*[Authentication and Security Concerns](#authentication-and-security-concerns)
26
26
*[Prevention and Countermeasures](#prevention-and-countermeasures)
27
+
*[Quiz](#quiz)
27
28
28
29
## Confusion with Authorization and Access
29
30
@@ -69,7 +70,6 @@ Open Authorization(OAuth) is a protocol in which a multi-step arrangement genera
69
70
70
71
Originally built for authorization, as it's name suggests, it has evolved for use in the authentication and authorization mechanisms. A very good resource that describes the OAuth in context of it's history and current implementations is here: https://www.youtube.com/watch?v=996OiexHze0
71
72
72
-
73
73
JSON Web Tokens (abbreviated JWT, pronounced "jot")
74
74
Multi-use tokens for authentication and session.
75
75
Three components, header contains information identifying type of token and algorithm used for the signature, payload/body that contains data about the disposition of the token, signature - which serves as an integrity check to establish if the token has been modified or tampered with.
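Review bot: dropping the blank line at old line 72 joins the OAuth paragraph that ends in the YouTube link with the three JWT lines that follow it ("JSON Web Tokens (abbreviated JWT, pronounced "jot")", "Multi-use tokens for authentication and session.", "Three components, header contains ...") into one Markdown paragraph, because consecutive non-blank lines are merged on render. Keep the blank line, or better, make the "JSON Web Tokens" line a `##` heading like the surrounding sections so JWT gets its own anchor. While here, the unchanged OAuth context line has "it's name" and "it's history", both of which should be "its".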
@@ -78,26 +78,32 @@ Base64 encoded and cryptographically signed
78
78
79
79
Tokens, like other authentication credentials, etc. must be protected in transit and at rest.
80
80
81
-
## Authentication Channels
81
+
## Sessions
82
82
83
83
### Description
84
84
85
85
Authentication is the first step a user must complete to access a secure application/data. For an application, that means something must be sent from
86
-
87
86
user->application authentication mechanism
88
87
and from
89
-
application authentication mechanism-> user
88
+
application authentication mechanism-> user -
89
+
90
+
Once an entity is authenticated, subsequent activity/interactions need to be tracked/attributed to the same entity. This is done by
91
+
establishing and manage a Session. This allows a user, once authenticated to have access to the application without having to show their credentials every time they want to perform an action.
92
+
93
+
Sessions save and keep updated the state of a user while the use an application. Opening time and closing time at a museum. A ticket and/or stamp gets you in and you can come and go in areas allowed by public/membership, but once the museum closes, you have to leave and come back another day. If you have a membership or ticket for multiple visits, you have to show your card/ticket at the door again.
90
94
91
-
user presents themselves in-person, or over a channel via electical signals
92
-
application responds over that same channel
95
+
Sessions do something similar this for applications. Depending on the application, howeever, they may be
93
96
94
-
WebSocket Connections ...
97
+
Session and Sessionless
95
98
96
-
Establish/Manage a Session
99
+
Session is being able to come and go so long as you're carrying your membership card.
97
100
98
-
Session-less ... fire and forget
101
+
Session-less ... fire and forget purchasing a single day pass for the museam. You don't get a membership card with your name, and if you're paying cash, probably can't track you individually.
99
102
100
-
## Security Concerns
103
+
104
+
## Authentication and Security Concerns
105
+
106
+
An application's authentication mechanism is a critical component. If not securely designed, it can provide an attack vector for malicious actors to gain access to legitimate user accounts, privileged application features, and
101
107
102
108
Authentication, credentials, should never be stored in cleartext, hardcoded in code base,
103
109
Credential Stuffing Attacks
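Review bot: several of the added sentences are unfinished and should be completed before this merges: new line 95, "Sessions do something similar this for applications. Depending on the application, howeever, they may be", stops without saying what they may be, and the new paragraph under "## Authentication and Security Concerns" ends at "privileged application features, and". New line 88, "application authentication mechanism-> user -", carries a stray trailing dash. Wording in the added text: "establishing and manage a Session" should read "establishing and managing a Session", "while the use an application" should be "while they use an application", and "howeever" and "museam" are typos. Removing the "## Authentication Channels" heading also removes its anchor, so check that no table-of-contents entry or link still points at `#authentication-channels`.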
@@ -110,18 +116,44 @@ Authentication Issues, Weaknesses, Failures make an appearance on multiple lists
110
116
OWASP Top 10 for Web Applications A07:2021-Identification and Authentication Failurs (used to be called Broken Authenticication
111
117
112
118
## Prevention and Countermeasures
119
+
Use built and tested authentication mechanisms in your code language framework. Due to the complexity, it is
113
120
121
+
## Quiz
122
+
Authentication is a key component of an application but given its integration with some of the other concepts mentioned in this module, it's implementation in your products can become complex. This module touched on some of the highlights but please refer to the references below for extensive explainations of authentication and related.
Which of the following OWASP Top 10 Web Application Security Risks are related to the abuse of credentials or flaws in mult-factor authentication implementation?
129
+
1)A02:2021-Cryptographic Failures
130
+
2)A05:2021-Security Misconfiguration
131
+
3)A07:2021-Identification and Authentication Failures
132
+
4)A08:2017-Insecure Deserialization
133
+
134
+
```
135
+
136
+
```
137
+
Which two are examples of a credential that can be used in an application's authentication process?
138
+
1)token
139
+
2)api call
140
+
3)session
141
+
4)username and password
142
+
143
+
```
144
+
```
145
+
Which statement best characterizes how an entity trying to be properly authenticated goes about it?
146
+
1)Hello, I just came from X street and would like to enter your establishment. I am who I say I am and I can show you proof. May I enter?
147
+
2)Let me in, now! Let me in , now! Let me in, now!!!!!
148
+
3)Trust me, I'm harmless
149
+
4)Yes, I know that id doesn't look like me but my friend said I can use it so it's ok
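Review bot: the added Prevention line "Use built and tested authentication mechanisms in your code language framework. Due to the complexity, it is" ends mid-sentence and needs its conclusion. The paragraph "Authentication is a key component of an application but given its integration ..." is placed after the new "## Quiz" heading, so it renders as part of the quiz; it reads as the module summary and belongs before that heading or under its own heading. The two empty ``` fences after the first two questions (new lines 134-136 and 143-144) contain nothing, so the quiz ships without an answer key; either put the answers inside them or drop the fences, and give the third question the same treatment as the other two. Small fixes in the added text: "mult-factor" to "multi-factor", "it's implementation" to "its implementation", "explainations" to "explanations"; the unchanged context line above still has "Failurs" and "Authenticication".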