WEB-VULN-01 & WEB-AUTH-01

Vulnerable Components & Authentication

CMU540: Cyber Security - Session 7

Birmingham Newman University

Lecturer: James Williams

Understanding third-party vulnerabilities and authentication failures

3-hour session • 30 slides • 2 interactive tasks

Session Timeline:

10 min: Registration & waiting
20 min: Opening slides
45 min: Task 1
15 min: Break/Catch up
20 min: Secondary slides
45 min: Task 2
Remaining: Self-study

Learning Objectives

Understand OWASP A06: Vulnerable Components & A07: Authentication Failures
Identify third-party component vulnerabilities
Learn secure authentication practices
Practice vulnerability discovery using OS³ Studio
Implement secure component management and authentication
Explore career opportunities in security engineering

OWASP A06: Vulnerable Components & A07: Authentication Failures

A06: Using components with known vulnerabilities exposes applications to attacks

A07: Authentication failures allow attackers to compromise user accounts

Key Areas:

Third-party library vulnerabilities
Weak authentication mechanisms
Session management flaws
Credential stuffing attacks

Real-World Impact

Notable Breaches:

Equifax (2017): Apache Struts vulnerability exposed 147M records
Target (2013): Weak authentication led to 40M credit cards stolen
LinkedIn (2012): Weak password hashing exposed 6.5M passwords

Impact: Data breaches, financial loss, reputation damage

Common Vulnerable Components

1. Web Frameworks

<!-- VULNERABLE: Outdated framework -->

<dependency>

  <groupId>org.apache.struts</groupId>

  <artifactId>struts2-core</artifactId>

  <version>2.3.16</version>  <!-- Known vulnerabilities -->

</dependency>

<!-- SECURE: Updated framework -->

<dependency>

  <groupId>org.apache.struts</groupId>

  <artifactId>struts2-core</artifactId>

  <version>2.5.30</version>  <!-- Latest secure version -->

</dependency>

2. JavaScript Libraries

<!-- VULNERABLE: jQuery 1.6.2 -->

<script src="https://code.jquery.com/jquery-1.6.2.min.js"></script>

<!-- SECURE: jQuery 3.6.0 -->

<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>

Component Vulnerability Scanning

1. Automated Scanning Tools

<!-- Security scanning tools -->

npm audit                    # Node.js dependencies

composer audit              # PHP dependencies

pip-audit                   # Python dependencies

mvn org.owasp:dependency-check-maven:check  # Java Maven

<!-- Commercial tools -->

Snyk, WhiteSource, Sonatype Nexus

2. Vulnerability Databases

CVE: Common Vulnerabilities and Exposures
NVD: National Vulnerability Database
OWASP Dependency Check: Open source scanner

Common Authentication Failures

1. Weak Password Policies

<!-- VULNERABLE: Weak password policy -->

function validatePassword(password) {

  return password.length >= 6;  // Too weak
}

<!-- SECURE: Strong password policy -->

function validatePassword(password) {

  if (password.length < 12) return false;

  if (!/[A-Z]/.test(password)) return false;

  if (!/[a-z]/.test(password)) return false;

  if (!/[0-9]/.test(password)) return false;

  if (!/[^A-Za-z0-9]/.test(password)) return false;

  return true;
}

2. Brute Force Vulnerabilities

<!-- VULNERABLE: No rate limiting -->

POST /login

Content-Type: application/json

{"username": "admin", "password": "password123"}

<!-- SECURE: Rate limiting implemented -->

if (failedAttempts > 5) {

  accountLocked = true;

  lockoutDuration = 30 * 60 * 1000; // 30 minutes
}

Session Management Flaws

1. Predictable Session IDs

<!-- VULNERABLE: Predictable session ID -->

session_id = username + timestamp;  // Predictable

<!-- SECURE: Random session ID -->

session_id = crypto.randomBytes(32).toString('hex');

<!-- SECURE: Session configuration -->

session.cookie_httponly = 1

session.cookie_secure = 1

session.cookie_samesite = "Strict"

2. Session Fixation

<!-- VULNERABLE: Session fixation -->

// Attacker sets session ID

// User logs in with attacker's session ID

// Attacker gains access

<!-- SECURE: Regenerate session on login -->

session_regenerate_id(true);  // PHP

request.session.regenerate()  // Django

Credential Stuffing Attacks

Attack Scenario:

<!-- Attack process -->

1. Obtain username/password lists from breaches

2. Use automated tools to test credentials

3. Exploit successful logins

<!-- VULNERABLE: No protection -->

POST /login

{"username": "user@example.com", "password": "password123"}

<!-- SECURE: Multi-factor authentication -->

POST /login

{"username": "user@example.com", "password": "password123", "totp": "123456"}

Impact: Account takeover, data theft, financial fraud

Multi-Factor Authentication (MFA)

