I manage a website which uses Firebase Authentication with email and password to login.
I want to do some brute force attack protection. However it is not important for me which exact mechanism is used. However it's important that is it easy to implement and maintain. Also our users are not especially tech savy, so I am trying to avoid 2FA.
It could for example be a mechanism which forced the user to verify their email after three failed login attempts.
Therefore I was hoping to find some help in the docs. However I could not find any easy to use built in mechanism. Most answers mention that you could contact support if you see mysterious traffic. There is also specific advise for specific kinds of attacks.
Can anybody provide an example to a simple, effective, and easy to implement mechanism guarding against brute force attacks?
Related
I'm writing a web app that is very tied to a different app (Twitch), so my plan is to only offer logging in through them. I'm trying to come up with an auth scheme for my app, and am thinking about implementing it by just packaging up the OAuth2 creds I get from Twitch, and setting that as a JWT cookie. See diagram of auth design
I'm having a hard time finding another example of someone doing or suggesting this, so I get the feeling I'm missing some reason why this is a bad idea, but I can't figure out why. The cookie is a JWT so it's signed, and since the tokens are all from Twitch they can be revoked on their end if necessary. And since all the Twitch creds I need are in a cookie, I don't need to store any access tokens in my DB.
So am I missing something that makes this a bad idea, or is this a secure enough solution to use?
This is a really interesting question. Sadly the answer to this is "it depends", based on the risk / reward to your app and business. Let me try to clarify that to help.
Let's assume that in your system authentication is core to the service. So essentially if your users cannot authenticate then they are not able to access the system.
Using a third party to provide authentication has many pro's and con's. Obviously the pro's are around not having to manage credentials, password resets, attempted attacks on the credentials etc. Also, there are advantages to the customer of not having another set of credentials to manage.
The con's largely are around the dependancy on the third party, if Twitch goes down then no-one can use your system. (This might be true anyway, based on your description).
Essentially, what I recommend is that you weigh up the pro's and con's in your environment. Assuming that the pro's outweigh the con's then using OAuth2 is a great way of authenticating.
While I don't have an example to hand of a website using only 3rd party auth I do believe the industry is getting there. Many sites have 3rd party auth at the top of their sign in options showing a preference over creating a new set of credentials. You don't have to look much further than StackOverflow that has the following order:
Google
GitHub
Facebook
StackOverflow account
I have to admit I don't know much about security and security patterns. I am developing a firebase function that accepts a license code and returns false if the license code is not valid.
I am afraid that a hacker could brute force the function and find out all possible license codes. How can I make this function more secure? E.g. by implementing a quota for maximum calls per hour. The same principle is used for firebase auth see here
I checked the documentation for firebase function quotas and couldn't find any setting that allows configuring such a quota on an IP-based level.
How can I secure my function against brute force attacks?
You can certainly try to put a rate limit on the function, but that would affect everyone, and would shut out legitimate users. There is not actually anything you can do from an Google Cloud infrastructure perspective to increase the security of API endpoints that you expose to the public for anonymous use.
What you should do instead is make your data more secure. The best way to do this is to eliminate any sense of pattern with respect to the data your function accepts. This means that your license codes should be effectively unguessable by making them long and random enough such that it makes a brute force attack virtually impossible to guess any code. Sequential or non-random values are much easier to guess, especially if they follow an easily discernible pattern.
If you think that your project is subject to abusive behavior, that's something you should report to Google Cloud support, for them to investigate.
I have two asp.net projects at the different domains. These projects use one database.
Let say www.test1.com and www.test2.com. (Late will be more projects)
I already have registration form and registered users.
Now I need to implement SSO possibility without registration at the external sites (google, openId, facebook).
All implementation which I have found required external registration (CAS, Federation, Facebook, openId).
Also I have read this article http://www.codeproject.com/KB/aspnet/CrossDomainSSOExample.aspx, but as far as I understood from comments such solution very insecure.
Please suggest solution or existed library which can help me to use SSO without external registration.
I needed the exact same solution for a client I was working for, I did the research and the only good solutions that I found where either too complex and not well documented or too expensive (I forgot which companies I looked into). So I decided to build a custom solution.
This is a short summary of the solution implemented:
In order to make things more clear let's call "nodes" the domains where you wanted to authenticate a user, and "SSO" the provider of the authentication.
