Thursday, August 11, 2016

Handling User Access (Authentication, Authorization, Accounting, Access Control, Session Management)

Crimson Security Group
We yearn Security.....

Handling User Access


A central security requirement that virtually any application needs to meet is controlling users' access to its data and functionality. A typical situation has several different categories of user, such as anonymous users, ordinary authenticated users, and administrative users. Furthermore, in many situations different users are permitted to access different sets of data.

Authentication

Authentication is a process by which you verify that someone is who they claim they are.

This usually involves asking the user for a user name and a password, but it can include any other method of demonstrating identity, for example a smart card, a PIN, a secret code sent in a letter in the post, a fingerprint scan, and so on. In order to perform authentication, a user must already have an account in a system that the authentication mechanism can interrogate, or an account must be created as part of the very first authentication.

Without this facility, the application would have to treat all users as anonymous.

The majority of today's web applications employ the conventional authentication model, in which the user submits a user name and password, which the application checks for validity.

Authentication mechanisms suffer from a wide range of defects in both design and implementation. Common problems may enable an attacker to identify other users' user names, guess their passwords, or bypass the login function by exploiting defects in its logic. When you are attacking a web application you should pay close attention to the various authentication-related functions it contains. Surprisingly frequently, defects in this functionality enable you to gain unauthorized access to sensitive data and functionality.

Once you have authenticated a user, they may be authorized for different types of access or activity.
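The following is an added example (not code from the original post) of the conventional user-name-and-password check described above, written so that it avoids the two common defects the text names: it stores only salted PBKDF2 hashes, compares digests in constant time, and returns one identical failure message (after doing the same amount of hashing work) whether the user name is unknown or the password is wrong, so the login form cannot be used to confirm which user names exist. The account store, iteration count and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; an assumed value, tune it for the server.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted password hash; a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed in-memory account store (username -> (salt, hash)); a real
# application would keep these records in its database.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Record used when the username is unknown, so the login path performs the same
# hashing work whether or not the account exists (no timing difference to observe).
_DUMMY_RECORD = hash_password("placeholder-not-a-real-password")

FAILURE_MESSAGE = "invalid username or password"


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message).

    The failure message is the same for an unknown username and for a wrong
    password, so the login form does not reveal which usernames exist."""
    salt, stored = USERS.get(username, _DUMMY_RECORD)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the digests, then confirm the account is real
    # (the dummy record must never authenticate anyone).
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return True, "login successful"
    return False, FAILURE_MESSAGE


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))
    print(authenticate("alice", "wrong password"))
    print(authenticate("nobody", "wrong password"))
```

The dummy record matters more than it looks: without it, a request for a non-existent account returns almost instantly while a real account costs a full PBKDF2 derivation, and that difference alone is enough to enumerate user names.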

Authorization

Authorization is the process of establishing whether a user who is already authenticated is permitted to access a resource. Authorization determines what a user is and is not allowed to do.

For example, data associated with a user may indicate if they are a member of a given group such as “Administrators” or “Customers”, or it may indicate if they have paid a subscription for some paid-for content, or it may indicate that they are still within the 90 day period of a free trial.

Authorization also includes an Authorization Management component, which is a system that provides the functionality to create the authorization rules. For example, it may allow an administrator to create a rule to allow another user to edit or publish content to a website. Authorization Management often uses Groups, Roles, Privileges and Permissions to define these rules.
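As an added example (not from the original post), here is an authorization check built from exactly the elements the two paragraphs above describe: group membership (“Administrators”, “Customers”) mapped through roles to permissions, a paid subscription, and a 90-day free trial. The rule tables, user fields and function names are assumptions for the example; the administrator-facing management side that creates the rules is represented simply by the dictionaries.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Constructed authorization rules: groups grant roles, roles grant permissions.
# An administrator would create and edit these through the authorization
# management component; the check below only evaluates them.
GROUP_ROLES = {
    "Administrators": {"admin", "editor"},
    "Customers": {"reader"},
}
ROLE_PERMISSIONS = {
    "admin": {"manage_users", "publish_content", "edit_content", "read_content"},
    "editor": {"publish_content", "edit_content", "read_content"},
    "reader": {"read_content"},
}
# Permissions that are granted by payment status rather than by group.
PREMIUM_PERMISSIONS = {"read_premium_content"}
TRIAL_DAYS = 90


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)
    subscribed: bool = False
    trial_started: Optional[date] = None  # None: no trial was ever started


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions of every role granted by the user's groups."""
    perms: Set[str] = set()
    for group in user.groups:
        for role in GROUP_ROLES.get(group, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def in_free_trial(user: User, today: date) -> bool:
    """True while today is inside the trial window (start inclusive, end exclusive)."""
    if user.trial_started is None:
        return False
    return user.trial_started <= today < user.trial_started + timedelta(days=TRIAL_DAYS)


def is_authorized(user: User, permission: str, today: date) -> bool:
    """Decide whether an already-authenticated user may exercise a permission.

    Paid-for content is granted by subscription or an unexpired trial; every
    other permission must come from the user's groups, so a user with no
    matching rule is denied (default deny)."""
    if permission in PREMIUM_PERMISSIONS:
        return user.subscribed or in_free_trial(user, today)
    return permission in effective_permissions(user)


# Constructed sample data used by the demonstration below.
TODAY = date(2016, 8, 11)
AFTER_TRIAL = date(2016, 9, 1)
ADMIN = User("ann", {"Administrators"})
CUSTOMER = User("carl", {"Customers"}, trial_started=date(2016, 6, 1))  # trial ends 2016-08-30
SUBSCRIBER = User("sue", {"Customers"}, subscribed=True)
ANONYMOUS = User("anon")

if __name__ == "__main__":
    for user in (ADMIN, CUSTOMER, SUBSCRIBER, ANONYMOUS):
        for perm in ("read_content", "publish_content", "read_premium_content"):
            print(f"{user.name:5} {perm:22} {is_authorized(user, perm, TODAY)}")
```

Note that the decision takes the current date as a parameter rather than reading the clock itself; that keeps the trial-expiry rule testable and makes it obvious that authorization can change over time even when the user's account does not.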

Accounting

Accounting measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging session statistics and usage information, and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning.

Session Management

What is a session?

A session can be defined as server-side storage of information that is desired to persist throughout the user's interaction with the web site or web application.

The next logical task in the process of handling user access is to manage the authenticated user's session. After successfully logging in to the application, the user accesses various pages and functions, making a series of HTTP requests from his browser. At the same time, the application receives countless other requests from different users, some of whom are authenticated and some of whom are anonymous. To enforce effective access control, the application needs a way to identify and process the series of requests that originate from each unique user.

Virtually all web applications meet this requirement by creating a session for each user and issuing the user a token that identifies the session. The session itself is a set of data structures held on the server that track the state of the user's interaction with the application. The token is a unique string that the application maps to the session. When a user receives a token, the browser automatically submits it back to the server in each subsequent HTTP request, enabling the application to associate the request with that user. HTTP cookies are the standard method for transmitting session tokens, although many applications use hidden form fields or the URL query string for this purpose. If a user does not make a request for a certain amount of time, the session is ideally expired.

In terms of attack surface, the session management mechanism is highly dependent on the security of its tokens. The majority of attacks against it seek to compromise the tokens issued to other users. If this is possible, an attacker can masquerade as the victim user and use the application just as if he had actually authenticated as that user. The principal areas of vulnerability arise from defects in how tokens are generated, enabling an attacker to guess the tokens issued to other users, and defects in how tokens are subsequently handled, enabling an attacker to capture other users’ tokens.

A small number of applications dispense with the need for session tokens by using other means of reidentifying users across multiple requests. If HTTP's built-in authentication mechanism is used, the browser automatically resubmits the user's credentials with each request, enabling the application to identify the user directly from these. In other cases, the application stores the state information on the client side rather than the server, usually in encrypted form to prevent tampering.
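The following added example (not part of the original post) covers both the Session Management section and the Accounting section above: a server-side session table keyed by an unguessable token, idle-timeout expiry, and per-session accounting counters (session time, request count, bytes sent and received) of the kind that billing and capacity planning draw on. Tokens come from the operating system's CSPRNG via `secrets.token_urlsafe`, which addresses the first vulnerability class the text names (tokens that can be guessed from earlier ones). Class and method names, the 15-minute idle limit and the sample traffic figures are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: expire a session idle for 15 minutes


@dataclass
class Session:
    """Server-side session state plus the accounting counters for that session."""
    user: str
    created: float      # seconds (e.g. time.time()); passed in so the logic is testable
    last_seen: float
    requests: int = 0
    bytes_in: int = 0
    bytes_out: int = 0


class SessionStore:
    """Session table keyed by token. The token is the only thing the client holds;
    everything else stays on the server, so the client cannot tamper with it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 characters).
        # Nothing about one token helps predict another.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def lookup(self, token: str, now: float, bytes_in: int = 0, bytes_out: int = 0) -> Optional[Session]:
        """Resolve a submitted token to its session.

        Expired sessions are removed and treated as unknown; live sessions get
        their idle timer reset and their accounting counters updated."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session.last_seen = now
        session.requests += 1
        session.bytes_in += bytes_in
        session.bytes_out += bytes_out
        return session

    def destroy(self, token: str) -> None:
        """Explicit logout: invalidate the token server-side, not just in the browser."""
        self._sessions.pop(token, None)

    def usage(self, token: str) -> Optional[dict]:
        """Accounting view of a live session: time and data consumed so far."""
        s = self._sessions.get(token)
        if s is None:
            return None
        return {
            "user": s.user,
            "seconds": s.last_seen - s.created,
            "requests": s.requests,
            "bytes_in": s.bytes_in,
            "bytes_out": s.bytes_out,
        }


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", now=1000.0)
    store.lookup(token, now=1001.0, bytes_in=300, bytes_out=4096)
    store.lookup(token, now=1500.0, bytes_in=100, bytes_out=1024)
    print(store.usage(token))
    print(store.lookup(token, now=1500.0 + IDLE_TIMEOUT_SECONDS + 1))  # None: expired
```

Two design points worth noticing: expiry is enforced on lookup, so a stale token is rejected even if a sweeper job has not run yet, and `destroy` exists because a session that the browser has forgotten but the server still honours is exactly the situation a captured token exploits.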



Access Control

Access control is the part of handling user access that makes and enforces correct decisions about whether each individual request should be permitted or denied.

Access control is the process of enforcing the required security for a particular resource. Once we know who a user is, what authorization level they have, and what we should and should not give them access to, we need to actually prevent that user from accessing anything they should not be able to. Access control can be seen as the combination of authentication and authorization plus additional measures, such as clock- or IP-based restrictions.

Note that a lack of adequate access control is more often the cause of security vulnerabilities in applications than faulty authentication or authorization mechanisms, simply because access control is more complex to implement, and it becomes more complex as the application being secured becomes more complex itself.
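As an added example (not from the original post), here is a per-request access control decision that combines the pieces the section describes: the request must be bound to a valid session (authentication), the user's role must allow the operation (authorization), and administrative paths carry the additional clock- and IP-based restrictions the text mentions. Every check denies on its own and the request is permitted only when all pass, which is the default-deny shape that keeps a forgotten check from turning into a bypass. The session table, role table, `/admin` path prefix, the 10.0.0.0/8 network, the office-hours window and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed, minimal state so the block runs on its own. In a real application
# the session table and the rule tables come from the session store and the
# authorization management component.
SESSIONS = {"tok-alice": "alice", "tok-root": "root"}   # valid token -> authenticated user
USER_ROLE = {"alice": "customer", "root": "admin"}
ROLE_ACTIONS = {
    "customer": {"GET /orders"},
    "admin": {"GET /orders", "GET /admin", "POST /admin/users"},
}
# Additional measures beyond authentication + authorization, applied to admin paths:
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]           # only from the internal network ...
ADMIN_HOURS = (time(8, 0), time(18, 0))               # ... and only during office hours


@dataclass
class Request:
    method: str
    path: str
    token: Optional[str]   # session token presented by the client, if any
    client_ip: str


@dataclass
class Decision:
    permit: bool
    reason: str


def access_control(req: Request, now: datetime) -> Decision:
    """Decide one request. Each check can deny independently; permit only when all pass."""
    # 1. Authentication: is the request bound to a valid session?
    user = SESSIONS.get(req.token or "")
    if user is None:
        return Decision(False, "not authenticated")

    # 2. Authorization: does the user's role allow this method on this path?
    action = f"{req.method} {req.path}"
    if action not in ROLE_ACTIONS.get(USER_ROLE.get(user, ""), set()):
        return Decision(False, f"{user} lacks permission for {action}")

    # 3. Additional restrictions for administrative functionality.
    if req.path.startswith("/admin"):
        ip = ip_address(req.client_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            return Decision(False, f"admin access from {req.client_ip} is outside the allowed networks")
        start, end = ADMIN_HOURS
        if not (start <= now.time() < end):
            return Decision(False, "admin access outside permitted hours")

    return Decision(True, f"{user} may {action}")


# Constructed sample timestamps for the demonstration.
OFFICE_TIME = datetime(2016, 8, 11, 10, 30)
NIGHT_TIME = datetime(2016, 8, 11, 23, 0)

if __name__ == "__main__":
    for req, now in [
        (Request("GET", "/orders", "tok-alice", "203.0.113.5"), OFFICE_TIME),
        (Request("GET", "/admin", "tok-alice", "10.1.2.3"), OFFICE_TIME),
        (Request("GET", "/admin", "tok-root", "10.1.2.3"), OFFICE_TIME),
        (Request("GET", "/admin", "tok-root", "203.0.113.5"), OFFICE_TIME),
        (Request("GET", "/admin", "tok-root", "10.1.2.3"), NIGHT_TIME),
    ]:
        print(access_control(req, now))
```

The `Decision.reason` string is for the server's own log, not for the client: the denial reasons distinguish "not authenticated" from "lacks permission", which is useful for detecting probing in the logs but would be an information leak if echoed back in the response.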

