I was trying a bug bounty challenge and I was given a vulnerable URL which needs a password to access it.
- Case 1: When I try to do SQL injection in Username and Password, I get a page: access denied “Username not found”
- Case 2: If I keep entering random normal usernames and passwords, I get the “Enter username and Password” dialog box, and after so many trials I get the page which says: WWW-Authentication needed!
How are the two scenarios different?
Is Case 1 different from Case 2 in terms of vulnerabilities?
All the Multi Factor Authentication (MFA) mechanisms I have seen were installed on the same “authentication node”. What I mean by that is that a single service (say, an authentication web page, or a VPN access) was doing all the MFA checks in one place (to take the same examples: the web page is going through a login-password-OTP cycle, the VPN is checking the login, password and a certificate).
Ultimately the goal of the MFA system is to ensure that, to access a given service, more than one authentication mechanism is required.
Are there fundamental reasons for these checks not to be split between authentication nodes?
Take for instance an email system which is guaranteed to be reachable only from a given network. In order to access this network, a device must present an individual, user-issued certificate (to a NAC for instance). Or another similar combination of 2+ factors, on different systems tightly bound together.
Is it acceptable in that case to say the “email access is protected by a MFA”?
If this is not the case, is it a problem:
- with the naming (“because the books/standards say that MFA is all on one system”) → that would be annoying and possibly a formal issue, but not a security risk
- of technical nature (as in “this is not secure because …”) → that would be the real showstopper
What I want to do: Lock down the Tech Vlan so that only an approved device AND a user in the tech security group are allocated. I am hoping to achieve this via EAP-TTLS and Windows NPS whereby the machine provides the tunnel then the user authenticates using their normal AD credentials? I don’t want the TECH vlan to be accessible by a non company device.
What do you recommend that I do?
Edit: I feel like I described this poorly. The Tech vlan is just the VLAN I am testing. I want all devices to authenticate via machine auth by default so they can access basic resources such as AD / SCEP etc. But then when the user signs into the device the machine is allocated to the right security vlan. The problem is that I don’t want those same credentials to allow BYOD devices. I hope this makes more sense.
I have implemented a backend as a REST API. To maintain the statelessness in REST, I intend to use JWT to verify whether a user has logged in or not. (A user is logged in if a valid token is present in headers. Not logged in if a token is not present.)
But even when expiration times are set, an attacker can access the REST API by simply copying the JWT from the web browser. What are the methods available to stop this without killing the statelessness?
I was inspecting LDAP packets with Wireshark today.
When I authenticate with simple bind, I can see the password in plain text and subsequent LDAP requests and responses.
Then I was authenticating with SASL/DIGEST-MD5. I can see the authentication attempts in clear text, except for the hashed credentials. But all subsequent LDAP requests and responses are scrambled. My understanding was that only the authentication is using DIGEST-MD5 and subsequent LDAP packets are unencrypted. When inspecting packet 18, I can see “Lightweight Directory Access Protocol” and underneath it a “SASL Buffer”. So it seems like the LDAP response is indeed encrypted.
Could you shed some light on it, please? And if it’s encrypted, what type of encryption is used?
I want to design an API which an organization is going to use to connect with my server. For a client-server application, a simple JWT-based authentication is done by verifying user credentials and generating a token for them.
My question is what should be the process for authenticating another system? How is that organization supposed to receive the credential required to get the authentication token? Like, should I define some static values and tell that organization to use them for authentication? What is the best practice?
Thanks in advance.
I was trying to access my account on an e-commerce website but I couldn’t get my password right. So, the website offered me the option to authenticate using my security code from Google Authenticator alone (my 2-factor authentication method). I was wondering if this is a possible misuse of this concept of multi-factor authentication.
I am working on an admin user panel. While logging in, I have to check if the admin is present in my GraphQL API’s data or not. If yes, he/she will be given access to the admin panel. I need to implement this authentication using Apollo.
Now, my question is, do I necessarily need to use Redux here? Or is it possible otherwise if I use useState hooks to store stuff?
A bit new to this so just looking for design guidelines.
When multiple rounds of hashing are performed, why is it that John the Ripper cannot crack hashed passwords? (multiple rounds of hashes basically). On the other hand, the system can, however, authenticate a user even when passwords are stored using multiple hashing. How does it do that? Is it that John the Ripper can only crack 1 level of the hashed password, and the system just matches the hash to the database or something?
I’m working on the authentication scheme for a multiplayer game using only C++ and SDL2.
It’s an RPG with a kind of complicated character-group/permadeath scheme, and world instances are intended to be hosted by the players. So it matters that players have exclusive access to controlling their characters. I want players to be allowed to save the current state of a multiplayer world instance, close it, and come back to it later, or set up their own dedicated world instance for them and their friends to join/quit/rejoin at will. Absent player characters will simply not be present in the world until their creator returns.
Servers will be hosted by player computers. I’m not planning to set this up with a dedicated hole-punching or identity server, so players will just be playing with people who they intentionally connect to. I don’t want to deal with encryption, so I’m not planning to require passwords to log in. I figure since there’s no formal identity server and no encryption, passwords might do more harm than good. Player character names will change over the course of the game, and I don’t necessarily mind if two players have the same username.
Here’s my current authentication strategy:
When a player creates an account on his game instance, the account will just consist of a username and an automatically generated (random) UUID. The username and UUID will be stored in a SQLite file that the user can copy onto any computer with this game installed, and access their unique account. The username and a naively hashed UUID will be stored in a connection log on every server that the player connects to (so the server can assign them to the right character when they log back in). I recognize this means that programmers who know what they’re doing will be able to hack each other’s accounts, but I’m not convinced that I should really be concerned about that in the case of this particular game.
Here are my questions:
- Is copying the file too much to expect from users who want to switch computers?
- Can you guys think of any potential issues with this, other than what I’ve already pointed out?
- Is there a better (common) way to achieve what I’m trying to do?