Credential stuffing prevention

Source: Internet
Author: User

0x00 Background

Credential stuffing is already listed among the Top 10 Security Risks for 2014. No matter how strong your own site's password policy is, account passwords leak from other sites, so defending against credential stuffing remains an important part of account security. The previous article introduced the basics of account scanning (mass credential testing), the harm it does and the basic ways to prevent it.

This article describes in more detail how to prevent credential stuffing and account scanning by underground operators whose tooling keeps advancing. Because it touches on internal policies, it is offered only as a reference.

Credential stuffing is nothing more than the automated or scripted submission of user name and password pairs to the login endpoint, after which the script judges whether the login succeeded from the response: a 302 redirect, characteristic page content or response size, or whether a Set-Cookie header was returned. Which methods can be used to mitigate this batch behavior by malicious users?

0x01 Details

Traditionally, enterprises simply add a CAPTCHA to the login page. However, automated CAPTCHA recognition scripts have existed for a long time, so recognising a simple CAPTCHA is no longer an obstacle, and this method does little against targeted, malicious attacks.

Secondly, some enterprises that care about user experience only pop up a CAPTCHA that is hard for scripts to recognise after the account or password has been entered incorrectly several times (of course, users are not very good at recognising it either). Because this decision relies on very few dimensions, it is still easy to bypass.

Therefore, we need more policies to raise the attacker's cost and prevent malicious credential stuffing.

We can capture and identify parameters that are unique to each user and use them for control.

The basic requirements are: hard to forge, easy to obtain, and long retention time.

Currently, Canvas fingerprinting is very popular: the same machine and the same browser produce the same Canvas fingerprint, even after reinstalling. For more information, see http://security.tencent.com/index.php/blog/msg/59.

Test code:
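The following is an added example of a Canvas fingerprint collector, not the test code of the original article or of the Tencent post it links to. It draws a fixed scene, hashes the PNG data URL and returns a short hex token; the field name "canvas_fp" and the scene itself are assumptions. The token is one weak signal only, since a script that has seen one can replay it, so the server should count requests per token rather than trust it.

```javascript
// 32-bit FNV-1a over a string, returned as 8 hex digits. Hashing keeps the
// token short; the raw PNG data URL is several KB.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Draw a fixed scene: text with an emoji plus overlapping translucent fills.
// Font rasterisation and anti-aliasing differ between machines/browsers, so
// the pixels (and therefore the hash) differ, while staying stable on one box.
function drawScene(ctx) {
  ctx.textBaseline = "top";
  ctx.font = "14px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = "#069";
  ctx.fillText("Cwm fjordbank glyphs vext quiz, \u{1F600}", 2, 15);
  ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
  ctx.fillText("Cwm fjordbank glyphs vext quiz, \u{1F600}", 4, 17);
}

// `canvas` is an HTMLCanvasElement in the browser. Returns null when a 2D
// context is unavailable (old browser or a privacy extension blocking it),
// so the server sees the dimension as absent rather than as a fake value.
function canvasFingerprint(canvas) {
  const ctx = canvas.getContext("2d");
  if (!ctx) return null;
  canvas.width = 240;
  canvas.height = 30;
  drawScene(ctx);
  return fnv1a(canvas.toDataURL());
}

// Browser usage: submit the token with the login form as a hidden field
// (the field name "canvas_fp" is our assumption, not from the article).
function attachFingerprint(form) {
  const input = document.createElement("input");
  input.type = "hidden";
  input.name = "canvas_fp";
  input.value = canvasFingerprint(document.createElement("canvas")) || "";
  form.appendChild(input);
}
```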

Flash cookies are also often used to prevent credential stuffing. Safari does not support Flash, but Flash cookies can still be one of the important dimensions.

Cookies can be used in various ways, for example by checking whether the request carries cookies at all, and by verifying a specific cookie value.

(1) What is the difference between Flash cookies and cookies?

1. The storage size is different. A cookie holds only 4 KB, while a Flash cookie holds … KB by default, and this default can be adjusted.

2. The storage duration is different. Cookies generally expire automatically after a period of time, but Flash cookies do not; unless you delete them, they stay on your computer forever.

3. The storage location is different. Users do not need to know where ordinary cookies are stored, because plenty of software can delete them and browsers even have this function built in. Flash cookies are stored in the C:\Documents and Settings\User Name\Application Data\Macromedia\Flash Player folder: the #SharedObjects folder holds the Flash cookies themselves, and macromedia.com stores the global Flash cookie settings.

(2) To make Flash cookies persistent, Flash cookies and HTTP cookies clearly must first be able to exchange data. Technically, using JavaScript to communicate with ActionScript is obviously the best choice: besides their similar syntax, there is a mature implementation of communication between the two languages. The implementation process is described at:

http://www.biaodianfu.com/flash-cookies.html

Finally, JS can collect user-related data, such as the user's behavior track and click events, to distinguish human from machine behavior.

You can record the JS keydown, keyup, mousedown, mouseup and other events as needed.

Of course, with so many dimensions there is one parameter that must not be forgotten: the IP address. Although limiting by IP alone is far from enough against today's users, it has a surprisingly good effect when used well.

The following section describes how to build credential stuffing rules. You need to use your own business and data analysis to develop policies that suit your business.

However, we need to understand that attack and defense are two continuous, constantly improving processes; the strategy should also be changed and optimised over time.

1. When the password entered by the user is incorrect, apply a policy to the account being entered: at different thresholds display different levels of verification code, and block accordingly.

2. For requests from the same IP address within a time window, display different levels of verification code at different thresholds, and block accordingly.

3. If Canvas fingerprinting is used, check whether the request submits this parameter; if it does not, take different security measures. (While the application is immature, this item is only one of the dimensions.)

4. When Flash cookies are used, check whether the request contains this parameter, and set a reasonable security policy on the number of requests counted per single Flash cookie.

5. Use cookies: determine whether the request contains cookies or a specific cookie value, count the requests per single cookie or per specific cookie value, and apply a reasonable security policy.

6. When JS-collected parameters are submitted, check whether the request contains them, for example whether the mouse moved, the keyboard was used, and how long the input took, and apply a reasonable security policy.

0x02 Summary
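The six rules above, as an added example of a server-side scorer (not code from the original article): every attempt is counted per account, per IP and per client-side token, missing tokens or missing keyboard/mouse activity raise the level, and the windowed counts map to allow / CAPTCHA / hard CAPTCHA / block. The thresholds, windows and field names are illustrative assumptions to be tuned against your own logs.

```javascript
const LEVEL = { ALLOW: 0, CAPTCHA: 1, HARD_CAPTCHA: 2, BLOCK: 3 };
// Per-dimension window (seconds) and the hit counts at which each level
// applies. Illustrative assumptions only; tune them against real logs.
const RULES = {
  account:      { window: 600, captcha: 3,  hard: 6,  block: 10 },  // rule 1
  ip:           { window: 60,  captcha: 20, hard: 50, block: 100 }, // rule 2
  canvas_fp:    { window: 600, captcha: 5,  hard: 10, block: 20 },  // rule 3
  flash_cookie: { window: 600, captcha: 5,  hard: 10, block: 20 },  // rule 4
  cookie:       { window: 600, captcha: 5,  hard: 10, block: 20 },  // rule 5
};

class StuffingGuard {
  // `now` returns seconds; injectable so a test can control the clock.
  constructor(now = () => Date.now() / 1000) {
    this.now = now;
    this.hits = new Map(); // "dimension:value" -> timestamps inside the window
  }

  // Record one hit for dimension/value and map the windowed count to a level.
  levelFor(dim, value) {
    const key = `${dim}:${value}`;
    const t = this.now();
    const kept = (this.hits.get(key) || []).filter((ts) => t - ts < RULES[dim].window);
    kept.push(t);
    this.hits.set(key, kept);
    const n = kept.length, r = RULES[dim];
    if (n >= r.block) return LEVEL.BLOCK;
    if (n >= r.hard) return LEVEL.HARD_CAPTCHA;
    return n >= r.captcha ? LEVEL.CAPTCHA : LEVEL.ALLOW;
  }

  // attempt: { account, ip, canvas_fp, flash_cookie, cookie,
  //            behavior: { keydown, mousemove }, success }
  evaluate(attempt) {
    let level = LEVEL.ALLOW;
    // Rules 3-5: a request missing the client-side token looks scripted;
    // when present, requests are counted per token value.
    for (const dim of ["canvas_fp", "flash_cookie", "cookie"]) {
      level = Math.max(level, attempt[dim] ? this.levelFor(dim, attempt[dim]) : LEVEL.CAPTCHA);
    }
    // Rule 6: no keyboard or mouse activity was recorded before submitting.
    const b = attempt.behavior || {};
    if (!(b.keydown > 0 && b.mousemove > 0)) level = Math.max(level, LEVEL.CAPTCHA);
    // Rule 2: every request counts per IP; rule 1: only failures per account.
    level = Math.max(level, this.levelFor("ip", attempt.ip));
    if (!attempt.success) level = Math.max(level, this.levelFor("account", attempt.account));
    return level;
  }
}
```

The counters here live in process memory; a real deployment keeps them in a shared store so that all login servers see the same counts.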

The policies above are only for discussion. The specific approach is to start from the actual situation shown in the current logs and gradually adjust the policies until an acceptable point is reached.

The risk of account scanning will continue. It was just reported that a foreign hacker group has obtained 1.2 billion login credentials. Internet account security incidents occur frequently, so we should pay more attention to this "non-vulnerability", the credential stuffing vulnerability.
