What happened this Week?

Challenges

• This weeks challenges are going to be harder. But don’t give up!
• All of the challenges from this week forward ARE REALLY VALUABLE

Reports

• Reports are really cool! They tell you,

1. How you found a vulnerability.
2. How bad it is.
3. How to fix it.

• You will be doing this TWICE.

• Keep track of how you are doing things - especially now that challenges are not one step.

Some example reports

• Darkage 6443 report
• Actual Pentest Reports

MAKE THEM FUN

lecture content

What happened in the lecture?

Challenge Topic for this Week

• This week we are looking at AuthN and AuthZ… Anyone know what they are?

Authentication: You are who you say you are.

Authorization: You are only allowed to do, what you should be allowed to do.

• What are some real world examples?

Concert Tickets

Membership Card

UNSW Id

Authentication tells you that you are allowed in.

Authorization tells you where you can go once you are in.

How do we Authenticate in Websites?

…. username and passwords.

What are some common ones?

• admin:admin

• admin:password

• For this course? Probs quocca related things.

• If you are working with a well known library, go look for default credentials!

So when we Authenticate… How do we keep people Authenticated?

Cookies!

• A big ol’ string that stores some information (usually)
• Helps the website remember who you are.
• Ever wondered how it knows who you are every time? Probably was a cookie.

If Bad: Bad.

Cookies store session information. So if they are HACKED then its bad.

Types of Cookies:

• Session tokens (e.g. Flask/Express)
• Database sessions
• JWT (JSON Web Token)

How-to-hack: Cookies

• Modifying them (more on that soon)
• Stealing Cookies.. done though,
  • Cross-site scripting (XSS) [week7/8]
  • MITM attacks
  • Cross-site request forgery (CSRF) [week7/8]
• Forging cookies (called “baking”)

Securing Cookies (Options)

• HTTP-only (prevents XSS)
• secure (prevents MITM)
• same origin (prevents CSRF)
• expiry