. One way could be to have the application pad the responses with a random amount of
time, throwing off the noticeable difference.
❑This might require some additional coding into an application, or may not be possible on a
proprietary application.
2. Alternately, you could require two-factor authentication (2FA).
❑While the application may still be vulnerable to user enumeration, the malicious actor
would have more trouble reaching their end goal of getting valid sets of credentials.
❑Even if a malicious actor can generate user lists and correctly guess credentials, the SMS
token may become an unbeatable obstacle that forces the malicious actor to seek easier
targets.
@Manojkumar H. Radadiya
3. One other way to block user enumeration is with a web application firewall
(WAF).
❑To perform user enumeration, the malicious actor needs to submit lots of different
usernames.
❑A legitimate user should probably never not need to send hundreds or thousands
of usernames.
❑A good WAF will detect and block single IP address making many of these
requests.
❑Some WAFs will drop these requests entirely, others will issue a negative
response, regardless of whether the request is valid.
@Manojkumar H. Radadiya
 Protection against user enumeration
1. Login
❑Make sure to return a generic “No such username or password” message when
a login failure occurs.
❑Make sure the HTTP response, and the time taken to respond are no different
when a username does not exist, and an incorrect password is entered.

2. Password Reset
❑Make sure your “forgotten password” page does not reveal usernames.
❑If your password reset process involves sending an email, have the user enter
their email address. Then send an email with a password reset link if the account
exists. @Manojkumar H. Radadiya
3. Registration
❑Avoid having your site tell people that a supplied username is already taken.
❑If your usernames are email addresses, send a password reset email if a user
tries to sign-up with an existing address.
❑If usernames are not email addresses, protect your sign-up page with a
CAPTCHA.

4. Profile Pages
❑If your users have profile pages, make sure they are only visible to other users
who are already logged in.
❑If you hide a profile page, ensure a hidden profile is indistinguishable from a
non-existent profile.
@Manojkumar H. Radadiya
❑Visit the below URL for detailed with
example in GUI form:
https://www.hacksplaining.com/exercises/user
-enumeration

@Manojkumar H. Radadiya
2. Poor or weak encryption

@Manojkumar H. Radadiya
 Password
❑Creating strong passwords is essential for maintaining the security of your
online accounts and sensitive information. Here are some rules and
guidelines to follow when generating strong passwords:
❑Length: Use a minimum of 8 to 16 characters. Longer passwords are
generally more secure because they increase the complexity of the password.
❑Complexity: Incorporate a mix of characters, including uppercase and
lowercase letters, numbers, and special symbols (such as !, @, #, $, %, etc.).
❑Avoid Dictionary Words: Avoid using common words found in dictionaries,
as attackers often use dictionary-based attacks to crack passwords.

@Manojkumar H. Radadiya
 Password
❑Randomness: Generate passwords that appear random. Avoid using easily guessable
patterns, like "12345" or "qwerty."
❑No Personal Information: Do not use easily accessible personal information like
names, birthdates, or addresses, as these can be easily guessed or obtained.
❑Unpredictable Sequences: Avoid common keyboard patterns or sequences like
"asdf" or "zxcv."
❑Variety: Integrate a variety of character types (uppercase, lowercase, numbers,
symbols) in a non-predictable manner. For example, "P@ssw0rd!" is stronger than
"password123."

@Manojkumar H. Radadiya
 Password
❑Passphrases: Consider using a passphrase - a combination of random words or a
sentence – that is easy for you to remember but difficult for others to guess. For
instance, "PurplePizza$Jumping@42" is strong and memorable.
❑Unique Passwords: Use a unique password for each online account. Reusing
passwords across multiple sites increases the risk of a security breach.
❑Avoid Common Patterns: Avoid easily guessable patterns like "123abc," "abc123,"
"qwerty," or "password."
❑Avoid Common Substitutions: Avoid using common substitutions, such as replacing
"o" with "0" or "e" with "3," as these are well-known techniques used by attackers.
❑Two-Factor Authentication (2FA): Whenever possible, enable two-factor
authentication (2FA) for your accounts. This adds an extra layer of security even if
your password is compromised.
@Manojkumar H. Radadiya
 Password
❑Password Managers: Consider using a reputable password manager to
generate, store, and manage your passwords securely. Password managers can
create strong passwords and help you avoid reusing passwords.
❑Regular Updates: Change your passwords regularly, especially for critical
accounts. If a breach occurs, changing passwords helps mitigate the risk.
❑Security Questions: Be cautious with security questions. Avoid using answers
that are easily guessable or publicly available information.
❑Phishing Awareness: Be vigilant against phishing attempts. Attackers may try
to trick you into revealing your password through deceptive emails or websites.

