Summary

Authentication plays a critical role in the security of any web site with sensitive or confidential information. Table 4-2 summarizes the authentication methods we have discussed in this chapter.

Web sites have different requirements, and no single method is best for authentication. However, following these basic security design principles will thwart many of the attacks described in this chapter:

  • A strong password policy combined with account lockout or request throttling renders most online password-guessing attacks impractical. Tune lockout so that it cannot itself be abused to deny service to legitimate users.

  • Don't use personally identifiable information (Social Security numbers, dates of birth, and the like) for credentials! It isn't really secret, and storing it exposes your business to liability.

  • Use HTTPS for every authentication transaction, including the page that serves the login form, to protect credentials and session identifiers from eavesdropping and replay.

  • Input validation goes a long way toward preventing attacks on a web site. SQL injection, script injection, and command execution can all be prevented when input is validated and, wherever it reaches an interpreter, parameterized or encoded as well.

Table 4-2: A Summary of the Web Authentication Mechanisms Discussed So Far

| Authentication Method | Security Level | Server Requirements | Client Requirements | Comments |
|---|---|---|---|---|
| Basic | Low | Valid accounts on server | Most popular browsers support | Transmits the password base64-encoded, i.e. effectively in cleartext; unsafe without HTTPS |
| Digest | Medium | Valid accounts with the cleartext password, or the stored HA1 hash (MD5 of username:realm:password), available | Most popular browsers support | Usable across proxy servers and firewalls; the password is not sent in the clear, but a captured challenge/response can be dictionary-attacked offline |
| PassMark/SiteKey | High | Custom software integration | Browser and devices must be registered for two-factor authentication | New in 2005; offers server authentication to mitigate phishing |
| One-time Password | High | Custom software integration | Requires an outboard (hardware) token | Client device and distribution costs |
| Integrated Windows | High | Valid Windows accounts | Most popular browsers support (may need an add-on) | Becoming more popular due to browser support |
| Certificate | High | Server must trust the certificate authority that issued the client certificates | SSL/TLS support, client-side certificate installed | Certificate distribution can be an issue at scale |
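The Basic and Digest rows of Table 4-2 differ in exactly what a passive eavesdropper gets from one captured Authorization header. The following added example (written for this summary, not code from the book) computes both schemes per RFC 2617 and plays the eavesdropper: a Basic header is decoded directly, while a Digest header, which contains every value except the password, is attacked offline against a wordlist. The captured request is the RFC 2617 section 3.5 example; the wordlist and the sample Basic credentials are constructed for the demonstration.

```python
"""Basic vs. Digest authentication: what a passive eavesdropper recovers."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic: the browser only base64-encodes 'user:password'; nothing is hidden."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> Tuple[str, str]:
    """Eavesdropper's view of a captured Basic header: one decode yields the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). Storing HA1 lets the server verify
    Digest responses without keeping the cleartext password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header: str) -> Dict[str, str]:
    """Split a Digest header into its key=value fields.
    Simplification: quoted values are assumed not to contain commas."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    fields: Dict[str, str] = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def server_verify(fields: Dict[str, str], method: str, stored_ha1: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare."""
    expected = digest_response(stored_ha1, method, fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"], fields.get("qop", "auth"))
    return hmac.compare_digest(expected, fields["response"])


def crack_digest(fields: Dict[str, str], method: str, wordlist) -> Optional[str]:
    """Eavesdropper's view of a captured Digest exchange: every value needed to
    recompute the response is in the header, so each wordlist entry can be
    tested offline, with no further requests to the server."""
    for candidate in wordlist:
        ha1 = digest_ha1(fields["username"], fields["realm"], candidate)
        attempt = digest_response(ha1, method, fields["uri"], fields["nonce"],
                                  fields["nc"], fields["cnonce"], fields.get("qop", "auth"))
        if attempt == fields["response"]:
            return candidate
    return None


# Constructed sample capture: the request from the RFC 2617 section 3.5 example.
CAPTURED_METHOD = "GET"
CAPTURED_DIGEST = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
# Constructed wordlist; "Circle Of Life" is the password used in the RFC example.
WORDLIST = ["password", "123456", "letmein", "Circle Of Life", "hakuna matata"]


if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "s3cret")))      # ('alice', 's3cret')
    fields = parse_digest(CAPTURED_DIGEST)
    print(crack_digest(fields, CAPTURED_METHOD, WORDLIST))    # Circle Of Life
```

Digest's advantage over Basic is real but limited: the server can keep HA1 instead of the password, and the password never crosses the wire, yet an attacker who captures a single exchange can test candidates at MD5 speed with no lockout policy to slow them down. That is why the table rates it only Medium and why both schemes still belong behind HTTPS.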

  • Ensure that authorization tokens such as session identifiers are generated by a cryptographically secure random number generator from a space large enough (at least 128 bits of entropy) that they cannot be predicted or guessed.

  • Don't forget to harden identity-management functions such as account registration and credential reset; weaknesses in these can bypass authentication controls altogether.
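The point about session identifiers is easiest to see with a generator that looks random but is not. The following added example (written for this summary, not code from the book or any real product) contrasts a hypothetical weak scheme, MD5 over the server clock and a request counter, with identifiers drawn from the operating system's CSPRNG. An attacker who holds one valid id of their own and knows the server's approximate clock recovers the weak generator's state by brute force and predicts the id issued to the next user; the clock and counter values are constructed for the demonstration.

```python
"""Predictable vs. unpredictable session identifiers."""
import hashlib
import secrets
from typing import Optional, Tuple

MIN_SESSION_ID_BITS = 128  # minimum entropy to require of a session identifier


class WeakSessionIds:
    """Constructed weak generator (hypothetical, not from any real product):
    hashes the current second and a per-process counter. The output looks
    random, but its entire state space is clock x counter, a few hundred
    thousand values, and hashing does nothing to enlarge it."""

    def __init__(self, now: int, counter: int = 0) -> None:
        self.now = now          # server clock, seconds since the epoch
        self.counter = counter  # sessions issued so far

    def next_id(self) -> str:
        self.counter += 1
        return hashlib.md5(f"{self.now}:{self.counter}".encode("ascii")).hexdigest()


def recover_weak_state(observed: str, approx_now: int, window: int = 5,
                       max_counter: int = 50_000) -> Optional[Tuple[int, int]]:
    """Attacker side: from one observed id (the attacker's own session), the
    server's approximate clock (e.g. from the HTTP Date header) and a plausible
    counter bound, brute-force the generator state."""
    for t in range(approx_now - window, approx_now + window + 1):
        prefix = f"{t}:"
        for c in range(1, max_counter + 1):
            if hashlib.md5(f"{prefix}{c}".encode("ascii")).hexdigest() == observed:
                return t, c
    return None


def predict_next_weak(observed: str, approx_now: int) -> Optional[str]:
    """Once the state is known, the next victim's id is simply counter + 1."""
    state = recover_weak_state(observed, approx_now)
    if state is None:
        return None
    t, c = state
    return hashlib.md5(f"{t}:{c + 1}".encode("ascii")).hexdigest()


def new_session_id(n_bytes: int = 16) -> str:
    """Strong generator: bytes from the OS CSPRNG via the secrets module.
    16 bytes give 128 bits of entropy, a space that cannot be enumerated."""
    if n_bytes * 8 < MIN_SESSION_ID_BITS:
        raise ValueError(f"session id must carry at least {MIN_SESSION_ID_BITS} bits")
    return secrets.token_hex(n_bytes)


if __name__ == "__main__":
    server = WeakSessionIds(now=1_700_000_000, counter=4_200)
    mine, victim = server.next_id(), server.next_id()
    print(predict_next_weak(mine, approx_now=1_700_000_002) == victim)  # True
    print(new_session_id())
```

The weak ids are 128 bits long, so length alone proves nothing; what matters is how many distinct values the generator can actually emit and whether an attacker can narrow that set from public information. Hashing low-entropy inputs, as the weak scheme does, only hides the pattern from a casual glance.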


Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006