2017 OWASP Top 10: Broken Authentication

  • Published 16 Sep 2024
  • New 2021 OWASP Lightboard Series:
    • 2021 OWASP Top Ten
    Video 2/10 on the 2017 OWASP Top Ten Security Risks.
    John Wagnon discusses the details of the #2 vulnerability listed in this year's OWASP Top 10 Security Risks: Broken Authentication. Learn about this security risk and how to guard against it.
    community.f5.c...

COMMENTS • 40

  • @Wayne_Robinson 4 years ago +23

    Having a shirt with a mirrored logo so it looks correct after processing the video is great attention to detail! As a side benefit, it might be entertaining to see how many people notice when wearing the shirt in public.

    • @TheSnehaShetti 4 years ago

      I noticed that too, to be honest. I like it.

    • @TheTechZLife 3 years ago

      just for that detail alone this dude gained my sub

  • @ELEchico 3 years ago +3

    Thank you for the quick and straightforward explanations :)

  • @Sam-rp4hy 4 years ago +17

    So, credential stuffing is like a dictionary attack, and an automated attack is more of a brute force.

    • @charanpreet2211 3 years ago +2

      I think credential stuffing is like brute force using rainbow tables (hashes stolen from previous breaches), and an automated attack is like a password cracking or password guessing attack/dictionary attack.

  • @ricardoblikman2676 2 years ago +2

    This is a hard one; it is extremely difficult to stop multiple username/password attacks on microservices in parallel from multiple addresses.

  • @anselmleo4146 4 years ago +3

    Thanks for the amazing breakdown @F5 DevCentral. I was wondering where token authentication like JWT and Passport comes into play?

  • @zer0day463 3 years ago +3

    Great explanation

  • @thifranzini 5 years ago +4

    Congrats on this video! It helped me a lot!

    • @devcentral 5 years ago

      I'm glad you enjoyed it!

  • @marianocalzada6472 2 years ago +1

    Amazing video!

  • @pankajgawai6944 9 months ago

    Great, sir

  • @zserfv1001 3 years ago +1

    Very helpful for me

  • @staynjohnson4221 4 years ago +3

    8:41
    If the initial session ID is thrown away and the server creates a brand new session ID (that is not sent to the browser, I suppose?) to interact with the client, how would the server now verify the client?

    • @AyushSharma-bn2js 4 years ago

      I have the same doubt!! I guess the session ID is shared with the browser, or else it would not make sense 😅

    • @pragyapranshu4976 3 years ago

      I believe once a session has been closed, you need to wait for some time and re-enter credentials again. Best example: logging on to banking websites.

    • @tgroy1 3 years ago

      A random session ID is generated by the server (preferably one which is complex and random enough that it is impossible to generate a valid one by luck) and sent to the browser. This random session ID should only be valid for a certain duration and definitely be invalidated on logout and idleness.
      For further reference: codeahoy.com/2016/04/13/generating-session-ids/
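The lifecycle the reply above describes, as an added example that is not part of the video or the thread: a minimal server-side session store that issues a CSPRNG-generated ID, throws the pre-login ID away and sends a fresh one to the browser when the user authenticates (the point the original question was about), and expires sessions on an absolute lifetime, on idleness, and on logout. The 8-hour and 15-minute limits, the store itself and the `Set-Cookie` helper are assumptions for illustration, not the behaviour of any particular framework.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: a session dies 8 h after creation, even if active
IDLE_TIMEOUT = 15 * 60         # assumed policy: a session dies after 15 min without a request


@dataclass
class Session:
    user: Optional[str]          # None until the client authenticates
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by an opaque random ID (hypothetical helper)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG (~256 bits): guessing a valid ID by luck is infeasible.
        return secrets.token_urlsafe(32)

    def create(self, user: Optional[str] = None) -> str:
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for an ID presented by the browser, or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: invalidate server-side
            return None
        s.last_seen = t                      # every accepted request resets the idle clock
        return s

    def login(self, old_sid: str, user: str) -> str:
        """Regenerate the ID on authentication: the old ID stops working, the new one
        is returned so the server can send it to the browser in a Set-Cookie header."""
        old = self._sessions.pop(old_sid, None)
        carried = old.data if old else {}    # keep e.g. a shopping cart, drop the old ID
        new_sid = self.create(user)
        self._sessions[new_sid].data = carried
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)        # server-side invalidation, not just cookie deletion


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that keep the ID off scripts and plaintext links (assumed settings)."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                    # pre-auth session, e.g. for a login form
    authed = store.login(anon, "alice")      # credentials verified elsewhere
    print(set_cookie_header(authed))         # browser stores the new ID
    print("old ID still valid?", store.lookup(anon) is not None)   # False
    print("new ID user:", store.lookup(authed).user)               # alice
```

The answer to the thread's question is in `login`: the new ID is not kept secret from the browser; it replaces the old one in the cookie, so that an ID an attacker may have planted or observed before authentication never becomes an authenticated session.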

  • @fahimuel 6 years ago +2

    It would have been better if John had suggested how the F5 Web Application Firewall or any other F5 products protect from the broken authentication problem or any other OWASP Top 10 issues.

    • @devcentral 6 years ago +3

      Thanks for the comment, fahimuel! We will be releasing videos very soon that show exactly what you mentioned: how the F5 ASM can guard against these attacks. Stay tuned!

    • @joshwaphilip9840 5 years ago

      A web application firewall is one of the secondary prevention methods, but basically the industry uses some primary methods, like password complexity, length, username/password enumeration, and protection from brute-force login.

    • @davisli 5 years ago +2

      @devcentral If failed-login lockout is one of the possible protection mechanisms, then I suppose an attacker who wants to deny users access to their services would succeed. Is there a way the F5 WAF can prevent distributed brute-force login attacks without locking legitimate users out? Maybe by geolocation or the usual device IDs of a legitimate user?

    • @devcentral 5 years ago +3

      @davisli Great question! The Advanced WAF has functionality that protects against this type of behavior by using device ID fingerprinting and IP reputation along with other features like Datasafe. Here are a couple of videos that might help...
      Datasafe: ua-cam.com/video/zys1z1peDkw/v-deo.html
      Credential Protection: ua-cam.com/video/Y0fPpc0YHg0/v-deo.html
      F5 Advanced WAF: ua-cam.com/video/HBbDKBV4QW0/v-deo.html
      Hope this helps!
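The trade-off raised in this exchange (a hard per-account lockout lets an attacker lock legitimate users out, while doing nothing lets distributed guessing through) can be shown in code. The following is an added example, not F5's product logic or anything from the video: a sliding-window login throttle that blocks the guessing source (the account/IP pair, or an IP with too many failures or bad reputation) rather than the account, steps up to a challenge such as MFA when one account sees failures from many addresses, and lets a previously seen device through. The window, thresholds, the reputation set and the device-ID handling are all assumptions; a real deployment would source the reputation feed and the device fingerprint from elsewhere.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

WINDOW = 15 * 60    # assumed policy: failures older than 15 min no longer count
PER_PAIR = 5        # failures for one (account, ip) before that source is blocked
PER_ACCOUNT = 10    # failures against one account from any ip before step-up
PER_IP = 20         # failures from one ip against any account before that ip is blocked

# Constructed stand-in for an IP-reputation feed (documentation range, not a real host).
BAD_REPUTATION_IPS: Set[str] = {"198.51.100.66"}


class LoginThrottle:
    """Per-source throttling that never hard-locks the account itself (hypothetical helper)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)
        self._known_devices: Dict[str, Set[str]] = defaultdict(set)

    def _count(self, key: str) -> int:
        # Drop timestamps that fell out of the window, then count what is left.
        q = self._fails[key]
        cutoff = self._now() - WINDOW
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def record_failure(self, account: str, ip: str) -> None:
        t = self._now()
        for key in (f"pair:{account}:{ip}", f"acct:{account}", f"ip:{ip}"):
            self._fails[key].append(t)

    def record_success(self, account: str, device_id: Optional[str]) -> None:
        # A successful login from a device marks it as known for that account.
        if device_id:
            self._known_devices[account].add(device_id)

    def decision(self, account: str, ip: str, device_id: Optional[str] = None) -> str:
        """Return 'allow', 'challenge' (step-up, e.g. MFA) or 'block' for an attempt."""
        if ip in BAD_REPUTATION_IPS:
            return "block"
        if self._count(f"ip:{ip}") >= PER_IP:
            return "block"                       # noisy source, any account
        if self._count(f"pair:{account}:{ip}") >= PER_PAIR:
            return "block"                       # this source against this account only
        if device_id and device_id in self._known_devices[account]:
            return "allow"                       # the user's usual device is not punished
        if self._count(f"acct:{account}") >= PER_ACCOUNT:
            return "challenge"                   # distributed guessing: step up, don't lock
        return "allow"


def replay(events: List[Tuple[str, str, Optional[str], bool]],
           now: Callable[[], float] = time.time) -> List[str]:
    """Feed (account, ip, device_id, credentials_ok) events through one throttle and
    return the decision taken for each attempt before its outcome was recorded."""
    th = LoginThrottle(now)
    decisions = []
    for account, ip, device, ok in events:
        d = th.decision(account, ip, device)
        decisions.append(d)
        if d == "block":
            continue                             # never reached password verification
        if ok:
            th.record_success(account, device)
        else:
            th.record_failure(account, ip)
    return decisions


if __name__ == "__main__":
    # Constructed traffic: a stuffing run against "alice" from several addresses,
    # then alice herself on her known laptop.
    sample = [("alice", "203.0.113.5", None, False)] * 6
    sample += [("alice", f"203.0.113.{10 + i}", None, False) for i in range(10)]
    sample += [("alice", "203.0.113.200", "dev-laptop", True)]
    for ev, d in zip(sample, replay(sample)):
        print(ev[1], ev[2], "->", d)
```

The account is never locked: an attacker who burns the pair threshold only blocks their own address, a flood of addresses raises the cost to a challenge, and a known device keeps the legitimate user's path open. Known-device state should be populated from earlier successful logins, as `record_success` does here.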

  • @chethangopalakrishna4264 5 years ago

    Useful information. Thank you.

  • @domaincontroller 3 years ago +1

    05:31 best practices

  • @yogeshwarans7781 3 years ago

    Sir, what is the purpose of using a session ID?

  • @Felix-og7pd 2 years ago

    how to solve?
    credential stuffing
    automated attacks
    top 10000 passwords
    how to break?
    multifactor auth
    password check (that not top 10000)
    password complexity
    firewall

  • @Eric-nm7ff 4 years ago

    Stopped watching at "password complexity" being suggested as a solution to any problem.

    • @thewatcherlollol 3 years ago

      ok buddy

    • @DrThrax009 3 years ago +1

      But why? This is one of the basic and cost-effective controls. Don't you think?

  • @dmaiyo5927 1 year ago +1

    How are you writing in reverse?

    • @devcentral 1 year ago

      Thanks for the comment, and a common question we get! This is how: ua-cam.com/video/U7E_L4wCPTc/v-deo.html