Web Auth Zine
I know a few methods: sessions, OAuth, token based.

Contents: session based, password based, Authorization grant flow.
HTTP BASIC AUTHENTICATION
① Browser requests a page. The server sends a blank page with 401 status and a WWW-Authenticate header.
② Browser notices the presence of the WWW-Authenticate header and presents a popup.
③ User enters username & password.
④ Browser sends them in the Authorization header of the request; server validates the username & password.
⑤ If the credentials match, you get contacts.html as the response.
⑥ Browser will remember the credentials and will pass them on subsequent requests.
HTTP BASIC AUTH sends the credentials as text (encoded, not encrypted).
* Use HTTPS
SESSION BASED
User login is linked with a piece of state in the server.
① User submits credentials over POST.
② Server validates the credentials and sends the browser a cookie that will identify the user in future requests. At this point a session is generated for the client; the server stores it, and the browser sends the cookie on subsequent requests (this is called a session cookie).
③ GET contacts.html: browser sends the cookie as well. Server validates the session information from the cookie (session info is kept in memory or a DB) and returns contacts.html.
④ logout.html: server invalidates the session token, 200 status.
⑤ A request carrying the existing session after it has been invalidated gets a 403 status.
TOKEN BASED
Used with
> RESTful APIs
> Single Page Apps
> Microservices
* Requests carry a token to the server.

How does a token differ from a session?

Sign in via POST:
{ "username": "Jon", "password": "Foo Bar" }
① User submits credentials over POST.
② Server validates the credentials and sends the browser a token that will identify the user in future requests. At this point a session for the client is generated in the server. * This is optional!
③ Browser keeps the token in local storage and sends the token along with each request. Server decodes the token and validates the signature (if present), then returns contacts.html.
④ logout.html: server asks the client to clear the token, status 200; the client clears the token.
⑤ No token present: 403 status.

Key concept: tokens are stateless.
* Server should sign tokens. The signature prevents the tokens from tampering.
Security Assertion Markup Language (SAML)

Needless to say, JWT is really important.
JSON WEB TOKENS
① username + password → ② Generate token: generate a JSON Web Token with a secret key → Response.
A self-contained token: it contains the data.
Header . Payload . Signature

Header: hashing algorithm used for the signature.
Payload: Base64Encode(data)
Signature: HMACSHA256(Base64Encode(Header) + "." + Base64Encode(Payload), secret key)

DATA, AKA claims:
{
  "id": "doe",
  "email": "john@doee.com",
  "exp": "1234567890"
}

Claim types:
> Public
> Private: a name without meaning to anyone except the token producer

JTI - JWT token identifier
IAT - issued at
ISS - issuer
Sub - subject
Exp - token expiry time
This is too much knowledge!!
Agreed, take a break, refresh.
Don't worry, I will make it easy.
OAUTH (OPEN AUTHORIZATION)
Don't get confused by the name: it is a protocol for Authorization.
It allows the users to share their private resources.

Roles:
> Authorization server
> Resource server: holds the actual protected resource
> Client: the app
> Resource owner: the user

4 ways (grant types):
↳ Authorization Code Grant
↳ Implicit Grant
↳ Client Credentials Grant
↳ Resource Owner Password Credentials Grant
AUTHORIZATION CODE GRANT
① App (client) requests a token from the auth server.
② Auth server checks if the user is logged in.
③ User: "Why not? Take my username & password."
④ Auth server asks the user for consent.
⑤ User: "Yes please, I give my consent."
⑥ Auth server to App: "Hey App, user authorized access for you. Take this authz code."
⑦ App exchanges the authz code; auth server: "Take this token." * At this step the request is validated before the response.
⑧ Client app calls the resource server with the Bearer Token.
⑨ Response.
IMPLICIT GRANT
① App requests a token from the auth server.
② Auth server checks if the user is logged in.
③ User: "Why not? Take my username & password."
④ Auth server asks the user for consent.
⑤ User: "Yes please, I give my consent."
⑥ Auth server to App: "Hey App, user authorized access for you. Take this token and use this access token with the resource server."
⑦ Client app calls the resource server with the Bearer Token.
⑧ Response.
CLIENT CREDENTIALS GRANT
* Used when the client is acting on its own behalf (when the client is the resource owner).
① Client app to auth server: "Give me an access token."
② Auth server: "Take this token."
③ Client app calls the resource server with the Bearer Token.
④ Response.
RESOURCE OWNER PASSWORD CREDENTIALS GRANT
① App requests a token with the user's username & password.
② Auth server checks if the username & password are valid.
③ Auth server returns an Access Token with an optional Refresh token.
④ Client app calls the resource server with the Bearer Token.
⑤ Response.
No problem! Take your time to absorb.
Also there will be another zine just covering OAuth in detail.
I hope you enjoyed!
Thanks, Christina the IAM Ninja.
Read more Zines @ securityzines.com