1
00:00:00,300 --> 00:00:06,900
In this section, we're going to talk about the authentication mechanism flaws and how to beat the authentication

2
00:00:06,900 --> 00:00:07,590
mechanisms.

3
00:00:08,610 --> 00:00:17,580
Authentication is a process of verification that an individual, entity, or website is who it claims to

4
00:00:17,580 --> 00:00:17,910
be.

5
00:00:18,060 --> 00:00:25,080
Authentication in the context of web applications is commonly performed by submitting a username or

6
00:00:25,080 --> 00:00:30,780
ID and one or more items of private information that only a given user should know.

7
00:00:31,470 --> 00:00:34,170
The authentication process can be two-sided.

8
00:00:34,710 --> 00:00:41,070
The user can verify the identity of the server while the server authenticates the identity of the user.

9
00:00:41,700 --> 00:00:48,360
The application should have a strong password policy and should have prevention methods to dispose of

10
00:00:48,360 --> 00:00:49,620
brute force attacks.

11
00:00:50,650 --> 00:00:56,320
The authentication methods are displayed in the slide, since other methods have some disadvantages.

12
00:00:56,800 --> 00:01:03,120
The most commonly used authentication method is form-based authentication. Form-based authentication:

13
00:01:03,120 --> 00:01:08,230
these are flexible, so you can use different authentication factors together.

14
00:01:08,650 --> 00:01:14,170
In addition, they're able to be used with proxies and firewalls, et cetera.

15
00:01:15,040 --> 00:01:20,080
In most cases, username and password values are used to authenticate a user.

16
00:01:20,560 --> 00:01:23,890
In this case, it's vital to have strong passwords.

17
00:01:24,870 --> 00:01:28,650
Therefore, the application should have a strong password policy.
18
00:01:29,070 --> 00:01:36,510
Here is an example of a good password policy. Password must meet at least three out of the four following

19
00:01:36,510 --> 00:01:44,580
complexity rules: at least one uppercase character, at least one lowercase character, at least one digit,

20
00:01:44,580 --> 00:01:50,400
and at least one special character. Password must have at least 10 characters.

21
00:01:51,350 --> 00:01:58,220
And you cannot use more than two identical characters in a row; for instance, "111" is not allowed.

22
00:01:59,380 --> 00:02:02,230
There are three factors in authentication mechanisms.

23
00:02:02,560 --> 00:02:10,420
One, the knowledge factors: something the user knows, a password, partial password, passphrase or PIN,

24
00:02:10,420 --> 00:02:20,020
etc. Two, the ownership factors: something the user has, an ID card, security token, cell phone with built-

25
00:02:20,020 --> 00:02:22,780
in hardware token, software token, etc.

26
00:02:23,230 --> 00:02:23,650
Three.

27
00:02:24,520 --> 00:02:32,500
The inherent factors: something the user is or does, a fingerprint, retinal pattern, DNA sequence, signature,

28
00:02:32,500 --> 00:02:37,300
face, voice, etc. And there are three types of authentication.

29
00:02:37,360 --> 00:02:44,650
One, single-factor authentication. As the weakest level of authentication, only a single component from

30
00:02:44,650 --> 00:02:49,540
one of the three categories of factors is used to authenticate an individual's identity.

31
00:02:50,260 --> 00:02:50,740
Two.

32
00:02:50,770 --> 00:02:53,200
Two-factor authentication: when

33
00:02:53,200 --> 00:02:56,840
elements representing two factors are required for authentication,

34
00:02:56,860 --> 00:02:58,030
the term is applied.

35
00:02:58,240 --> 00:03:03,220
For example, a bank card, something the user has, and a PIN, something the user knows.

36
00:03:03,940 --> 00:03:04:390
Three.
37
00:03:05,260 --> 00:03:11,890
Multi-factor authentication: instead of using two factors, multiple authentication factors are used

38
00:03:11,920 --> 00:03:13,180
to enhance security.

39
00:03:13,900 --> 00:03:21,040
So while trying to bypass authentication mechanisms, first we try to find out valid credentials. For

40
00:03:21,040 --> 00:03:21,640
this purpose,

41
00:03:22,580 --> 00:03:29,420
let's first attempt to log in to the application using valid and invalid username/password pairs.

42
00:03:29,990 --> 00:03:34,370
Analyze the reactions of the application in case of different login attempts.

43
00:03:35,030 --> 00:03:39,050
Examine the error codes and error pages returned after these attempts.

44
00:03:39,590 --> 00:03:44,330
Try to reach restricted pages and see if there are adequate access controls.

45
00:03:44,630 --> 00:03:46,670
Examine the responses of the application.

46
00:03:47,560 --> 00:03:53,470
Don't forget to try the default username and password. We can use the username and password policies

47
00:03:53,470 --> 00:03:55,360
of the company who owns the application,

48
00:03:55,540 --> 00:04:01,690
if we were able to find the policies while gathering information. In some of the applications, there

49
00:04:01,690 --> 00:04:05,770
are password recovery mechanisms such as hidden questions.

50
00:04:06,190 --> 00:04:08,470
You should examine these mechanisms closely.

51
00:04:08,890 --> 00:04:13,990
Is the answer space big enough? For example, to fit the answer for "What's your favorite color?",

52
00:04:14,650 --> 00:04:15,400
is it big enough?

53
00:04:16,720 --> 00:04:24,190
We can talk about two basic types of online password cracking. Brute force attacks work by calculating

54
00:04:24,190 --> 00:04:30,340
every possible combination that could make up a password and testing it to see if the password is correct.
55
00:04:31,000 --> 00:04:37,810
As the password length increases, the amount of time on average to find the correct password increases

56
00:04:37,840 --> 00:04:42,460
exponentially. As you see, the possibility of finding a password

57
00:04:42,470 --> 00:04:50,050
using a brute force attack is theoretically 100 percent, but cracking the password can take many years,

58
00:04:50,290 --> 00:04:52,000
depending on the password complexity.

59
00:04:52,540 --> 00:04:58,810
So to make the possible value set smaller, it's better to use this method if we know something which

60
00:04:58,810 --> 00:05:05,680
will reduce the number of tries, such as the length of the password. Since users tend to use known

61
00:05:05,680 --> 00:05:08,530
words, in a dictionary attack

62
00:05:08,980 --> 00:05:12,700
we use previously prepared dictionaries to find the passwords.

63
00:05:13,450 --> 00:05:20,020
It's a smarter method compared to brute force attacks and reduces the number of tries dramatically.

64
00:05:21,020 --> 00:05:24,800
But in this case, finding the password is not guaranteed.

65
00:05:25,840 --> 00:05:29,440
You can find the password only if it's not complicated enough.

66
00:05:30,130 --> 00:05:36,460
It's possible to prepare sector-specific or company-specific dictionaries to increase the chance.