@Manojkumar H. Radadiya
❑Remember, the goal is to create passwords that are complex, unique, and difficult
for attackers to guess or crack using various techniques.
❑Above guidelines can significantly enhance the security of your online accounts.

@Manojkumar H. Radadiya
 Password Cracking
❑Many users may have seen password cracking portrayed in movies as a quick
and impressive feat. But, it is far less flashy and potentially much more time-
consuming, according to this 2022 Hive report. Password cracking typically
involves brute-forcing a password using various methods.
❑To understand password cracking, you must first understand how passwords
are stored. There are two primary ways to store passwords: encryption and
hashing.
❑Encryption transforms plaintext into reversible ciphertext, which allows
password managers to store and display the original plaintext password.
@Manojkumar H. Radadiya
❑On the other hand, hashing is the typical method used for storing passwords for
online services.
❑Since service operators don't need to reverse passwords, only to verify they are
correct, passwords are hashed. Hash algorithms convert plaintext values into
ciphertext in a one-way process.
❑Before attempting to crack a password, an attacker must retrieve the ciphertext
value, often through man-in-the-middle attacks, hacked credential databases, or
phishing attempts.
❑Ultimately, the attacker can begin their work once the ciphertext value has been
obtained, typically as a hash value.
@Manojkumar H. Radadiya
Common Password Cracking
Techniques

@Manojkumar H. Radadiya
1. Brute Forcing:
❑Sometimes, the only way to find a password is to attempt every possible
combination of letters, numbers, and symbols. If the password is random, many
other techniques to make the job easier may not work.
❑This approach is the least efficient, but it may be the only option when all else
fails.
❑An attacker may use a computer or a cluster of computers to attempt every
possible variation. The longer the password, the more difficult and time-
consuming the cracking process becomes.
❑As an example of times, here are some recent findings from the 2023 Hive report
on how long, passwords with lowercase and uppercase letters verses more
complex passwords (i.e., numbers, @Manojkumar
upper and lowercase letters, and symbols in an
H. Radadiya
MD5 hash) take to crack.
@Manojkumar H. Radadiya
Characters Lower & Uppercase Letters Complex Passwords

8 Characters 22 minutes 8 hours

9 Characters 19 hours 3 weeks

10 Characters 1 month 5 years

11 Characters 5 years 500 years

12 Characters 300 years 34k years

@Manojkumar H. Radadiya
2. Rainbow Table:
❑Since hashing algorithms are publicly known, it is possible to create massive lists
of pre-computed password hashes that a stolen hash can be compared against.
❑Instead of generating a new hash for every variation, look up the stolen hash
against a table to see if it matches.
❑There are many different hash methods and near-infinite password variations,
which can quickly make managing and storing tables like this very difficult.
❑There is another technique known as password salting that can also throw a
wrench in this technique. If the server adds random values to the front and end of
a hash (values known only to the server), then the resulting hashes won’t match
known values anymore.
@Manojkumar H. Radadiya
3.Dictionary Attack:
❑To make brute-forcing a password easier, attackers can use dictionaries of
common words and phrases and company names, sports teams, etc. This narrows
down the list of potential password choices.
❑In the past, users were recommended to change their password often (e.g., every
90 days) and to use complex passwords.
❑But, this led to users choosing passwords like !yoda2023#, which makes the job of
a password cracker easier.
❑Once the base word, yoda, is guessed through a dictionary attack, trying a few
different symbols and numbers can quickly crack the password.
❑A more advanced form of a dictionary attack is the Markov chain attack. This
involves a statistical analysis of a@Manojkumar
list ofH.words
Radadiya stored in a table and used to
4.Credential Stuffing:
❑Users commonly use the same root password across multiple services.
❑If one password is broken on a service, an attacker can quickly try that same
password or variations on other services to which the user may have access.
❑Known as credential stuffing, attackers will try the cracked password on multiple
services to try different passwords on the same service.
❑This can result in all of the user's services being compromised.