1. TOTP Implementation

<!-- SECURE: TOTP implementation -->

const speakeasy = require('speakeasy');

// Generate secret

const secret = speakeasy.generateSecret({

  name: 'MyApp',

  issuer: 'MyCompany'
});

// Verify token

const verified = speakeasy.totp.verify({

  secret: user.secret,

  encoding: 'base32',

  token: userInput,

  window: 2
});

2. SMS and Email MFA

<!-- SECURE: SMS MFA -->

const code = Math.floor(100000 + Math.random() * 900000);

await sendSMS(user.phone, `Your code: ${code}`);

session.mfaCode = code;

session.mfaExpiry = Date.now() + 300000; // 5 minutes

Career Opportunities in Security Engineering

Security Engineering Roles:

Security Engineer: £40,000 - £80,000
Application Security Engineer: £45,000 - £90,000
DevSecOps Engineer: £45,000 - £90,000
Security Architect: £60,000 - £120,000
Penetration Tester: £35,000 - £70,000

Skills Needed: Security engineering, Risk assessment, Compliance, System design

Industry Certifications

Security Engineering Certifications:

CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager
CISA: Certified Information Systems Auditor
OSCP: Offensive Security Certified Professional
CEH: Certified Ethical Hacker

Resources: ISC² | Offensive Security

OS³ Newman Cyber Security Lab

WEB-VULN-01 & WEB-AUTH-01 Lab Environment

Our OS³ Studio provides hands-on experience with:

Vulnerable applications with outdated components
Weak authentication mechanisms
Secure implementation challenges
Component management best practices

Access: Available through university portal

Web Demos and Tools

Security Testing Tools:

Snyk - Vulnerability scanning
OWASP Dependency Check - Open source scanner
Burp Suite - Web application security testing
OWASP ZAP - Open source web app scanner
Have I Been Pwned - Breach database

Case Study: Equifax Breach

2017 Equifax Data Breach

Impact: 147 million records exposed
Cause: Unpatched Apache Struts vulnerability (CVE-2017-5638)
Method: Remote code execution via file upload
Cost: $1.4 billion in settlements

Lesson: Unpatched components can lead to catastrophic breaches

Summary: Common Vulnerabilities

                    Key Vulnerabilities to Look For:
                    Outdated third-party components
Weak password policies
Missing rate limiting
Predictable session IDs
Session fixation vulnerabilities
Missing multi-factor authentication
Insecure credential storage

                

Task 1: Component & Authentication Vulnerability Discovery

Objective:

Use OS³ Studio to identify vulnerable components and authentication failures in the lab environment.

Instructions:

Access the OS³ Studio vulnerable application
Scan for outdated components and libraries
Test for weak authentication mechanisms
Attempt brute force attacks
Test for session management flaws
Look for credential stuffing opportunities
Document all findings with proof of concept
Prepare a vulnerability assessment report

Time: 45 minutes

Focus on systematic testing and thorough documentation

Break Time

15 Minutes

Take a break, ask questions, or catch up on the previous task.

Next: Secure implementation and Task 2

Secure Component Management

1. Dependency Management

<!-- SECURE: Automated dependency updates -->

# package.json

"scripts": {

  "audit": "npm audit",

  "audit:fix": "npm audit fix",

  "update": "npm update"
}

# CI/CD pipeline

- name: Security Audit

  run: npm audit --audit-level=moderate

- name: Update Dependencies

  run: npm update

2. Vulnerability Monitoring

<!-- SECURE: Automated vulnerability scanning -->

# GitHub Actions

- name: Run Snyk to check for vulnerabilities

  uses: snyk/actions/node@master

  env:

    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  with:

    args: --severity-threshold=high

Secure Authentication Implementation

1. Password Hashing

<!-- SECURE: Password hashing -->

const bcrypt = require('bcrypt');

const saltRounds = 12;

async function hashPassword(password) {

  return await bcrypt.hash(password, saltRounds);
}

async function verifyPassword(password, hash) {

  return await bcrypt.compare(password, hash);
}

2. Rate Limiting

<!-- SECURE: Rate limiting -->

const rateLimit = require('express-rate-limit');

const loginLimiter = rateLimit({

  windowMs: 15 * 60 * 1000, // 15 minutes

  max: 5, // 5 attempts per window

  message: 'Too many login attempts, try again later',

  standardHeaders: true,

  legacyHeaders: false
});

app.use('/login', loginLimiter);

