CENTER STAGE 1
OWASP TOP 10
6
Vulnerable and Outdated Components
What are Vulnerable and Outdated Components?
This category refers to the use of open-source or proprietary code that contains known software vulnerabilities or is no longer maintained. Such code usually takes the form of libraries or frameworks; for web applications, this can include Laravel (PHP), Angular (JavaScript), Django (Python), and many others.
The risk of using vulnerable and outdated components is that
attackers can exploit them to gain unauthorized access to a web
application or its data. This can lead to a variety of security problems,
such as data breaches, financial losses, and reputational damage.
Some common issues with Vulnerable and Outdated Components include:
• Lack of Awareness - Many organizations may not be aware of the latest security vulnerabilities or may not have a process to identify and mitigate risks.
• Lack of Resources - Some organizations may not have the staff or the budget to keep their components up to date, or they may not have the tools to identify and mitigate risks.
• Lack of Documentation - Some organizations may not have good documentation of their software dependencies. This makes it difficult to identify and track vulnerable and outdated components.
• Lack of Security Culture - Some organizations may not have a strong security culture. This can lead to complacency and a lack of attention to security risks.
How Can You Protect Against Vulnerable and Outdated
Components?
The key to protecting against vulnerable and outdated
components is to be proactive and have a process to identify
and mitigate risks.
This means being aware of the latest security vulnerabilities,
using tools to identify vulnerable and outdated components,
and patching vulnerabilities promptly. It also means having a
process to manage security risks, such as a secure
development lifecycle and security training for staff.
How to mitigate the risk of vulnerable and outdated components:
• Regular software updates: Maintain all software components with the latest patches and updates to address known vulnerabilities.
• Dependency management: Actively manage and monitor third-party libraries used in your applications, ensuring they are updated and not flagged as vulnerable.
• Vulnerability scanning: Utilize security tools to scan your system for potential vulnerabilities and identify outdated components.
• Proper vetting: Carefully review third-party components before integrating them into your application to ensure their security and support status.
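As an added example (not from the original page), the following Python script does the dependency check the list above describes: it parses a constructed requirements.txt, compares each pinned version against a constructed advisory list (hypothetical ADV-EXAMPLE identifiers, not real CVEs), and reports the components that fall inside a vulnerable version range. Real scanners do the same against live advisory databases.

```python
import re

# Constructed sample requirements.txt (not from the page).
REQUIREMENTS = """\
django==3.2.1
requests==2.25.0
pillow==9.1.1      # already at the fixed version
cryptography==41.0.3
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A pin is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "django", "introduced": "3.2", "fixed": "3.2.4"},
    {"id": "ADV-EXAMPLE-002", "package": "requests", "introduced": "2.0", "fixed": "2.31.0"},
    {"id": "ADV-EXAMPLE-003", "package": "pillow", "introduced": "0", "fixed": "9.1.1"},
]

PIN_RE = re.compile(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tuples compare element-wise, so (3, 2) < (3, 2, 1) < (3, 2, 4)."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Return {package (lowercase): pinned version} for every '==' pin in the file."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments; blank lines never match
        match = PIN_RE.fullmatch(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins

def find_vulnerable(pins, advisories):
    """Return [(package, pinned, advisory_id, fixed_in)] for pins inside a vulnerable range."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue   # component not used by this project
        version = parse_version(pinned)
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            findings.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}; upgrade to {fixed} or later")
```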
What is Third-Party Software?
Third-party software is software developed by a company other than the original vendor of a platform or application. It provides additional features or functionality to that platform, letting users expand its capabilities without building everything from scratch, often by integrating pre-built components through APIs to enhance the overall user experience. Essentially, it acts as an add-on or extension to the primary software, offering specialized features that are not natively available.
Examples of third-party software:
• Web browsers: Google Chrome, Mozilla Firefox, and Microsoft Edge
• Office suites: Microsoft Office and Google Docs
• Graphics software: Adobe Photoshop and GIMP
• Audio and video editors: Audacity, Ocenaudio, and iMovie
• Development tools: Eclipse and Android Studio
• Security software: McAfee and Norton
• PDF readers: Adobe Reader and Foxit Reader
• Multimedia programs: VLC Media Player and iTunes
• Antivirus programs: Kaspersky and Norton
• Communications apps: Skype
OWASP TOP 10
7
Identification and Authentication Failures
Identification and authentication
failures occur when applications don't
properly secure user verification and
identification processes. This can leave
applications vulnerable to attacks like
credential stuffing, session hijacking, and
brute-force attacks.
Examples of identification and authentication failures:
Credential Stuffing
This is an attack that leverages a stolen or leaked database of credentials
and automatically attempts to login with them and gain access to a
system or resource. This attack is effective because many users reuse the
same credential combinations across multiple sites.
How do attackers obtain these passwords? As one example, Ubiquiti, a large IoT vendor, was breached in 2022 through a third-party cloud provider. The attacker accessed the Ubiquiti database and stole personal information and credentials, such as passwords. Stolen passwords like these can then be used in credential stuffing attacks.
What happened?
• The hacker had root access to all of Ubiquiti's AWS (Amazon Web Services) accounts.
• The hacker used a backdoor in Ubiquiti's infrastructure to exfiltrate data.
• The hacker published misleading news articles about the breach.
• Ubiquiti's share price dropped significantly.
What did Ubiquiti do?
• Ubiquiti investigated the breach and removed the backdoor.
• Ubiquiti notified users to change their passwords and enable two-factor authentication.
What did the government do?
• The United States Attorney for the Southern District of New York charged the former employee.
What did Ubiquiti do in response to media reporting?
• Ubiquiti sued Brian Krebs for defamation over his reporting on the breach.
• The dispute was resolved outside of court in September 2022.
Brute Force Attacks
As their name suggests, brute force attacks automatically attempt every possible combination for a password. This type of attack uses massive amounts of processing power to methodically guess the password in use. Brute force attacks are efficient against passwords that are short, simple, or made of dictionary words.
These attacks are simple because many people still use weak passwords, such as "password123" or "1234", or practice poor password hygiene, such as using the same password on multiple websites. Passwords can also be guessed by attackers who do minimal reconnaissance on an individual, such as learning the name of their favorite sports team.
For example, imagine you have a small padlock with 4 digits, each from 0-9. You forgot your combination, but you don't want to buy another padlock. Since you can't remember any of the digits, you have to use a brute force method to open the lock.
So you set all the numbers back to 0 and try them one by one: 0001, 0002, 0003, and so on until it opens. In the worst case, it would take 10^4, or 10,000, tries to find your combination.
Session Identifier Exposed in the URL
When a user opens a web browser, the browser (front end) sends a request to the web server, which creates a unique identifier called a Session ID. This Session ID identifies the communication between that specific user and the application (web server). Cookies are normally used to store session IDs.
However, when the session ID is included in the URL, an attacker can sniff the network, access browsing history, or read network logs and obtain a user's session ID. The attacker can then use it to impersonate a valid user and attack the network.
Here are some examples of session identifiers exposed in the URL:
• /buyProduct?productID=4587&discountCode=AZ9KL&sessionID=890AME87623LK78OP
• /adminPage;jsessionid=RmpaJPhP0fl1KOer21CjKJolMs4DF5
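As an added detection example (not from the original page), this Python script scans constructed web-server access-log lines for the two URL patterns shown above, a session token in the query string and a ;jsessionid= path parameter, and reports each finding with the token masked so the report does not leak it again. The parameter-name list is an assumption; extend it with whatever your framework uses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry a session token (matched case-insensitively).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sessid", "sid",
                       "jsessionid", "phpsessid", "aspsessionid"}
# Path parameters look like "/adminPage;jsessionid=VALUE"; urlsplit leaves them in the path.
PATH_PARAM_RE = re.compile(r";([A-Za-z_]+)=([^;/?#]*)")
# Request line inside a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def session_ids_in_url(url):
    """Return [(param_name, value, 'path' | 'query')] for session tokens found in the URL."""
    parts = urlsplit(url)
    found = []
    for name, value in PATH_PARAM_RE.findall(parts.path):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value, "path"))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value, "query"))
    return found

def scan_access_log(lines):
    """Flag entries whose URL carries a session identifier. The token is masked in the
    finding so the report itself does not become another copy of a live session ID."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        for name, value, where in session_ids_in_url(url):
            hits.append({"url": url, "param": name, "location": where,
                         "masked": value[:4] + "..." + value[-2:]})
    return hits

# Constructed access-log lines; the first two URLs are the page's own examples.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /buyProduct?productID=4587&discountCode=AZ9KL&sessionID=890AME87623LK78OP HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /adminPage;jsessionid=RmpaJPhP0fl1KOer21CjKJolMs4DF5 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=padlock HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(f"{hit['location']} parameter {hit['param']}={hit['masked']} in {hit['url']}")
```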
How Can Identification and Authentication Failures
be Prevented?
There are multiple methods that IT and security teams can use for
preventing identification and authentication failures. Mainly:
Requiring Strong Passwords
Strong passwords include numbers and symbols as well as letters (mixed uppercase and lowercase), and must be at least 8 characters long (we recommend 10!). A good password policy also includes password rotation (every 90 days) and prevents the reuse of previous passwords.
Securing Password Data Stores
Passwords must not be stored in plain text: if an attacker gains access to the database, they can compromise every user account. Instead, passwords should be processed with a cryptographic hash algorithm before being stored in the database; that hash cannot be reversed. A good hash algorithm to use is bcrypt.
Nowadays, attackers have built rainbow tables, which are lengthy precomputed databases of passwords and their corresponding hashes. If they steal a database of users and hashes, they can look the hashes up in these rainbow tables and recover the real passwords.
To protect against rainbow table attacks, you can salt your password hashes. This means adding an element of randomness to the hashing process so that the input password alone does not determine the generated hash. This salt should be stored separately from the user and password data.
Personal Password Vaults
It is recommended to avoid having users use passwords altogether. By using a personal password vault instead of a central password database, organizations can ensure attackers do not have a single resource to attack when trying to compromise passwords. In addition, this provides a passwordless user experience, making password attacks irrelevant.
Securing the Logout/Login Function
The logout function is just as important as the login. Your session logout function should:
• Clear the session cookie in the browser.
• Invalidate the session identifier if it is stored on the server.
This is basic protection against attackers who capture or intercept a session cookie and want to re-establish a session using it. It is also important to change the session ID when a user logs in to the application and to invalidate the previous session ID. This prevents session fixation attacks.
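An added example (not from the page) of the two rules above in a small in-memory session store: login issues a brand-new session ID and discards the one the browser presented, so a fixated ID never becomes authenticated, and logout both deletes the server-side record and returns the Set-Cookie header that clears the browser copy. The class, cookie name and TTL are assumptions for illustration.

```python
import secrets
import time

# Set-Cookie value that makes the browser discard its copy of the session cookie.
CLEAR_COOKIE = "sessionid=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax"

class SessionStore:
    """In-memory table session_id -> {'user', 'expires'}. Assumed design (not from the page):
    login issues a fresh ID and drops the one presented; logout deletes the server record."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be tested

    def create_anonymous(self):
        """Pre-login session (e.g. a shopping cart)."""
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = {"user": None, "expires": self._clock() + self._ttl}
        return sid

    def login(self, presented_sid, user):
        """Rotate the session ID on authentication. If an attacker planted presented_sid
        in the victim's browser (session fixation), that ID is now worthless."""
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": self._clock() + self._ttl}
        return sid

    def logout(self, sid):
        """Invalidate server-side and return the header that clears the browser cookie."""
        self._sessions.pop(sid, None)
        return CLEAR_COOKIE

    def user_for(self, sid):
        """Resolve a presented ID; unknown, logged-out or expired IDs yield None."""
        record = self._sessions.get(sid)
        if record is None or record["expires"] <= self._clock():
            self._sessions.pop(sid, None)
            return None
        return record["user"]

if __name__ == "__main__":
    store = SessionStore()
    pre = store.create_anonymous()
    post = store.login(pre, "alice")
    print(pre != post, store.user_for(pre), store.user_for(post))   # True None alice
    print(store.logout(post), store.user_for(post))                 # <clear header> None
```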
Securing Password Resets
Password reset or forgot-password processes must be secure. It is recommended to:
1. Send the user an email with a password-reset link containing a validation token.
2. When the user opens the email and clicks the link, validate the incoming token and allow the user to choose a new password for their account.
3. Password-reset links must be short-lived (about 15 or 30 minutes) and must expire after the user uses them.
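An added example (not from the page) implementing the three steps above: a reset service that issues a random token in a link, validates it on return, and enforces both the 15-minute lifetime and single use. It goes one step beyond the text by storing only a hash of each token server-side, so a copied token table cannot be turned into working links. The class, link format and host are assumptions.

```python
import hashlib
import secrets
import time

class PasswordResetService:
    """Assumed design (not from the page): reset tokens are random, single-use and expire
    after ttl_seconds (15 minutes by default). Only a SHA-256 fingerprint of each token is
    kept server-side, so a leaked table does not hand out usable reset links."""

    def __init__(self, ttl_seconds=15 * 60, clock=time.time,
                 base_url="https://example.invalid/reset"):   # placeholder host
        self._pending = {}          # fingerprint -> {"user": str, "expires": float}
        self._ttl = ttl_seconds
        self._clock = clock         # injectable so expiry can be tested
        self._base_url = base_url

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user):
        """Create a token for the user and return the link to put in the reset email."""
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = {"user": user, "expires": self._clock() + self._ttl}
        return f"{self._base_url}?token={token}"

    def redeem(self, token):
        """Validate an incoming token. Returns the owning user, or None when the token is
        unknown, already used or expired. The record is removed on first lookup, so the
        same link can never be replayed, even if the first attempt arrived too late."""
        record = self._pending.pop(self._fingerprint(token), None)
        if record is None or record["expires"] <= self._clock():
            return None
        return record["user"]

def token_from_link(link):
    """Extract the token query value from a link produced by issue()."""
    return link.rsplit("token=", 1)[1]

if __name__ == "__main__":
    svc = PasswordResetService()
    token = token_from_link(svc.issue("alice"))
    print(svc.redeem(token))   # alice
    print(svc.redeem(token))   # None: the link was single-use
```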
Multi-Factor Authentication
Why use only one method to authenticate users when a system can use more than one authentication method or factor? This is called multi-factor authentication (MFA), and it is by far the best defense against the majority of password-related attacks. The most popular form of MFA is the one-time passcode (OTP, an authentication standard where a constantly changing code is provided by the user) sent by SMS or email, mostly because a large portion of the world's population has access to a mobile phone or an email service. Much stronger forms of MFA include biometrics and certificates.
MFA can be strengthened by reviewing the IP address of the authentication request. That IP can be suspicious:
• If the IP is different from the one previously used.
• If the IP corresponds to another country or location.
• If the IP is included in known block lists.
If MFA cannot be implemented, alternative defenses like PINs (personal identification numbers) and security questions can provide additional security to the system.
Preventing User Enumeration
If an attacker can't enumerate users, it is more difficult to compromise the authentication system. Here are some recommendations:
• Show generic error messages to prevent the attacker from inferring whether a username exists. For example: "invalid user or password", rather than just "invalid password".
• In the password-reset function, don't show a message revealing that a username exists. For example, when a user requests a password-reset link, the system can simply show the message "Check your inbox."
CAPTCHA
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a method to prevent automated attacks. It is based on a challenge-response model as a way to differentiate human beings from automated scripts. CAPTCHAs work by presenting a test that is easy for humans to pass but difficult for computers. The best known implementation is Google reCAPTCHA.
Multi-Step Login Processes
This is an interesting way to foil an automated attack. Most applications use a single-step login form containing the credentials (username and password). The request is sent to the web server and the response indicates whether the login was successful. If the process is executed in two (or more) steps using a CSRF (Cross-Site Request Forgery) token, first requiring the username and then the password sequentially, it becomes more difficult to perform an automated attack.