@Manojkumar H. Radadiya
5. Social Engineering :
❑While the above password-cracking techniques use technical vulnerabilities, social
engineering takes advantage of human errors and psychology.
❑To put it simply social engineering is an act of manipulating the victim to gain
confidential information such as bank information or passwords.
❑ The reason why this method is quite prevalent among cybercriminals is that they
know humans are the doorway to access the important credential and
information.
❑And through social engineering, they use tried and tested methods to exploit and
manipulate ages-old human instincts, instead of finding new ways to break-in
secure and advanced technology.
@Manojkumar H. Radadiya
❑For example, it can be much easier to trick someone to share their password
rather than trying to crack it.
❑In fact, as per KnowBe4, a company providing security awareness training, 97% of
the cybercriminals targets through Social Engineering.

@Manojkumar H. Radadiya
6. Phishing:
❑Phishing is a type of social engineering used by cybercriminals to trick the users
and acquire their sensitive information which is then used for cybercrimes such as
financial breaches and data theft.
❑There are varied types of phishing email spoofing, URL spoofing, website
spoofing, smishing, vishing and more.
❑The most common ones are done through email, phone and SMS. In any of these
types, the attacker masquerades as someone from a legit organization and creates
a sense of curiosity, fear or urgency in the victims and tries to deceive them to
provide sensitive information such as identification information, financial and
banking details, passwords and more.
❑An example can be a Phishing email informing the victim about a blocked credit
@Manojkumar H. Radadiya
card and creating a sense of urgency prompting you to login in to unblock it.
❑Such email contains links to fake websites that resemble as legit but are used as a
fake.
❑Once you click on the link and enter the credentials they now have access to it.
❑So it’s essential to recognize and differentiate the illegitimate ones to save yourself
from a Phishing catastrophe.
❑Some of the signs that you can recognize phishing are: too good to be true type of
offers, generic email greeting, emails from unusual senders with hyperlinks and
attachments, sweepstake, lottery, unrealistic or free prizes.

@Manojkumar H. Radadiya
▪ Use the Gosafeonline password checker to find out how long it will take for cyber
security criminal to crack your password:

https://www.csa.gov.sg/Tips-Resource/Interactive-Tools/Password-Checker

@Manojkumar H. Radadiya
 Password Cracking Tools
❑ No password cracking starts without proper tools. When you have
to guess from billions of combinations, some computational
assistance is more than welcome. As always, each tool has its pros
and cons.
❑ Here is a list, in no particular order, of the most popular password
cracking tools.

@Manojkumar H. Radadiya
 1. John the Ripper
❑Featured in many popular password cracking tools lists, John the Ripper is
a free, open-source, command-based application. It’s available for Linux
and macOS while Windows and Android users get Hash Suite, developed
by a contributor.
❑John the Ripper supports a massive list of different cipher and hash types.
Some of those are:
▪ Unix, macOS, and Windows user ▪ Network traffic captures
passwords ▪ Encrypted private keys
▪ Web applications ▪ Disks and filesystems
▪ Database servers @Manojkumar H. Radadiya ▪ Archives
▪ Documents
❑There’s also a Pro version with extra features and native packages for
supported OS.
❑Word lists used in password cracking are on sale, but free options are
available as well.

@Manojkumar H. Radadiya
 2. Cain and Abel
❑Downloaded almost 2 million times from its official source, Cain & Abel is
another popular tool for password cracking.
❑But contrary to John the Ripper, it uses GUI, making it instantly more user-
friendly. That and the fact that it’s available on Windows only makes Cain
& Abel a go-to tool for amateurs, also known as script kiddies.
❑This is a multi-purpose tool, capable of many different functions. Cain &
Abel can act as a packet analyzer, record VoIP, analyze route protocols, or
scan for wireless networks and retrieve their MAC addresses. If you
already have the hash, this tool will offer a dictionary or brute force attack
option. Cain & Abel can also display passwords that are hiding beneath
@Manojkumar H. Radadiya
the asterisks.
@Manojkumar H. Radadiya
 3. Ophcrack
❑Ophcrack is a free and open-source password cracking tool that
specializes in rainbow table attacks.
❑To be more precise, it cracks LM and NTLM hashes where the former
addresses Windows XP and earlier OSs and the latter associates with
Windows Vista and 7.
❑NTLM is also available, to a certain degree, on Linux and freeBSD.
❑Both of these hash types are insecure – it’s possible to crack a NTLM hash
in less than 3 hours with a fast computer.