I used a solution that is similar to the one in the link you posted HOWEVER I used the Asp.Net security cookie whenever I wanted to authenticate a node, and also to authenticate the SSO website:
HttpCookie formsCookie = FormsAuthentication.GetAuthCookie(userName, false, HttpRuntime.AppDomainAppVirtualPath);
HttpContext.Current.Response.Cookies.Add(formsCookie);
This also allowed me to not have to query back the SSO provider for each web request as the example you posted seem to do.
I used a new AuthenticationKey for each time I wanted to communicate from the SSO provider back to the node that the authentication was successfull.
Also I added some security features like encrypted communication and that the key could only be valid a max of 2 seconds (the time for the SSO to pass it to the node) and as soon as it was used it would be deleted.
I believe this solution is safe enough, however using an external ready made solution is surely safer.
It took me only a few days to implement the whole solution, so it's not too long of a task. However I cannot share the project as I am not sure the client would agree.
I hope those suggestions might help you.
Let us know what you decide to do in the end.
I would like to create a secure login page for a pre-defined set of users (so no creating username/passwords by the users themselves). I've looked up a few sites and they all seem to suggest using Microsoft's Membership or something. I am not very sure as to why that's used, but all you need to know is that I will be creating the login details. I just need to make the login secure, ie, no duplicate logins, no logins from different browsers and cookies and sessions and encryption and all that. Any one have the code/links to where I can get all this? Thanks in advance.
You have a couple of options here.
Case 1 :
Role your own security but bear in mind you will oversee something. Security isn't easy and its sooo easy to overlook something. Hashing , salting , encryption etc...
Case 2:
If its a simple site just use Microsoft memberschipprovider. It is good and they spend 3 years tweaking / patching it. You can also override the memberschipServiceprovider to implement some additional security. or to tell the memberschipprovider what data should be used.
Optional:
Extend your ISS server with this open-source firewall : http://www.aqtronix.com/?PageID=99
It provides some cool features for "free"(If you have access to install it).
The best security is when you find the balance between secure and accessible vs Top-security and inaccessible.
And to answer the link part of your question:
http://www.owasp.org/index.php/Main_Page
If you want more information on microsofts' memberschipprovider :
Google :) or Bing or yahooooo!
Goodluck
I'm looking for the best reusable libraries and inbuilt features in ASP.Net to prevent the OWASP top 10 security vulnerabilities like injection, XSS, CSRF etc., and also easy to use tools for detecting these vulnerabilities for use by the testing team.
When do you think is the best time to start incorporating the security coding into the application during the development life cycle?
My two cents:
Never ever trust user input. This include forms, cookies, parameters, requests...
Keep your libraries updated. Everyday security flaws arise among us. Patches are released, but they are worthless if you don't apply them / upgrade your libraries.
Be restrictive and paranoid. If you need the user to write his name, be restrictive and let him only use [A-z] characters and so on. Strong constraints will annoy the average user, but it will make your system more secure.
Never log critical data. This means that you should not log things such as what password a user used (obvious) but also you should not be tempted to log what password did a user typed when he failed to log in into the system (because he may had a typo easy to guess). You can extend this example to all critical data. Remember, if it's not there, you don't have to worry about someone trying to get it.
And extracted from wikipedia's CSFR article:
Requiring authentication in GET and POST parameters, not only cookies;
Checking the HTTP Referer header;
Ensuring there's no crossdomain.xml file granting unintended access to
Flash movies[14]
Limiting the lifetime of authentication cookies
When processing a POST, disregard URL parameters if you know they should
come from a form
Requiring a secret, user-specific token in all form submissions and
side-effect URLs prevents CSRF; the
attacker's site can't put the right
token in its submissions
My experience is that just giving the developers a toolbox and hoping for the best doesn't actually work all that well. Security is an aspect of code quality. Security issues are bugs. Like all bugs, even developers that know better will end up writing them anyway. The only way to solve that is to have a process in place to catch the bugs.
Think about what sort of security process you need. Automated testing only? Code review? Manual black-box testing? Design document review? How will you classify security issues in your bug tracking system? How will you determine priority to fix security bugs? What sort of guarantees will you be able to give to customers?
Something that may help you get started is the OWASP ASVS verification standard, which helps you verify that your security verification process actually works: http://code.google.com/p/owasp-asvs/wiki/ASVS
First best practice: Be aware of the vulnerabilities while coding. If you code think about what your are doing.