Securing Java Web Applications Through Authentication

Your users' usernames and passwords are the keys to the kingdom. Watch and apply this course in order to approach authenticating and managing secure data in Java web applications with greater confidence.
Course info
Level
Intermediate
Updated
Sep 21, 2018
Duration
2h 21m
Table of contents
Course Overview
Introduction
Identifying and Mitigating Enumeration Vulnerabilities
Identifying and Mitigating Brute Force Vulnerabilities
Identifying and Mitigating Plaintext Vulnerabilities in Transit
Identifying and Mitigating Plaintext Vulnerabilities at Rest
Creating an Audit Trail for Security Events
Description
Course info
Level
Intermediate
Updated
Sep 21, 2018
Duration
2h 21m
Description

How long would your users' usernames and passwords survive an attack? In this course, Security Java Web Applications Using Authentication, you will gain the ability to detect and mitigate authentication vulnerabilities. First, you will detect enumeration vulnerabilities. Next, you will find brute force ones. Then, in plaintext. Finally, you will explore how to securely log in order to detect attacks at runtime. When you're finished with this course, you will have the Application Security skills and knowledge needed to securely authenticate users.

About the author
About the author

Like many software craftsmen, Josh eats, sleeps, and dreams in code. He codes for fun, and his kids code for fun! Right now, Josh works as a full-time committer on Spring Security and loves every minute.

More from the author
Micro-experimentation Tools in Java 9
Intermediate
1h 57m
Nov 1, 2017
Securing Java Web Applications
Intermediate
2h 25m
Jul 31, 2017
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hi everyone. My name is Josh Cummings, and welcome to my course, Securing Java Web Applications Using Authentication. I'm a full-time Springs Security committer over at Pivotal, and I love talking about application security. Just recently, WordPress experienced its largest distributed online bruteforce attack on record at 135, 000 WordPress sites. The attack clocked in at 196, 000 attempted logins per second. How do you think your app would hold up to that kind of on slot. In this course, we're going to talk about it. We'll talk about bruteforce, enumeration, plain text attacks, and more. Some of the major topics that we'll cover include why you need to do more than just be ambiguous with your error messaging, how to inform a user that their account is locked out without also letting the hackers know, the nooks and crannies where plaintext passwords like to lurk in your application, and why most password strength requirements give a false sense of security and what to do about it. By the end of this course, you'll know how to keep your user account details secure and how to listen for problems with them down the road. You'll understand that secure login is a lot more than just HTTPS. Before beginning the course, you should be familiar with Java Servlets at the very least. However, a knowledge of Gradle, Selenium, Mockito, Spring Boot, and Spring Security will also be helpful, especially if you're following along with the demos in your IDE. You might also get some benefit by starting with Securing Java Web Applications, my first course in the series, though, this course does not assume that you've already taken that. I hope you'll join me on this journey to learn application security with the securing Java Web Applications Using Authentication course, at Pluralsight.

Introduction
Hey, here's a fun app, and while it's not definitive, it does teach a good principle. The app is howsecureismypassword. net. If I type in a password like say password, then the app gives me a grade. It turns out that the password, password, isn't all that clever, in fact, it's so unclever that it would be cracked by hackers instantly, being one of the first five passwords that a hacker may try against my account. The app also gives other warnings like that it's a word and that the password, by today's standards, is way too short. Now a lot over the years has been said about passphrases and you can see that the password gets stronger as I add random words that come to my brain as I type. Indeed, a password's length is easily the strongest predictor of a password strength. Just for fun, here's an old password of mine that I'm no longer using. It's a passphrase that includes spaces, letters, and numbers. How secure is your password? Now as a software engineer, we're charged with keeping passwords and other very important and powerful information secure. It's within our charge to train and incentivize users to make secure decisions and to make secure decisions ourselves. So to peek your interest a bit, let me tell you a story about an ill-fitted company whose password policies were bad enough that when they got hacked, security researchers were able to crack 11. 6 million user passwords in just 10 days.

Identifying and Mitigating Enumeration Vulnerabilities
In the introduction, we picked on Ashley Madison a bit for a password storage vulnerability and we're going to pick on them just one more time for what is called an enumeration vulnerability. Thanks to Troy Hunt for pointing this one out to me. But first, to get your mind thinking about enumeration, let's start with a question. If you find yourself on a forgot password page and you mistype your email address in the form, what experience would you expect when you press the Submit button. Would you expect a helpful error letting you know to correct your email address? If you said yes, then your forgot password flow might look very similar to the broken one on Ashley Madison's website because that is exactly what they did. This seems pretty reasonable from a usability standpoint, but it presents a security problem.

Identifying and Mitigating Brute Force Vulnerabilities
Now enumeration may have been new to you, but I'm certain that bruteforce isn't. Where enumeration is listening to the pins drop in a door lock, bruteforce is pounding at the door with a sledgehammer. My 3-year-old boy is very persistent. Anyone who has been around children at this age for long enough will know what I mean when I say that he uses the word please like a battering ram. When he wants something, his perpetual please pounding is relentless reasoning that he's wearing his parents down to the point of capitulation. And I'm ashamed to report that he has at times been successful with this strategy. This same scenario is played out on the internet every day against our production systems whenever an attacker attempts to bruteforce guess his way in. Just 6 weeks ago at the time of this writing, WordPress recorded its largest scale distributed bruteforce attack with 190, 000 WordPress sites being attacked per hour, 235, 000 password guesses attempted per second. Brute force authentication attacks are repeated attempts to break into a secured area simply by trying as many username/password combinations as are conjurable by the malicious actor. They're successful for the fundamental reason that so many passwords are quite guessable. What can we do in the mist of our users selecting weak passwords?

Identifying and Mitigating Plaintext Vulnerabilities in Transit
I've heard people say that they have nothing to hide, but I think that these people might not be thinking about their passwords when they say this. Your passwords are literally the keys to the kingdom. So I was SSH-ing into one of our systems at work the other day, and every once in a while, my muscle memory will go faster than the password prompt, and so I start typing in my password before the password mask kicks in. It makes the first couple of characters visible on the screen before the password prompt shows. And I don't know about you, but there is something frightening about seeing my password in plain text even if it's only for the first couple of characters. It's one of those moments where you mildly panic, you clear the screen, you look at your coworkers suspiciously, you wash your hands, you sacrifice your turtle dove, and then you go and change your password anyway, maybe twice just to be sure.

Identifying and Mitigating Plaintext Vulnerabilities at Rest
Imagine you're trying to guess someone's password, but you have only the first few letters. How many guesses do you think that it would take you? Here on the screen, you'll see a password appear character by character. Go ahead and shout it out when you think you know what the password is. Okay, first one. This is an 8-character password, 1-2-3-4-5-6-7-8. You probably guessed the entire password long before I gave you all the characters, right. Let's try another one. This is, again, an 8-letter password, P-A-S-S-W-O-R-D. Again, maybe you guessed the entire password after only seeing a few letters. How about this one, 2bornot2b. Maybe that took a bit longer, and if you didn't get this one, maybe it's because your high school English teacher didn't have you read Hamlet like mine did.