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
❑ As you can see in the screenshot above, it took Ophcrack merely six
seconds to crack an 8-symbol password while using a rainbow table that
includes letters, numbers, and uppercases.

❑ That’s even more variables than a mainstream password usually has.

❑ This tool comes with free Windows XP/Vista/7 rainbow tables and a
brute force attack feature for simple passwords. Ophcrack is available
on Windows, macOS, and Linux.

@Manojkumar H. Radadiya
 4. THC Hydra
❑ Arguably the strongest point of THC Hydra is not the possible number of
heads it can grow but the sheer number of protocols it supports that seems
to be growing too!
❑This is an open-source network login password cracking tool that works with
Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH,
and Telnet, to name but a few.
❑The methods available with THC Hydra include brute force and dictionary
attacks while also using wordlists generated by other tools.
❑This password cracker is known for its speed thanks to the multi-threaded
combination testing. It can even run checks on different protocols
@Manojkumar H. Radadiya
simultaneously. THC Hydra is available on Windows, macOS, and Linux.
@Manojkumar H. Radadiya
 5. Hashcat
❑ Positioning itself as the world’s fastest password cracker, Hashcat is a
free open-source tool that’s available on Windows, macOS, and Linux. It
offers a number of techniques, from simple brute force attack to hybrid
mask with wordlist.
❑ Hashcat can utilize both your CPU and GPU, even at the same time.
This makes cracking multiple hashes simultaneously much faster.
❑ But what makes this tool truly universal is the number of supported hash
types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2,
Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it
supports over 300 hash types.
@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
 Remember me functionality
❑ The "Remember Me" feature allows users to store their login
information on their local computer, allowing them to skip the login
process when coming back again to the Website.
❑ When a user chooses to be remembered, the authentication information
will be stored in an encrypted format for the specified time period as a
Web browser cookie.
❑ During subsequent Website visits the login credentials will be retrieved,
decrypted and automatically used to initiate a new login session.
❑ Further identification is required only when the cookie becomes invalid,
for example when the encryption mechanism is modified, the user
explicitly signs out, or when @Manojkumar
the login cookie expires.
H. Radadiya
❑Applications often implement “remember me” functions as a convenience to
users, to prevent them needing to reenter their username and password each
time they use the application from a specific computer.
❑These functions are often insecure by design and leave the user exposed to
attack both locally and by users on other computers:

@Manojkumar H. Radadiya
1. Some “remember me” functions are implemented using a simple persistent
cookie, such as RememberUser=manoj.
• When this cookie is submitted to the initial application page, the application trusts
the cookie to authenticate the user, and creates an application session for that
person, bypassing the login.
• An attacker can use a list of common or enumerated usernames to gain full access
to the application without any authentication.

@Manojkumar H. Radadiya
2. Some “remember me” functions set a cookie which does not contain the
username but rather a kind of persistent session identifier — for example,
RememberUser=1328 .
• When the identifier is submitted to the login page, the application looks up the
user associated with it and creates an application session for that user.
• As with ordinary session tokens, if the session identifiers of other users can be
predicted or extrapolated, an attacker can iterate through a large number of
potential identifiers to find those associated with application users, and so gain
access to their accounts without login.

@Manojkumar H. Radadiya
• this cookie is submitted to the initial application page, the application trusts the
cookie to authenticate the user, and creates an application session for that person,
bypassing the login.

@Manojkumar H. Radadiya
 Caution!!!
1.Cookies are domain specific, therefore visiting the same Website via
different domains or IP addresses would require filling out the Login form
again and storing authentication information in separate cookies.

