Showing posts with label Cyber Security. Show all posts
Showing posts with label Cyber Security. Show all posts

Monday, May 15, 2023

Application Security Risk - Broken Access Control

0 comments
Broken Access Control refers to vulnerabilities that allow unauthorized actors to gain access to sensitive information or perform actions they are not supposed to. This can be categorized into several common weaknesses:CWE-200: Exposure of Sensitive Information to an Unauthorized Actor




CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-352: Cross-Site Request Forgery

  • Common causes of Broken Access Control include:Violation of the principle of least privilege or deny by default. This means that access should only be granted to specific capabilities, roles, or users, but it is instead available to anyone.
  • Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, HTML pages, or by using attack tools to modify API requests.
  • Allowing the viewing or editing of someone else's account by providing its unique identifier (insecure direct object references).
  • Accessing APIs without proper access controls for POST, PUT, and DELETE operations.
  • Elevation of privilege, such as acting as a user without being logged in or acting as an admin when logged in as a regular user.
  • Manipulation of metadata, like replaying or tampering with access control tokens such as JSON Web Tokens (JWTs), cookies, or hidden fields to elevate privileges or abuse JWT invalidation.
  • Misconfiguration of Cross-Origin Resource Sharing (CORS), which allows unauthorized or untrusted origins to access APIs.
  • Force browsing to authenticated pages as an unauthenticated user or accessing privileged pages as a standard user.

Here are two scenarios that illustrate Broken Access Control vulnerabilities:

Scenario #1: The application uses unverified data in a SQL call that accesses account information:
java
pstmt.setString(1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery();


An attacker can simply modify the browser's 'acct' parameter to send any account number they want. If this input is not properly verified, the attacker can access any user's account by manipulating the URL:
arduino
https://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker can force browse to target URLs that should be restricted to certain user roles. For example, access to the admin page requires admin rights:
ruby
https://example.com/app/getappInfo https://example.com/app/admin_getappInfo


If an unauthenticated user can access either of these pages, it indicates a flaw. Similarly, if a non-admin user can access the admin page, it is also a security vulnerability.

Prevention Measures:

  • To prevent Broken Access Control vulnerabilities, follow these best practices:Implement access control mechanisms in trusted server-side code or serverless APIs, where attackers cannot modify the access control check or metadata.
  • Except for public resources, adopt a deny-by-default approach, meaning that access is only granted to specific resources and actions.
  • Implement access control mechanisms once and reuse them consistently throughout the application. Minimize the usage of Cross-Origin Resource Sharing (CORS).
  • Ensure that access controls enforce record ownership, rather than assuming that users can create, read, update, or delete any record.
  • Enforce unique application business limit requirements using domain models.
  • Disable web server directory listing and remove sensitive file metadata (e.g., .git) and backup files from web roots.
  • Log access control failures and alert administrators when appropriate, such as in cases of repeated failures.
  • Implement rate limiting on API and controller access to mitigate harm from automated attack tools.
  • Invalidate stateful session identifiers on the server after logout. If using stateless JWT tokens, ensure they have a short lifespan to minimize the attacker's window of opportunity. For longer-lived JWTs, it is highly recommended to follow the OAuth standards for token revocation and management.

  • By following these preventive measures, you can enhance the security of your application and mitigate the risk of Broken Access Control vulnerabilities. Regular security assessments and testing should also be conducted to identify and address any potential weaknesses in access control mechanisms.

  • It is crucial to prioritize security during the development process and ensure that access controls are implemented correctly and consistently. This includes ongoing monitoring and updates as new vulnerabilities and attack techniques emerge.

  • Remember, access control is a critical aspect of protecting sensitive information and preventing unauthorized access. By implementing robust access control measures, you can significantly reduce the risk of data breaches and unauthorized activities within your application.

Read more...

Friday, February 24, 2023

Argon2 - a popular algorithm for password hashing

0 comments
The best algorithm for password hashing depends on several factors, including the specific use case, the desired level of security, and the available hardware resources. However, there are some widely accepted best practices in the security community.



One popular algorithm for password hashing is Argon2, which won the Password Hashing Competition in 2015. Argon2 is designed to be memory-hard, which means that it requires a lot of memory to compute, making it more difficult for attackers to use specialized hardware to crack passwords. It also supports both salt and multiple iterations, which further increase security.

Here is an example of how to use Argon2 in Python:

python
import argon2 # Generate a salt salt = argon2.low_level.generate_salt() # Hash a password password = "password123" hash = argon2.hash_password(password, salt) # Verify a password if argon2.verify_password(hash, password): print("Password is correct!") else: print("Password is incorrect.")


This code uses the argon2 library to generate a random salt and hash a password using Argon2. The hash_password() function takes the password and salt as inputs and returns a string representing the hashed password. The verify_password() function takes the hash and a plaintext password as inputs and returns True if the password is correct, or False if it's incorrect.

It's important to note that hashing passwords is just one part of a comprehensive password security strategy. It's also important to use strong, unique passwords, to educate users on password best practices, and to use other security measures such as multi-factor authentication.

Read more...

Latest Posts

Label tag

Page copy protected against web site content infringement by Copyscape
 
About Me
Info Tech provies IT tips, Applications, Blogger, Blog, Adsense ... Use Firefox to open this site!