Web security learning: problems with the authentication mechanism

Source: Internet
Author: User
Tags: ssl certificate, strong password

The authentication mechanism is the core mechanism by which an application defends itself against malicious attacks. It is the front line of defence against unauthorized access: if an attacker can break through it, they can usually control the full functionality of the application and freely access its data. Without a secure and robust authentication mechanism, the other core security mechanisms (such as session management and access control) cannot be effectively implemented.

Common authentication mechanisms in web applications are:

1) HTML form-based authentication (the most common)

2) Multi-factor mechanisms, such as a password combined with a physical token

3) Client SSL certificates or smart cards (expensive)

4) HTTP Basic and Digest authentication (mostly used on intranets)

5) Integrated Windows authentication using NTLM or Kerberos

6) Authentication services

Now let's look at some problems that may exist in authentication mechanisms. They fall into two categories: design flaws and implementation flaws.

Design flaws in the authentication mechanism:

1) Weak passwords: very short or blank passwords, common dictionary words or names used as passwords, a password identical to the user name, or a default password still in use. Any of these makes the account prone to brute-force cracking.

2) Brute-forceable login (the application allows an attacker to repeatedly attempt to log in with different passwords)

3) Verbose failure messages (the message reveals whether it was the user name or the password that was wrong, so an attacker can easily determine valid user names as the basis for subsequent attacks)

With verbose failure messages, user names can be enumerated first and passwords then guessed against those user names.

4) Insecure credential transmission (credentials sent over an unencrypted HTTP connection, or handled by the application in an unsafe way)

Perform a successful login while monitoring all traffic between client and server, and identify every case in which credentials are transmitted in either direction. If credentials are found to be submitted via a URL query string or a cookie, work out why the developer did it this way. Neither plain HTTP nor query-string transmission is safe.

5) Password change function (gives verbose error messages indicating whether the requested user name is valid, allows unlimited guessing of the existing-password field, or verifies the existing password before checking that the new password and the confirmation match)

Submit requests to the password change function with an invalid user name, an invalid existing password, and mismatched "new password" and "confirm password" values, to identify any behaviour that can be used for user name enumeration or brute-force attacks.

6) Forgotten-password function

User name enumeration, and weak challenge/response (secret question) handling

7) "Remember me" function

The "remember me" feature is implemented with a simple cookie whose value can be inferred, allowing the login step to be bypassed

8) User impersonation function (leading to vertical privilege escalation, etc.)

9) Incomplete credential validation (the password is truncated and only its first n characters are checked, the comparison is case-insensitive, or unusual characters are stripped out before comparison)

10) Non-unique user names (enable enumeration and may reveal the password of another account)

11) Predictable user names

12) Predictable initial passwords

13) Insecure credential distribution (credentials or passwords sent by e-mail or post, or activation URLs that follow an identifiable sequence)
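The following is an added example (not code from the original article) that makes design flaws 3 and 9 concrete in Python. `weak_login` returns a different message for an unknown user name than for a wrong password, and truncates and lower-cases the password before comparing it; `strong_login` compares the full password in constant time, does the same amount of work whether or not the user name exists, and returns one generic message. The accounts, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of exactly the string the application chose to validate."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def normalise_weak(password: str) -> str:
    """Design flaw 9: only the first 8 characters count and case is ignored."""
    return password[:8].lower()


def normalise_strong(password: str) -> str:
    """Validate the full password exactly as entered."""
    return password


def make_store(users: dict, normalise) -> dict:
    """Build a user name -> (salt, hash) store. Each entry is hashed the same way
    the matching login routine will hash submitted passwords."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(normalise(password), salt))
    return store


# Constructed sample accounts; not taken from any real system.
SAMPLE_USERS = {"alice": "Tr0ub4dor&3-longer", "bob": "CorrectHorseBattery"}
WEAK_STORE = make_store(SAMPLE_USERS, normalise_weak)
STRONG_STORE = make_store(SAMPLE_USERS, normalise_strong)

# Dummy entry so the hardened login does the same work for unknown user names
# (keeps response timing from revealing which names exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("", _DUMMY_SALT)


def weak_login(store, username, password):
    """Exhibits design flaws 3 and 9: the failure message says which field was
    wrong, and the password is truncated and lower-cased before comparison."""
    if username not in store:
        return False, "unknown user name"
    salt, expected = store[username]
    if _hash_password(normalise_weak(password), salt) != expected:
        return False, "wrong password"
    return True, "ok"


def strong_login(store, username, password):
    """Hardened: full, case-sensitive comparison in constant time, the same
    amount of work whether or not the user name exists, one generic message."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    actual = _hash_password(normalise_strong(password), salt)
    if username in store and hmac.compare_digest(actual, expected):
        return True, "ok"
    return False, "invalid user name or password"


def enumerable(login, store, known_user: str) -> bool:
    """Check for design flaw 3: does an unknown user name produce a different
    failure message than a known user name with a wrong password?"""
    _, unknown_msg = login(store, "no-such-user", "definitely-wrong")
    _, wrong_pw_msg = login(store, known_user, "definitely-wrong")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    # A password that matches only in its first 8 characters, ignoring case,
    # is accepted by the weak routine and rejected by the hardened one.
    print(weak_login(WEAK_STORE, "alice", "TR0UB4DOR-garbage"))
    print(strong_login(STRONG_STORE, "alice", "TR0UB4DOR-garbage"))
    print("weak enumerable:", enumerable(weak_login, WEAK_STORE, "alice"))
    print("strong enumerable:", enumerable(strong_login, STRONG_STORE, "alice"))
```

The `enumerable` check is the kind of test a reviewer can run against any login routine: if the two failure messages (or, in a real deployment, the response sizes or timings) differ, user names can be harvested before any password guessing starts.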

Implementation flaws in the authentication mechanism:

1) Fail-open login mechanism (a logic defect)

2) Defects in multi-stage login mechanisms

Some applications use an elaborate multi-stage login mechanism: for example, entering a user name and password, then answering a challenge such as specific digits of a PIN or a memorable word, then submitting the value shown on a changing physical token.

3) Insecure credential storage

Credentials are stored in clear text
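An added example (not from the original article) of the first two implementation flaws in Python. `fail_open_login` starts from `authenticated = True` and never resets it on the exception path, so a backend outage or an unexpected input type lets the caller in; `fail_closed_login` grants access only on an explicit successful comparison. The two-stage functions show the other flaw: `stage2_flawed` trusts the user name resubmitted at stage 2 and never checks that stage 1 was passed, while `stage2` takes the identity from the server-side session and is reachable only directly after stage 1. The directory, user, PIN and `BackendUnavailable` exception are constructed for the example.

```python
import hashlib
import hmac
import os


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed directory: user name -> (salt, password hash, PIN). Not real data.
_SALT = os.urandom(16)
DIRECTORY = {"alice": (_SALT, _pbkdf2("Tr0ub4dor&3", _SALT), "4821")}


class BackendUnavailable(Exception):
    """Stand-in for a database or directory outage."""


def lookup(directory, username):
    if directory is None:                 # simulate the backend being down
        raise BackendUnavailable("user directory unreachable")
    return directory.get(username)


def password_ok(record, password) -> bool:
    salt, expected, _pin = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def fail_open_login(directory, username, password) -> bool:
    """Flawed: `authenticated` starts True and the exception handler never
    resets it, so any error during verification results in a login."""
    authenticated = True
    try:
        record = lookup(directory, username)
        if record is None or not password_ok(record, password):
            authenticated = False
    except Exception:
        pass                              # error swallowed; still True
    return authenticated


def fail_closed_login(directory, username, password) -> bool:
    """Hardened: access is granted only on an explicit successful comparison;
    a backend error denies access (and should be logged), and any other
    exception propagates rather than being silently treated as success."""
    try:
        record = lookup(directory, username)
    except BackendUnavailable:
        return False
    if record is None:
        return False
    return password_ok(record, password)


def stage1(session: dict, directory, username, password) -> bool:
    """Stage 1 of a two-stage login; on success the session records who passed."""
    if fail_closed_login(directory, username, password):
        session["stage"] = 1
        session["user"] = username
        return True
    session.clear()
    return False


def stage2_flawed(session: dict, directory, username, pin) -> bool:
    """Flawed: trusts the user name sent with the stage-2 request and does not
    require stage 1 to have been completed, so stage 1 can be skipped."""
    record = directory.get(username)
    if record is not None and hmac.compare_digest(record[2], pin):
        session["stage"] = 2
        return True
    return False


def stage2(session: dict, directory, pin) -> bool:
    """Hardened: identity comes only from the server-side session, and stage 2
    is accepted only directly after a successful stage 1."""
    if session.get("stage") != 1:
        return False
    record = directory[session["user"]]
    if hmac.compare_digest(record[2], pin):
        session["stage"] = 2
        return True
    session.clear()                       # a failed stage 2 restarts the process
    return False
```

Note that the per-stage state lives in the server-side session dictionary, not in hidden form fields or cookies; a multi-stage mechanism that carries "stage 1 passed" in data the client can edit has the same defect as `stage2_flawed`.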

The above are problems that may exist in authentication mechanisms; the following describes how to ensure the security of the authentication mechanism.

The following factors need to be considered when designing a security mechanism:

The level of security required by the functionality the application provides

Users' tolerance and acceptance of different types of authentication controls

The cost of supporting a user-unfriendly system

The financial cost of competing solutions relative to the revenue the application may generate or the value of the assets it protects

The measures are:

1) Use strong credentials (strong passwords, unique user names, randomness)

2) Handle credentials securely (use HTTPS to load the login form)

3) Validate credentials correctly

4) Prevent information disclosure

5) Prevent brute-force attacks

6) Prevent misuse of the password change function

7) Prevent misuse of the account recovery function

8) Logging, monitoring and notification
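An added example (not from the original article) covering measures 1, 5 and 8 in Python: `password_acceptable` rejects the weak-password cases listed under design flaw 1, and `LoginGuard` throttles brute-force attempts per account with a temporary lockout, returns the same generic message whether the account is locked or the password is wrong, and records every decision in an audit trail that monitoring can read. `failures_from_ip` goes slightly beyond the text by counting failures per source across all accounts, which catches guessing spread thinly over many user names. The common-password list, the account, the verifier callback and the injectable clock are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed sample of common and default passwords; a real deployment
# would use a much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_acceptable(username: str, password: str, min_len: int = 12):
    """Reject blank, short, user-name-equal, dictionary and default passwords."""
    if not password or len(password) < min_len:
        return False, "too short"
    if password.lower() == username.lower():
        return False, "same as user name"
    if password.lower() in COMMON_PASSWORDS:
        return False, "common or default password"
    return True, "ok"


class LoginGuard:
    """Per-account brute-force throttle with an audit trail.

    After `max_failures` consecutive failures the account is locked for
    `lockout_seconds`; every decision is appended to `events` so that it can
    be monitored and alerted on. `verify(username, password) -> bool` is the
    application's own credential check; `clock` is injectable for testing."""

    GENERIC_FAILURE = "invalid user name or password"

    def __init__(self, verify, max_failures=5, lockout_seconds=900, clock=time.time):
        self.verify = verify
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.events = []

    def _log(self, event: str, username: str, source_ip: str) -> None:
        self.events.append({"t": self.clock(), "event": event,
                            "user": username, "ip": source_ip})

    def attempt(self, username: str, password: str, source_ip: str):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            self._log("rejected_locked", username, source_ip)
            return False, self.GENERIC_FAILURE     # same message as a bad password
        if self.verify(username, password):
            self.failures[username] = 0
            self._log("login_ok", username, source_ip)
            return True, "ok"
        self.failures[username] += 1
        self._log("login_failed", username, source_ip)
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            self._log("account_locked", username, source_ip)  # notify the owner here
        return False, self.GENERIC_FAILURE

    def failures_from_ip(self, source_ip: str, window: float) -> int:
        """Monitoring helper: failed attempts from one source within `window`
        seconds across all accounts (detects guessing that stays under the
        per-account limit by spreading over many user names)."""
        cutoff = self.clock() - window
        return sum(1 for e in self.events
                   if e["ip"] == source_ip and e["event"] == "login_failed"
                   and e["t"] >= cutoff)


if __name__ == "__main__":
    # Constructed verifier: a single account with a fixed password.
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "Tr0ub4dor&3-longer"),
                       max_failures=3, lockout_seconds=60)
    for _ in range(3):
        print(guard.attempt("alice", "guess", "10.0.0.1"))
    print(guard.attempt("alice", "Tr0ub4dor&3-longer", "10.0.0.1"))  # locked
    print([e["event"] for e in guard.events])
```

The lockout is deliberately temporary: a permanent lock after a few failures lets anyone who knows a user name deny that user service, so a time-limited lock combined with notification and source-based monitoring is the usual balance.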