2. The "Remember me" functionality won't work if the user's Web browser
security settings are configured to reject cookies.

@Manojkumar H. Radadiya
 Caution!!!
3. Any functionality where a user's personal information is stored locally on
his or her computer cannot be guaranteed to be fully secure.
❑ For example in cases where a potential attacker may gain access to a
user's computer and retrieve local cookies.
❑ Developers are advised to exert caution when implementing the
"Remember me" functionality for applications that deal with financial or
other sensitive data.

@Manojkumar H. Radadiya
 No limit attempts
❑ It referring to a concept in web security where there are no limits on the
number of attempts an attacker can make to compromise a system or
gain unauthorized access.
❑ This could apply to various types of attacks like brute-force attacks,
where an attacker tries a large number of possible passwords or inputs
in an attempt to guess the correct one.
❑ In the context of web security, "no limit attempts" could indicate a
vulnerability if there's no mechanism in place to prevent or mitigate such
attacks.

@Manojkumar H. Radadiya
❑ To protect against these types of threats, web applications often implement
measures like:

1. Account Lockouts: After a certain number of unsuccessful login attempts, an

account is temporarily locked or even permanently locked to prevent further
attempts.

2. Rate Limiting: This involves restricting the number of requests a user or IP

address can make within a specific timeframe. This can help prevent automated
attacks that rely on making a large number of requests in a short time.
@Manojkumar H. Radadiya
3. CAPTCHA: A CAPTCHA is a challenge-response test used to determine if the user is
human. It's often used to prevent automated bots from carrying out certain actions,
such as submitting forms.

4. Two-Factor Authentication (2FA): Implementing 2FA adds an extra layer of

security by requiring users to provide a second piece of information (like a
temporary code from their phone) in addition to their password.

5. Account Recovery Mechanisms: Ensuring that password reset or account

recovery processes are secure is important to prevent attackers from exploiting
these processes to gain unauthorized access.
@Manojkumar H. Radadiya
6. Monitoring and Logging: Regularly monitoring and analyzing logs can help
identify suspicious activities and patterns, allowing you to take action before any
major security breach occurs.

7. Strong Password Policies: Enforcing strong password policies, including minimum

length, complexity requirements, and periodic password changes, can make it more
difficult for attackers to guess passwords.

8. Web Application Firewalls (WAFs): WAFs can filter and monitor incoming traffic
to a web application, blocking malicious requests and providing an additional layer
of defense.
@Manojkumar H. Radadiya
❑ Remember that security is an ongoing process, and it's important to stay updated
with the latest security practices and vulnerabilities to ensure the safety of your
web applications.

@Manojkumar H. Radadiya
 Password reset feature

❑Passwords are the first line of defense when it comes to digital security. For most
businesses, each employee is going to have at least one username and password
that they need to remember.
❑In many cases, there will be many.
❑This is, of course, is in addition to all of their personal accounts and passwords
which are sometimes used on the same device as their work accounts.
❑With this in mind, it should come as no surprise that somewhere between 20%
and 50% of calls to the helpdesk are related to accounts being locked, or password
resets.
@Manojkumar H. Radadiya
❑Depending on the size of your organization, this can mean spending a massive
amount of your IT budget on simple account management.
❑ Finding an effective password reset solution is a great way to minimizing the time
spent on resetting passwords, and getting employees back to work.
❑Here are the top 5 things you should be on the look out for when you’re using a
password reset tool:

@Manojkumar H. Radadiya
 1. Verification of the user during a password reset
❑A password reset solution cannot simply unlock an account or change a
password automatically or it would defeat the purpose of having account
security in the first place.
❑Instead, the system must first verify that the person requesting the
unlock or reset is who they claim to be, and then ensure that their
account is supposed to be active.
❑Tip: Avoid security questions during user verification as they are prone
to social engineering. Instead, look for a password reset solution that can
verify users via multi-factor authentication with stronger identity
providers.
@Manojkumar H. Radadiya
 2. Password reset for remote users
❑Managing remote workers has always presented unique challenges.
❑With more employees working remotely than ever before, it is critical
that your password reset system is able to update passwords, even when
a Domain Controller cannot be reached.
❑Tip: Prevent account lockouts with a password reset solution that can
update the local cached credentials, even when a Domain Controller
cannot be reached.

