2017 OWASP Top 10: Broken Authentication

132,656 views

F5 DevCentral

6 years ago

New 2021 OWASP Lightboard Series:
• 2021 OWASP Top Ten
Video 2/10 on the 2017 OWASP Top Ten Security Risks.
John Wagnon discusses the details of the #2 vulnerability listed in this year's OWASP Top 10 Security Risks: Broken Authentication. Learn about this security risk and how to guard against it.
community.f5.com/articles/lig...

Comments: 40
@Wayne_Robinson 4 years ago
Having a shirt with a mirrored logo so it looks correct after processing the video is great attention to detail! As a side benefit, it might be entertaining to see how many people notice when wearing the shirt in public.
@TheSnehaShetti 3 years ago
I noticed that too, to be honest. I like it.
@TheTechZLife 3 years ago
Just for that detail alone, this dude gained my sub.
@Sam-rp4hy 3 years ago
So, credential stuffing is like a dictionary attack, and an automated attack is more of a brute force.
@charanpreet2211 3 years ago
I think credential stuffing is like brute force using rainbow tables (hashes stolen from previous breaches), and an automated attack is like a password cracking or password guessing attack / dictionary attack.
@anselmleo4146 3 years ago
Thanks for the amazing breakdown @F5 DevCentral. I was wondering where token authentication like JWT and Passport comes into play?
@ELEchico 2 years ago
Thank you for the quick and straightforward explanations :)
@devcentral 2 years ago
Glad you enjoyed it!
@thifranzini 5 years ago
Congrats on this video! It helped me a lot!
@devcentral 5 years ago
I'm glad you enjoyed it!
@chethangopalakrishna4264 5 years ago
Useful information. Thank you.
@ricardoblikman2676 2 years ago
This is a hard one; it is extremely difficult to stop multiple username/password attacks on microservices in parallel from multiple addresses.
@zer0day463 2 years ago
Great Explanation
@devcentral 2 years ago
Glad you enjoyed it!
@marianocalzada6472 2 years ago
amazing video!
@devcentral 2 years ago
Glad you enjoyed it!
@pankajgawai6944 5 months ago
Great, sir.
@staynjohnson4221 4 years ago
8:41 If the initial session ID is thrown away and the server creates a brand new session ID (that is not sent to the browser, I suppose?) to interact with the client, how would the server now verify the client?
@AyushSharma-bn2js 4 years ago
I have the same doubt!! I guess the session ID is shared with the browser, or else it would not make sense 😅
@pragyapranshu4976 3 years ago
I believe once a session has been closed, you need to wait for some time and re-enter credentials again. Best example: logging on to banking websites.
@tiyasghoshroy9577 2 years ago
A random session ID is generated by the server (preferably one which is complex and random enough that it is impossible to generate a valid one by luck) and sent to the browser. This random session ID should only be valid for a certain duration and definitely be invalidated on logout and idleness. For further reference: codeahoy.com/2016/04/13/generating-session-ids/
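The session rotation this thread is asking about (the 8:41 point in the video), as an added Python example that is not code from the video or from F5. The server mints a fresh ID from a CSPRNG, discards the pre-login ID on successful authentication, and delivers the new ID to the browser in a Set-Cookie header; the browser then presents it on every request, which is how the server still recognises the client. The timeout values, the in-memory dict standing in for a real session store, and the cookie name are all assumptions made for the example.

```python
import secrets
import time

# Assumed policy values (example, not from the video): 256-bit IDs,
# 15 minute idle timeout, 8 hour absolute lifetime.
SESSION_ID_BYTES = 32
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60
COOKIE_NAME = "session"


class SessionStore:
    """Server-side session table keyed by an unguessable random ID.

    The clock is injectable so timeouts can be exercised deterministically;
    the dict stands in for Redis or a database in a real deployment.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session_id -> {"user", "created", "last_seen"}

    def create(self, user=None):
        """Mint a fresh session (anonymous if user is None) and return its ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)  # CSPRNG, never random.random()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the record for a presented ID, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)  # expired: drop it so a stolen ID stops working
            return None
        rec["last_seen"] = now
        return rec

    def login(self, presented_sid, user):
        """Rotate the session on successful authentication.

        The pre-login ID is discarded (an attacker who planted it, i.e. session
        fixation, is left holding a dead ID) and a brand-new authenticated ID is
        minted. The caller must send the new ID to the browser; see
        set_cookie_header().
        """
        self.destroy(presented_sid)
        return self.create(user)

    def logout(self, sid):
        self.destroy(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Set-Cookie value that hands the new session ID to the browser.

    HttpOnly keeps it away from page scripts, Secure keeps it off plaintext
    HTTP, SameSite=Lax limits cross-site sending.
    """
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo():
    """Old ID dies at login, new ID carries the identity."""
    store = SessionStore()
    anon = store.create()              # ID issued before login
    auth = store.login(anon, "alice")  # rotated on successful auth
    return store.lookup(anon) is None and store.lookup(auth)["user"] == "alice"


if __name__ == "__main__":
    print("rotation works:", demo())
```

The test for idle and absolute expiry below drives the injected clock rather than sleeping; in a real app the same checks run on every request that carries the cookie.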
@fahimuel 6 years ago
It would have been better if John had suggested how the F5 Web Application Firewall or any other F5 product protects from the broken authentication problem or any other OWASP Top 10 issues.
@devcentral 6 years ago
Thanks for the comment, fahimuel! We will be releasing videos very soon that show exactly what you mentioned: how the F5 ASM can guard against these attacks. Stay tuned!
@joshwaphilip9840 5 years ago
A web application firewall is one of the secondary prevention methods, but basically the industry uses some primary methods, like password complexity, length, username/password enumeration and protection from brute-force login.
@davisli 5 years ago
@devcentral If failed-login lockout is one of the possible protection mechanisms, then I suppose an attacker who wants to deny users access to their services would succeed. Is there a way the F5 WAF can prevent distributed brute-force login attacks without locking legitimate users out? Maybe by geolocation or the usual device IDs of a legitimate user?
@devcentral 5 years ago
@davisli Great question! The Advanced WAF has functionality that protects against this type of behavior by using device ID fingerprinting and IP reputation along with other features like Datasafe. Here are a couple of videos that might help... Datasafe: kzfaq.info/get/bejne/sN-jZN1i1cuom6s.html Credential Protection: kzfaq.info/get/bejne/j5aWg9OUlb-sl2Q.html F5 Advanced WAF: kzfaq.info/get/bejne/fqiSd65zu5q1h2Q.html Hope this helps!
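An added Python example of the design principle behind the exchange above (it is not F5 Advanced WAF code and not from the video): throttle failed logins without ever hard-locking the account, so an attacker cannot weaponise the lockout as a denial of service. Failures are counted per (account, source) and per account; a noisy source gets exponential backoff, while an account under distributed attack is moved to step-up authentication (MFA or an out-of-band challenge) instead of being locked. The `source` key is whatever the deployment can attribute a request to, a client IP or, better, a device fingerprint as the reply suggests. All thresholds are assumed example values.

```python
import time
from collections import defaultdict

# Assumed thresholds (example values, not from the video or any F5 product).
MAX_FAILS_PER_SOURCE = 5     # failures from one (account, source) before backoff
MAX_FAILS_PER_ACCOUNT = 20   # failures on one account from anywhere before step-up
WINDOW = 15 * 60             # sliding window, seconds
BASE_BACKOFF = 2             # seconds; doubles with every failure past the limit


class LoginThrottle:
    """Failed-login throttle that never locks an account outright.

    `source` is a client IP or device fingerprint, so one attacker's failures
    are not charged to the legitimate user's own device.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._fails = defaultdict(list)  # key -> failure timestamps

    def _recent(self, key, now):
        """Drop timestamps outside the sliding window and return the rest."""
        self._fails[key] = [t for t in self._fails[key] if now - t < WINDOW]
        return self._fails[key]

    def check(self, username, source):
        """Decide before the password is even verified.

        Returns ("allow", 0), ("delay", seconds_to_wait) or ("step_up", 0).
        """
        now = self._clock()
        src = self._recent(("src", username, source), now)
        acct = self._recent(("acct", username), now)

        # Noisy source: exponential backoff applied to that source only.
        if len(src) >= MAX_FAILS_PER_SOURCE:
            wait = min(BASE_BACKOFF * 2 ** (len(src) - MAX_FAILS_PER_SOURCE), WINDOW)
            elapsed = now - src[-1]
            if elapsed < wait:
                return ("delay", wait - elapsed)

        # Account under distributed attack: demand a second factor instead of
        # locking the account, so the owner is never denied access outright.
        if len(acct) >= MAX_FAILS_PER_ACCOUNT:
            return ("step_up", 0)

        return ("allow", 0)

    def record_failure(self, username, source):
        now = self._clock()
        self._fails[("src", username, source)].append(now)
        self._fails[("acct", username)].append(now)

    def record_success(self, username, source):
        # A correct password from this source clears its own counter only; the
        # account-wide counter keeps step-up in force while the attack lasts.
        self._fails.pop(("src", username, source), None)


if __name__ == "__main__":
    th = LoginThrottle()
    for _ in range(MAX_FAILS_PER_SOURCE):
        th.record_failure("alice", "203.0.113.5")
    print(th.check("alice", "203.0.113.5"))  # ("delay", ~2.0)
```

The login handler calls `check()` first, returns HTTP 429 with Retry-After for "delay", runs the MFA flow for "step_up", and only then verifies the password, recording the outcome with `record_failure()` or `record_success()`.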
@zserfv1001 3 years ago
Very helpful for me
@devcentral 3 years ago
Glad you enjoyed it!
@yogeshwarans7781 2 years ago
Sir, what is the purpose of using a session ID?
@domaincontroller 3 years ago
05:31 best practices
@Felix-og7pd 1 year ago
How to solve? Credential stuffing, automated attacks, top 10,000 passwords. How to break? Multi-factor auth, password check (that it's not in the top 10,000), password complexity, firewall.
@Eric-nm7ff 3 years ago
Stopped watching at "password complexity" being suggested as a solution to any problem.
@thewatcherlollol 3 years ago
OK, buddy.
@DrThrax009 3 years ago
But why? This is one of the basic and cost-effective controls. Don't you think?
@dmaiyo5927 1 year ago
How are you writing in reverse?
@devcentral 1 year ago
Thanks for the comment and a common question we get! This is how: kzfaq.info/get/bejne/i511kq9l3Km0hJc.html