Session Security

1. Secure Session Configuration

<!-- SECURE: Session configuration -->

app.use(session({

  secret: process.env.SESSION_SECRET,

  resave: false,

  saveUninitialized: false,

  cookie: {

    secure: true,

    httpOnly: true,

    maxAge: 30 * 60 * 1000, // 30 minutes

    sameSite: 'strict'

  }
}));

2. Session Regeneration

<!-- SECURE: Session regeneration on login -->

app.post('/login', async (req, res) => {

  const { username, password } = req.body;

  const user = await authenticateUser(username, password);

  if (user) {

    req.session.regenerate(() => {

      req.session.userId = user.id;

      res.redirect('/dashboard');

    });

  }
});

Multi-Factor Authentication Implementation

1. TOTP Setup

<!-- SECURE: TOTP setup -->

const speakeasy = require('speakeasy');

app.post('/setup-mfa', async (req, res) => {

  const secret = speakeasy.generateSecret({

    name: 'MyApp',

    issuer: 'MyCompany',

    length: 32

  });

  await saveUserSecret(req.user.id, secret.base32);

  res.json({ qr: secret.otpauth_url });
});

2. MFA Verification

<!-- SECURE: MFA verification -->

app.post('/verify-mfa', async (req, res) => {

  const { token } = req.body;

  const userSecret = await getUserSecret(req.user.id);

  const verified = speakeasy.totp.verify({

    secret: userSecret,

    encoding: 'base32',

    token: token,

    window: 2

  });

  if (verified) {

    req.session.mfaVerified = true;

    res.redirect('/dashboard');

  }
});

Account Security Measures

1. Account Lockout

<!-- SECURE: Account lockout -->

async function handleFailedLogin(userId) {

  const attempts = await getFailedAttempts(userId);

  if (attempts >= 5) {

    await lockAccount(userId, 30 * 60 * 1000); // 30 minutes

    await sendSecurityAlert(userId);

  } else {

    await incrementFailedAttempts(userId);

  }
}

2. Password Reset Security

<!-- SECURE: Password reset -->

async function requestPasswordReset(email) {

  const user = await findUserByEmail(email);

  if (user) {

    const token = crypto.randomBytes(32).toString('hex');

    await saveResetToken(user.id, token, 15 * 60 * 1000); // 15 minutes

    await sendPasswordResetEmail(email, token);

  }
}

Monitoring and Alerting

1. Security Event Monitoring

<!-- SECURE: Security monitoring -->

function logSecurityEvent(event, details) {

  const logEntry = {

    timestamp: new Date().toISOString(),

    event: event,

    userId: details.userId,

    ip: details.ip,

    userAgent: details.userAgent,

    details: details

  };

  securityLogger.warn(logEntry);
}

2. Anomaly Detection

Monitor failed login attempts
Track unusual access patterns
Alert on privilege escalation
Monitor for credential stuffing

Compliance and Standards

1. Security Frameworks

OWASP Top 10: Web application security risks
NIST Cybersecurity Framework: Risk management
ISO 27001: Information security management
PCI DSS: Payment card industry standards

2. Best Practices

                    Regular component updates
Strong authentication policies
Multi-factor authentication
Continuous security monitoring

                

Career Development in Security Engineering

Next Steps:

Advanced Certifications: CISSP, CISM, CISA
Specialized Training: Security engineering, Risk management
Hands-on Practice: Security assessments, Penetration testing
Industry Networking: Security conferences, meetups
Research: New attack techniques, Defense methods

Resources: OWASP | NIST | Snyk

Task 2: Secure Component & Authentication Implementation

Objective:

Use OS³ Studio to implement secure component management and authentication practices.

Instructions:

Access the OS³ Studio secure implementation environment
Update all vulnerable components to latest versions
Implement strong password policies
Add rate limiting and account lockout
Configure secure session management
Implement multi-factor authentication
Test the secure implementation
Document the security improvements

Time: 45 minutes

Focus on implementing industry-standard security practices

Further Activity: Code Inspection

Advanced Students - Code Analysis:

For students with additional time, explore the source code to understand:

How component dependencies are managed
Authentication and session management implementation
Password hashing and storage mechanisms
Multi-factor authentication setup
Security monitoring and logging

Deliverable: Code review report with security recommendations

Session Summary

                    Key Takeaways:
                    Vulnerable components are a major security risk
Authentication failures can lead to account compromise
Regular component updates are essential
OS³ Studio provides hands-on vulnerability testing
Secure implementation requires multiple layers of protection
Career opportunities in security engineering are growing

                

Next Steps

Continue Learning:

Complete the OS³ Studio tasks
Explore additional security topics
Practice with security testing tools
Consider industry certifications
Join cybersecurity communities

Next Session: WEB-DATA-01 & WEB-LOG-01 - Data Exposure & Logging