When you are authenticating clients to a wireless network, two processes are available. The first, known as open system authentication, is used in situations where you want to make your network available to a wide range of clients. This type of authentication occurs when an authentication frame is sent from a client to an access … Read more
Security Accounts Manager (SAM) Inside the Windows operating system is a database that stores security principals (accounts or any entity that can be authenticated). In the Microsoft world, these principals can be stored locally in a database known as the Security Accounts Manager (SAM). Credentials, passwords, and other account information are stored in this database; … Read more
Even a well-designed authentication mechanism may be highly insecure due to mistakes made in its implementation. These mistakes may lead to information leakage, complete login bypassing, or a weakening of the overall security of the mechanism as designed. Implementation flaws tend to be more subtle and harder to detect than design defects such as poor … Read more
Applications often implement “remember me” functions as a convenience to users, to prevent them needing to reenter their username and password each time they use the application from a specific computer. These functions are often insecure by design and leave the user exposed to attack both locally and by users on other computers: ■ Some … Read more
Surprisingly, many web applications do not provide any way for users to change their password. However, this functionality is necessary for a well designed authentication mechanism for two reasons: ■ Periodic enforced password change mitigates the threat of password compromise by reducing the window in which a given password can be targeted in a guessing … Read more
In addition to the core communications protocol used to send messages between client and server, web applications employ numerous different technologies to deliver their functionality. Any reasonably functional application may employ dozens of distinct technologies within its server and client components. Before you can mount a serious attack against a web application, you need a … Read more
A central security requirement that virtually any application needs to meet is to control users’ access to its data and functionality. In a typical situation, there are several different categories of user; for example, anonymous users, ordinary authenticated users, and administrative users. Further, in many situations different users are permitted to access a different set … Read more