@Manojkumar H. Radadiya
 3. 24/7 Password Reset Options
❑Many employees today are not working traditional schedules.
❑Instead, they may require access at any time.
❑When account management is handled by the helpdesk, this means you
either need to have them staffed 24/7, or some people will be unable to
work until the following business day.
❑A self-service password reset system solves this concern. Whether
someone is locked out at 8AM, or 11PM, they can get regain access to
their account quickly.
❑Tip: Use a self-service solution that can be used anywhere, and from any
device.
@Manojkumar H. Radadiya
 4. Enforcing user enrolment
❑Many employees today are not working traditional schedules.
❑Instead, they may require access at any time.
❑When account management is handled by the helpdesk, this means you
either need to have them staffed 24/7, or some people will be unable to
work until the following business day.
❑A self-service password reset system solves this concern. Whether
someone is locked out at 8AM, or 11PM, they can get regain access to
their account quickly.
❑Tip: Use a self-service solution that can be used anywhere, and from any
device.
@Manojkumar H. Radadiya
 5. Advanced Auditing and Reporting
❑Track the usage of your password resets, and use your findings to
identify specific users who are frequently locked out of their account so
they can be provided with the appropriate training.
❑Tip: Look for a password reset solution with advanced reporting features
to keep track of system usage, and ROI.

@Manojkumar H. Radadiya
 Logout flaws
❑ Logout functionality is an essential component of web security, as it
allows users to terminate their authenticated sessions and prevent
unauthorized access to their accounts.
❑ However, there can be security flaws related to logout functionality that
attackers might try to exploit.
❑ Here are some common logout flaws to be aware of and how to mitigate
them:

@Manojkumar H. Radadiya
1.IDOR examples
Inadequate Session Termination:

❑Flaw: Failing to properly terminate the user's session upon logout can
lead to session fixation attacks, where an attacker can hijack a user's
session.

❑Mitigation: Ensure that the session identifier is invalidated on the server-

side when the user logs out. Additionally, implement measures to prevent
session fixation, such as generating new session identifiers upon
authentication and logout.

@Manojkumar H. Radadiya
 IDOR examples
2. Cached Sessions:

❑Flaw: If a web page is cached by the browser or a proxy after logout, an attacker
or subsequent user might be able to access the cached page and gain
unauthorized access.

❑Mitigation: Implement proper cache control headers to prevent caching of

sensitive pages. Use cache-control directives like "no-cache" and "no-store" to
ensure that sensitive data isn't stored in the cache.

@Manojkumar H. Radadiya
 IDOR examples
3.Cross-Site Request Forgery (CSRF) Attacks:

❑Flaw: Attackers can trick users into performing unintended actions, including
logging out, by exploiting CSRF vulnerabilities.

❑Mitigation: Use CSRF tokens to validate the origin of requests, ensuring that only
legitimate requests from the same site are accepted.

@Manojkumar H. Radadiya
 IDOR examples
4. Session Timeout Issues:

❑Flaw: If the session timeout is too long or not enforced properly, users might not
be logged out automatically after a certain period of inactivity, leaving their
accounts vulnerable.

❑Mitigation: Set a reasonable session timeout and ensure that sessions are
properly invalidated after the specified period of inactivity.

@Manojkumar H. Radadiya
 IDOR examples
5. Back Button and Browser History:

❑Flaw: After logging out, if the user clicks the back button or uses the browser
history, they might be able to access sensitive information or perform actions they
shouldn't.

❑Mitigation: Implement mechanisms to prevent users from accessing secure pages

by using the browser's back button or history after logging out. This might involve
additional checks on page load or page navigation.

@Manojkumar H. Radadiya
 IDOR examples
6. Timing Attacks:

❑Flaw: If the logout process doesn't provide consistent timing regardless of

whether the action was successful or not, attackers might exploit timing
differences to gain insights into the application's behavior.

❑Mitigation: Ensure that the time it takes to respond to logout requests is

consistent, regardless of the outcome of the request.

