Transcript: Single Packet Authorization on the WEB -- WEB-SPA
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Single Packet Authorization on the WEB -- WEB-SPA
Dr. Markus Maria Miedaner, Syracom Consulting AG
Dr. Yiannis Pavlosoglou, USB AG
[email protected]@owasp.org
15.11.2012
Motivation for WEB-SPA
Ubiquity of web servers
Active defense against 0-Days
Easy to access
Urge to experiment
Include the mobile world
Consider deferred timeouts
No latency issues
Break the network layer boundary
Previous Work
Port Knocking
Established pre 2000 to open ports in firewalls
Susceptible to replay attacks
Limited to the network level
Port Knocking takes its time
Port field in TCP headers: 16 bit
Simple cipher text: 128 bit
8 packets required
4 seconds required
Example (64 bit hash): CRC32("pwd") = 32FB1181
The 8 ASCII characters of the hex string (64 bits) are converted to binary and chunked into pieces of 16 bits (listed here last chunk first):
0011100000110001 - 0011000100110001 - 0100011001000010 - 0011001100110010
Port numbers: 14385 12593 17986 13106
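The Python below is an editor's example added to this transcript, not code from the deck. It reproduces the slide's arithmetic (the ASCII hex digits of the CRC32 value cut into 16-bit port numbers, listed last chunk first as the slide does, and the packet count for a 128-bit payload) and adds a toy knock listener so that the latency and the replay weakness stated on the previous slide can be seen in code. The listener, its inter-knock window and the run_knocks helper are this example's own design; the CRC32 value printed on the slide is not re-checked here.

```python
import struct
import zlib


def crc32_hex(password: str) -> str:
    """The slide's 'hash': CRC32 rendered as 8 upper-case hex digits. CRC32 is a checksum,
    not a keyed or collision-resistant function; it appears here only because the slide uses it."""
    return f"{zlib.crc32(password.encode()) & 0xFFFFFFFF:08X}"


def ports_from_hex_digest(hex_digest: str) -> list:
    """Treat the digest's ASCII characters as raw bits and cut them into 16-bit TCP port numbers.
    The slide lists the chunks last-first, so the list is reversed to reproduce its port order."""
    raw = hex_digest.encode("ascii")
    if len(raw) % 2:
        raise ValueError("digest must have an even number of characters")
    chunks = [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, len(raw), 2)]
    return chunks[::-1]


def packets_required(payload_bits: int, port_bits: int = 16) -> int:
    """Knocks needed when each packet carries one port number's worth of payload."""
    return -(-payload_bits // port_bits)


class KnockListener:
    """Minimal knock-daemon state machine (example design): opens when the configured ports
    arrive in order, each within `window` seconds of the previous one. It keeps no memory of
    sequences it has already accepted, which is exactly why a sniffed sequence replays."""

    def __init__(self, sequence: list, window: float = 1.0):
        self.sequence = list(sequence)
        self.window = window
        self.progress = 0
        self.last_ts = None

    def hit(self, port: int, ts: float) -> bool:
        if self.last_ts is not None and ts - self.last_ts > self.window:
            self.progress = 0                      # too slow: start the sequence over
        self.last_ts = ts
        if port == self.sequence[self.progress]:
            self.progress += 1
            if self.progress == len(self.sequence):
                self.progress = 0
                return True                        # full sequence seen: open the door
        else:
            self.progress = 1 if port == self.sequence[0] else 0
        return False


def run_knocks(listener: KnockListener, knocks: list) -> list:
    """Feed (port, timestamp) pairs and return the timestamps at which the door opened."""
    return [ts for port, ts in knocks if listener.hit(port, ts)]
```

Sending the four ports at 0.5 s intervals opens the door at 1.5 s; feeding the same captured pairs shifted by a minute opens it again, and a gap longer than the window resets the sequence, so a slow client pays the full latency a second time.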
Single Packet Authentication
New protocol, first established in 2005
Extends Port Knocking
Mitigates some vulnerabilities
Combines authentication and authorization
hash(username+passwd+date)
Port Knocking, SPA and Security
Defence in depth: an additional layer? Detectability?
Exploitability of the server
Direct packet inspection
Log file analysis
Exploitability of the client
Client identification
Timeouts
Problems with Port Knocking and SPA
Logfile pollution
Flow vs. IP-based authentication
IDS/IPS detection
Anonymity → TOR
Password rotation
Slow
Attacks against Port Knocking and Single Packet Authorization
[Diagram: Client, Attacker 1, Attacker 2, Attacker 3, Server]
Attacks
Latency
Denial of Service
Replay
Man in the middle
Brute force
Weak cryptography
The WEB
Various authentication / authorisation schemes
Various 2 factor authentication methods
Strict separation of layers: Network, Transport, Application, Storage
WEB-SPA – The principle – STEP 1
1. One packet to a complex URL
WEB-SPA – The principle - STEP2
2. Use the service you activated
WEB-SPA 0.4 – How does it work?
Example URL: http://localhost/%CF%87/OKSNmjNF-...

The path is read left to right as:
Host:        http://localhost
Knock:       /%CF%87/  (the UTF-8 percent-encoding of the Greek letter chi)
DateHash:    OKSNmjNF-4kcY5HeUCuXhyGmEPw/
Version:     0.4/
UserHash:    RHfD0fT5xQwR2yqJSzVe2XoFWVw/
ActionHash:  VGnb45xSWAqkYEQ1NyRvvfEWUZg/
Message:     Tm90IG5vdw/  (base64url of "Not now")
UUID:        7172134f-6eec-4026-8b9e-f0ee77e79c81/
FinalHash:   FVKt_Y-R1DIF5VWMyQlGuBxa1gU/
Configuration Example for WEB-SPA
User Configuration (Username:Password:Action)
john:smith:msg
chris:cooper:linuxssh

Action Configuration (ActionName~#~StartCommand~#~StopCommand~#~Timeout)
linuxssh~#~service ssh start~#~service ssh stop~#~7
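The Python below is an editor's example added to this transcript; it is not WEB-SPA's own code. It serves both the hash(username+passwd+date) idea of the Single Packet Authentication slide and the URL layout and configuration formats shown above: a client builds one GET whose path carries knock, DateHash, version, UserHash, ActionHash, base64url message, UUID and FinalHash, and a server identifies the user, enforces a date window, checks that every field is bound by the final hash and refuses a repeated UUID. The deck does not say how its hashes are computed or what secret keys them, so the construction here is an assumption: HMAC-SHA256 keyed with the user's configured password over labelled fields (the tokens are therefore 43 characters, not the 27 on the slide), a one-day window for deferred timeouts, and the two config strings constructed from the configuration slide.

```python
import base64
import datetime
import hashlib
import hmac
import uuid
from urllib.parse import quote, unquote

KNOCK = "\u03c7"   # Greek chi, the "%CF%87" path element of the deck's example URL
VERSION = "0.4"

# Constructed sample configuration in the two formats shown on the configuration slide.
USER_CONFIG = "john:smith:msg\nchris:cooper:linuxssh"
ACTION_CONFIG = "linuxssh~#~service ssh start~#~service ssh stop~#~7"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the alphabet of the tokens in the example URL."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def tag(key: bytes, *parts: str) -> str:
    """ASSUMPTION: HMAC-SHA256 over '|'-joined, labelled parts; the deck does not state its construction."""
    return b64url(hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest())


def parse_users(text: str) -> dict:
    """Username:Password:Action, one user per line."""
    users = {}
    for line in text.strip().splitlines():
        name, password, action = line.strip().split(":", 2)
        users[name] = (password, action)
    return users


def parse_actions(text: str) -> dict:
    """ActionName~#~StartCommand~#~StopCommand~#~Timeout, one action per line."""
    actions = {}
    for line in text.strip().splitlines():
        name, start, stop, timeout = line.strip().split("~#~")
        actions[name] = {"start": start, "stop": stop, "timeout": int(timeout)}
    return actions


def build_url(host, username, password, action, message, date=None, nonce=None) -> str:
    """Client: the whole authorization request is one GET to this path."""
    key = password.encode()                        # ASSUMPTION: the configured password is the shared secret
    date = date or datetime.date.today().isoformat()
    nonce = nonce or str(uuid.uuid4())             # fresh UUID per request; the server's replay handle
    date_hash = tag(key, "date", date)
    user_hash = tag(key, "user", username)
    action_hash = tag(key, "action", action)
    msg = b64url(message.encode())
    final = tag(key, "final", date_hash, VERSION, user_hash, action_hash, msg, nonce)
    return f"http://{host}/{quote(KNOCK)}/{date_hash}/{VERSION}/{user_hash}/{action_hash}/{msg}/{nonce}/{final}/"


class WebSpaServer:
    """Server: identify the user, enforce the date window, bind every field, refuse replays."""

    def __init__(self, users: dict, actions: dict, window_days: int = 1):
        self.users, self.actions, self.window_days = users, actions, window_days
        self.seen_nonces = set()

    def verify(self, url: str, today: str = None) -> dict:
        base = datetime.date.fromisoformat(today) if today else datetime.date.today()
        parts = unquote(url.split("://", 1)[1].split("/", 1)[1]).strip("/").split("/")
        if len(parts) != 8 or parts[0] != KNOCK or parts[2] != VERSION:
            raise ValueError("not a WEB-SPA request")
        _, date_hash, _, user_hash, action_hash, msg, nonce, final = parts
        # Client identification: the URL names nobody, so recompute UserHash under every configured password.
        for name, (password, action) in self.users.items():
            key = password.encode()
            if hmac.compare_digest(tag(key, "user", name), user_hash):
                break
        else:
            raise PermissionError("unknown user")
        # Deferred timeout: today and up to window_days earlier are accepted (clock skew), nothing older.
        for delta in range(self.window_days + 1):
            day = (base - datetime.timedelta(days=delta)).isoformat()
            if hmac.compare_digest(tag(key, "date", day), date_hash):
                break
        else:
            raise PermissionError("date outside window")
        if not hmac.compare_digest(tag(key, "action", action), action_hash):
            raise PermissionError("action not permitted for this user")
        expected = tag(key, "final", date_hash, VERSION, user_hash, action_hash, msg, nonce)
        if not hmac.compare_digest(expected, final):
            raise PermissionError("final hash mismatch: URL was altered")
        if nonce in self.seen_nonces:
            raise PermissionError("replayed UUID")
        self.seen_nonces.add(nonce)
        act = self.actions.get(action, {})
        return {"user": name, "action": action, "message": b64url_decode(msg).decode(),
                "start": act.get("start"), "stop": act.get("stop"), "timeout": act.get("timeout")}


def rejected(server: WebSpaServer, url: str, today: str = None) -> bool:
    """True when the server refuses the URL (replay, tampering, stale date, unknown user)."""
    try:
        server.verify(url, today)
        return False
    except PermissionError:
        return True
```

Because the user is not named in the URL, the server must try every configured password to find the matching UserHash; that is linear in the user count and the reason the deck lists "client identification" and a DB backend among its open points. The UUID set grows without bound here; a real server would expire entries once the DateHash window has passed.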
Outlook
QR-Codes
Easy configuration of mobile devices
DB backend for configuration
Configurable hashing / public key cryptography
Non-repudiation of origin
Higher level of security
Longer URL
Summary
Web-SPA is:
SIMPLE
SECURE
HIGHLY CONFIGURABLE