People's Newsroom

BUILD A SECURE LOGIN

How Authentication works

  • Pre-login
  • Login page
  • Login redirect
  • Logged in
  • Log out

Each of these steps can be attacked, and each has its own defenses; a misconfiguration at any one of them weakens the whole flow.

PRE-LOGIN

  • Users get to the site in many ways: search engines, bookmarks, links from emails, direct URL entry, iframes from other sites.
  • Everything runs on the HTTP request/response model: each step below is a request the browser sends and a response the server returns.
  • Users shouldn’t be able to complete most actions before logging in, but they may be able to begin actions such as adding items to a cart or setting up a session.
  • Account Creation
  • Password Reset

LOGIN PAGE

Users can get to the login page by

  • Clicking on the login link on the site, or a link from an email or another site.
  • Attempting to go to a logged-in page without being logged in.
  • Making a request to a logged-in page after the session has expired.

Two things the login page must handle:

  • It needs to know where to send the user after successful login, and it must validate that destination, or it becomes an open redirect.
  • Its input can include a username, password, pre-login cookie, anti-CSRF token, CAPTCHA, and even a second factor such as an RSA token.

LOGIN REDIRECT

  • Upon successful verification of the user’s credentials, a redirection response that contains a Set-Cookie header is returned.
  • Usually an HTTP 302 Found response with a Location header.
  • Sometimes a webpage is returned which includes a JavaScript or meta tag redirect.
  • The new cookie is the logged-in session cookie. It should be a freshly generated identifier rather than the pre-login one, so that a token an attacker planted before login does not become an authenticated session.

LOGGED IN

  • Now that the user is logged in, they can take sensitive actions and look at sensitive data.
  • The user stays logged in because the browser adds the Cookie header to every request (with the appropriate domain, path, flags, etc.).
  • Often users have to fill out long forms that take longer than the inactivity logout period.
  • Users may have multiple tabs open which make it difficult to impose an order on their actions.

LOG OUT

How do users log out?

  • They click on the logout link.
  • Their session expires due to inactivity or absolute timeout.
  • They complete an action.
  • They navigate to a non-logged-in section of the site.

What the server does:

  • If the user’s session hasn’t expired yet, it returns a response with a Set-Cookie header that expires the logged-in cookie, invalidates the session on the server side, and then redirects the user.
  • Otherwise, the user is redirected to the login page.
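The login-redirect and logout steps above, as an added example that is not code from the original page and is written against no particular framework. It shows the three things the text asks for: a fresh, unpredictable session token minted at login (the pre-login token is never promoted, which defeats session fixation), a validated redirect target (no open redirect and no CR/LF that could inject a second header after Location), and a logout that both expires the cookie and invalidates the session server-side so a copied cookie cannot be replayed. The names SessionStore, build_login_redirect, build_logout_redirect, the cookie name "sid" and the timeout values are this example's own assumptions.

```python
"""Added example: server-side model of login redirect and logout for the
flow described in the text. Not from the original page; names, cookie name
and timeouts are assumptions made here for illustration."""
import secrets
import time
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"            # cookie name, an assumption of this example
TOKEN_BYTES = 32                  # 256 bits from the OS CSPRNG
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # hard ceiling regardless of activity


class SessionStore:
    """In-memory session table: token -> [username, created, last_seen]."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, username):
        # Never promote the pre-login cookie: always mint a new token at login.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        t = self._now()
        self._sessions[token] = [username, t, t]
        return token

    def user_for(self, token):
        """Username for a live session, or None if the token is unknown,
        expired (idle or absolute), or has been logged out."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        username, created, last_seen = rec
        t = self._now()
        if t - last_seen > IDLE_TIMEOUT or t - created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        rec[2] = t
        return username

    def destroy(self, token):
        # Server-side invalidation; expiring the cookie in the browser alone
        # does nothing to stop replay of a token an attacker already copied.
        self._sessions.pop(token, None)


def safe_redirect_target(next_url, default="/"):
    """Allow only a same-site, path-only destination. Rejects absolute URLs,
    scheme-relative //evil.example, backslash tricks browsers normalise to
    slashes, and CR/LF that would split the Location header."""
    if not next_url or any(c in next_url for c in "\r\n\\"):
        return default
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not next_url.startswith("/") or next_url.startswith("//"):
        return default
    return next_url


def build_login_redirect(store, username, next_url):
    """Headers for the 302 that follows a successful credential check."""
    token = store.create(username)
    cookie = (f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; "
              f"SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}")
    return {"Status": "302 Found",
            "Location": safe_redirect_target(next_url),
            "Set-Cookie": cookie}


def build_logout_redirect(store, token):
    """Headers for the logout response: kill the server-side session, then
    tell the browser to drop the cookie and go to the login page."""
    store.destroy(token)
    expire = (f"{SESSION_COOKIE}=; Path=/; Secure; HttpOnly; SameSite=Lax; "
              f"Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT")
    return {"Status": "302 Found", "Location": "/login", "Set-Cookie": expire}


def token_from_headers(headers):
    """Pull the session token back out of a Set-Cookie header value."""
    return headers["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    store = SessionStore()
    resp = build_login_redirect(store, "alice", "//evil.example/phish")
    print(resp["Location"])        # "/" : the off-site target was refused
    sid = token_from_headers(resp)
    print(store.user_for(sid))     # alice
    build_logout_redirect(store, sid)
    print(store.user_for(sid))     # None : replaying the old cookie fails
```

The redirect check is deliberately an allow-list of relative paths rather than a deny-list of known-bad hosts; a deny-list is where open redirects usually survive. The fake-clock constructor argument exists only so the idle and absolute timeouts can be exercised without waiting.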

ATTACK GOALS

  • Bypass login
  • Log in as another user
  • Force logged in users to take actions
  • Get access to logged-in users’ information
  • Affect pre-login actions that affect logged-in actions
  • Get users to log in to a known session or account
  • Get valid usernames
  • Get valid user passwords
  • Get valid user email addresses
  • Lock out users

PRE-LOGIN

  • SQL Injection – same database
  • XSS as a Social Engineering vector
  • Cookie attacks: XSS, lack of SSL, Header Injection, token prediction
  • Session via URL token (no cookies)
  • CSRF and Clickjacking
  • User Enumeration
  • Password Reset
  • Account Creation
  • Login form
  • Inadequate SSL Coverage
  • Combination XSS with CSRF to the logged-in section to get sensitive data.

LOGIN PAGE

  • SQL Injection to bypass verification
  • XSS as a key logger
  • User Enumeration
  • Password Bruteforcing
  • SQL Injection for password gathering
  • Login CSRF
  • Contests
  • Stored data
  • I was framed! (the login page loaded in an attacker’s frame, i.e. clickjacking)
  • Inadequate SSL
  • Account Lockout
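The "SQL Injection to bypass verification" and "User Enumeration" bullets above, as an added example that is not code from the original page: a vulnerable login check beside a hardened one, run against an in-memory SQLite database. The schema, the sample users and the attack strings are constructed here for illustration. The hardened version uses a parameterised query, stores only salted PBKDF2 hashes (so an injection or a dump of the table cannot yield passwords, which is what the "SQL Injection for password gathering" bullet is about), compares hashes in constant time, and takes the same path and roughly the same time whether the username or the password was wrong.

```python
"""Added example: SQL injection login bypass and its hardened counterpart.
Not from the original page; schema, users and inputs are constructed here."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune for your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_db():
    """Two tables: a legacy one with plaintext passwords (what the vulnerable
    code queries) and a hardened one holding salt + hash only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        db.execute("INSERT INTO users_legacy VALUES (?, ?)", (user, pw))
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return db


def login_vulnerable(db, username, password):
    """DO NOT COPY: user input is spliced straight into the SQL text, so the
    attacker controls the WHERE clause and the password check can be
    commented out."""
    sql = ("SELECT username FROM users_legacy WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Parameterised lookup, constant-time hash comparison, single failure
    path: the caller cannot tell an unknown user from a wrong password."""
    row = db.execute(
        "SELECT salt, hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Still pay for one PBKDF2 on a dummy salt so a missing user takes
        # about as long as a wrong password (timing-based enumeration).
        hash_password(password, salt=b"\x00" * 16)
        return None
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return username if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    db = make_db()
    # Classic bypass: comment out the password check, log in as the first row.
    print(login_vulnerable(db, "' OR '1'='1' --", "anything"))  # alice
    # Targeted bypass: choose the victim by name.
    print(login_vulnerable(db, "bob' --", "anything"))          # bob
    print(login_hardened(db, "bob' --", "anything"))            # None
    print(login_hardened(db, "bob", "hunter2"))                 # bob
```

The fix is the parameter placeholder, not escaping: with `?` the driver never lets the input become SQL syntax. Hashing is a separate defence that limits what an injection elsewhere in the application can extract.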

LOGIN REDIRECT

  • Header Injection: Location header
  • Session Fixation
  • Predictable session token
  • Forced redirection
  • Off-site (Referer header)
  • CSRF
  • SSL
  • Javascript or meta tag redirect XSS

LOGGED IN

  • XSS framework for full control (BeEF)
  • XSS for session token capture
  • SQL Injection via CSRF
  • CSRF and Clickjacking
  • Inadequate SSL coverage
  • Authentication bypass
  • Disclosure of URL parameters (Referer)
  • AJAX hijacking
  • Force logout

LOG OUT

  • Forced redirection
  • Header injection: Location
  • Session reuse / Inadequate logout
  • Pre-login
  • CSRF logout

PASSWORD SAFES AND FIREWALL ADMINISTRATIONS

Password Safes and the firewalls around them are your privileged access management solution for protecting resources from insider threats. A Password Safe combines privileged password management with session management to discover, manage, and audit all privileged credential activity. It is supported on a hardened U-Series Appliance and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

More specifically, a Password Safe lets you:

  • Scan, identify, and profile all assets for automated Password Safe management, ensuring no credentials are left unmanaged.
  • Control privileged user accounts, applications, SSH keys, cloud admin accounts, RPA accounts, and more.
  • Apply adaptive access control that evaluates just-in-time context when authorizing access requests.
  • Monitor and record live sessions in real-time and pause or terminate suspicious sessions.
  • Enable a searchable audit trail for compliance and forensics, and achieve complete control and accountability over privileged accounts.
  • Restrict access to critical systems, including assets and applications, keeping them safe from insider threats.

The following authentication types can be used.

  • Password Safe Authentication
  • Active Directory: Add Active Directory users as members.
  • LDAP: Add LDAP users as members.
  • Smart Card: Configure Password Safe to allow authentication using a Smart Card PIN.
  • RADIUS: Configure multi-factor authentication with a RADIUS server.
  • Third-Party Authentication: Configure Password Safe to use authentication for web tools that support SAML 2.0 standards such as PingID, Okta, and ADFS.

Available features

Assets: Display and manage all assets. Access the Smart Rules page to create and manage Smart Groups. Add assets to Password Safe management.

Smart Rules: View and manage Smart Rules.

Scan: Schedule Discovery Scans.

Scans: Review active, completed, and scheduled scans.

Endpoint Privilege Management: View and manage Endpoint Privilege Management events, policies, policy users, agents, file integrity monitoring, and session monitoring.

Managed Systems: View and configure properties for Password Safe managed systems, managed databases, managed directories, managed applications, and their associated Smart Rules.  

Managed Accounts: View and configure properties for Password Safe managed accounts and their associated Smart Rules.

Password Safe: Access the Password Safe web portal to request passwords and remote access sessions and to approve requests.

Team Passwords: View and manage team credentials.

Analytics & Reporting: Access reports on collected data.

Configuration: Configure BeyondInsight and Password Safe components and objects, such as users and groups, authentication settings, connectors, and much more.