@Manojkumar H. Radadiya
 IDOR examples
7.Clickjacking Attacks:

❑Flaw: Attackers can trick users into clicking on hidden or invisible elements that
perform logout actions without the user's knowledge.

❑Mitigation: Implement clickjacking protection mechanisms, such as X-Frame-

Options headers or Content Security Policy (CSP) directives, to prevent your site
from being embedded in a malicious frame.

@Manojkumar H. Radadiya
 IDOR examples
❑ It's important to thoroughly test the logout functionality, along with the entire
authentication and session management process, to identify and mitigate these
potential flaws.
❑Regular security assessments and updates to your application's security measures
are crucial to maintaining a secure logout process.

@Manojkumar H. Radadiya
 CAPTCHA
❑ CAPTCHA (Completely Automated Public Turing test to tell Computers
and Humans Apart)
❑ A CAPTCHA is a type of challenge-response system designed to
differentiate humans from robotic computer programs.
❑ CAPTCHAs are used as security checks to deter spammers and hackers
from using forms on web pages to insert malicious code.
❑ CAPTCHAs are tools you can use to differentiate between real users and
automated users, such as bots. CAPTCHAs provide challenges that are
difficult for computers to perform but relatively easy for humans. For
example, identifying stretched letters or numbers, or clicking in a specific
area. @Manojkumar H. Radadiya
 What are CAPTCHAs Used For?
❑CAPTCHAs are used by any website that wishes to restrict usage by bots. Specific
uses include:
❑Maintaining poll accuracy: CAPTCHAs can prevent poll skewing by ensuring
that each vote is entered by a human. Although this does not limit the overall
number of votes that can be made, it makes the time required for each vote
longer, discouraging multiple votes.

❑Account Registration: Scammers may use automated bots to register fake

accounts with online services. CAPTCHAs on account creation pages make this
more difficult.
@Manojkumar H. Radadiya
❑Ticket Scalping: For large events where tickets sell out quickly, scalpers may
use automated bots to quickly buy up tickets for resale. CAPTCHAs help to
ensure that all tickets are purchased by humans.

❑Preventing false comments: CAPTCHAs can prevent bots from spamming

message boards, contact forms, or review sites. The extra step required by a
CAPTCHA can also play a role in reducing online harassment through
inconvenience.

@Manojkumar H. Radadiya
 How Does CAPTCHA Work?
❑CAPTCHAs work by providing information to a user for interpretation.
❑ Traditional CAPTCHAs provided distorted or overlapping letters and numbers that
a user then has to submit via a form field.
❑The distortion of the letters made it difficult for bots to interpret the text and
prevented access until the characters were verified.
❑This CAPTCHA type relies on a human’s ability to generalize and recognize novel
patterns based on variable past experience.
❑In contrast, bots can often only follow set patterns or input randomized
characters.
@Manojkumar H. Radadiya
 How Does CAPTCHA Work?
❑ This limitation makes it unlikely that bots will correctly guess the right
combination.
❑Since CAPTCHA was introduced, bots that use machine learning have been
developed.
❑These bots are better able to identify traditional CAPTCHAs with algorithms
trained in pattern recognition.
❑Due to this development, newer CAPTCHA methods are based on more complex
tests.
❑For example, reCAPTCHA requires clicking in a specific area and waiting until a
timer runs out.
@Manojkumar H. Radadiya
 Advantage of Using CAPTCHA
❑ They prevent spam from automated programs that could send emails,
comments or advertisements.
❑ They prevent fake registrations or sign-ups for websites.
❑ CAPTCHAs are familiar, so website visitors automatically understand
what they are tasked to do.
❑ CAPTCHAs are also easy to implement in building a website.

@Manojkumar H. Radadiya
 Drawbacks of Using CAPTCHA
❑ The overwhelming benefit of CAPTCHA is that it is highly effective
against all but the most sophisticated bad bots.
❑ However, CAPTCHA mechanisms can negatively affect the user
experience on your website:
❑ Disruptive and frustrating for users
❑ May be difficult to understand or use for some audiences
❑ Some CAPTCHA types do not support all browsers
❑ Some CAPTCHA types are not accessible to users who view a website
using screen readers or assistive devices
❑ Websites using CAPTCHAs may notice traffic decreases because users
find the tasks difficult. @Manojkumar H. Radadiya
 CAPTCHA Types: Examples
❑ Modern CAPTCHAs fall into three main categories
1. Text based
2. Image based and
3. Audio based

@Manojkumar H. Radadiya
 1. Text based
❑ Text-based CAPTCHAs are the original way in which humans were
verified.
❑ These CAPTCHAs can use known words or phrases, or random
combinations of digits and letters.
❑ Some text-based CAPTCHAs also include variations in capitalization.
❑ The CAPTCHA presents these characters in a way that is alienated and
requires interpretation.
❑ Alienation can involve scaling, rotation, distorting characters. It can also
involve overlapping characters with graphic elements such as color,
background noise, lines, arcs, or dots.
❑ This alienation provides @Manojkumar
protection against bots with insufficient text
H. Radadiya
@Manojkumar H. Radadiya
 Techniques for creating text-based CAPTCHAs include:

1. Gimpy: chooses an arbitrary number of words from an 850-word dictionary and

provides those words in a distorted fashion.
2. EZ-Gimpy: is a variation of Gimpy that uses only one word.
3. Gimpy-r: selects random letters, then distorts and adds background noise to
characters.
4. Simard’s HIP: selects random letters and numbers, then distorts characters with arcs
and colors.

@Manojkumar H. Radadiya
 2. Image based
❑ Image-based CAPTCHAs were developed to replace text-based ones.
These CAPTCHAs use recognizable graphical elements, such as
photos of animals, shapes, or scenes.
❑ Typically, image-based CAPTCHAs require users to select images
matching a theme or to identify images that don’t fit.
❑ You can see an example of this type of CAPTCHA below.
❑ Note that it defines the theme using an image instead of text.

@Manojkumar H. Radadiya
@Manojkumar H. Radadiya
❑Image-based CAPTCHAs are typically easier for humans to interpret than
text-based.
❑However, these tools present distinct accessibility issues for visually
impaired users.
❑For bots, image-based CAPTCHAs are more difficult than text to interpret
because these tools require both image recognition and semantic
classification.

@Manojkumar H. Radadiya
 3. Audio based
❑ Audio CAPTCHAs were developed as an alternative that grants
accessibility to visually impaired users.
❑ These CAPTCHAs are often used in combination with text or image-
based CAPTCHAs.
❑ Audio CAPTCHAs present an audio recording of a series of letters or
numbers which a user then enters.
❑ These CAPTCHAs rely on bots not being able to distinguish relevant
characters from background noise.
❑ Like text-based CAPTCHAs, these tools can be difficult for humans to
interpret as well as for bots.
@Manojkumar H. Radadiya
 4. Math or Word Problems
❑ Some CAPTCHA mechanisms ask users to solve a simple mathematical
problem such as “3+4” or “18-3”.
❑ The assumption is that a bot will find it difficult to identify the question
and devise a response.
❑ Another variant is a word problem, asking the user to type the missing
word in a sentence, or complete a sequence of several related terms.
❑ These types of problems are accessible to vision impaired users, but at
the same time they may be easier for bad bots to solve.

@Manojkumar H. Radadiya
 5. Social Media Sign In
❑ A popular alternative to CAPTCHA is requiring users to sign in using a
social profile such as Facebook, Google or LinkedIn.
❑ The user’s details will be automatically filled in using single sign on
(SSO) functionality provided by the social media website.
❑ This is still disruptive, but may actually be easier for the user to
complete than other forms of CAPTCHA.
❑ An additional benefit is that it is a convenient registration mechanism.

@Manojkumar H. Radadiya
 6. No CAPTCHA ReCAPTCHA
❑ This type of CAPTCHA, known for its use by Google, is much easier for
users than most other types.
❑ It provides a checkbox saying “I am not a robot” which users need to
select – and that’s all.
❑ It works by tracking user movements and identifying if the click and other
user activity on the page resembles human activity or a bot.
❑ If the test fails, reCAPTCHA provides a traditional image selection
CAPTCHA, but in most cases the checkbox test suffices to validate the
user.

@Manojkumar H. Radadiya
www.paruluniversity.ac.in
@Manojkumar H. Radadiya