Minor changes for threat model chapter.

This commit is contained in:
Stan Silvert 2016-06-07 15:02:18 -04:00
parent 4e0351ed16
commit e55100f03c
8 changed files with 14 additions and 15 deletions

View file

@ -13,13 +13,13 @@ image:../../{{book.images}}/brute-force.png[]
The way this works is that if there are `Max Login Failures` during a period of `Failure Reset Time`, The way this works is that if there are `Max Login Failures` during a period of `Failure Reset Time`,
the account is temporarily disabled for the `Wait Increment` multiplied by the number of failures over the max. After the account is temporarily disabled for the `Wait Increment` multiplied by the number of failures over the max. After
`Failure Reset Time` is reached all failures are wiped clean. The `Max Wait` is the maximum amount of time `Failure Reset Time` is reached all failures are wiped clean. The `Max Wait` is the maximum amount of time
an account can be disabled for. Another preventive measure is that if there is subsequent login failures for one an account can be disabled. Another preventive measure is that if there are subsequent login failures for one
account that are too quick for a human to initiate the account will be disabled then. This is controlled by the account that are too quick for a human to initiate the account will be disabled. This is controlled by the
`Quick Login Check Milli Seconds` value. So, if there are two login failures for the same account within that value, `Quick Login Check Milli Seconds` value. So, if there are two login failures for the same account within that value,
the account will be disabled for `Minimum Quick Login Wait`. the account will be disabled for `Minimum Quick Login Wait`.
The downside of {{book.project.name}} brute force detection is that the server becomes vulnerable to denial of service attacks. The downside of {{book.project.name}} brute force detection is that the server becomes vulnerable to denial of service attacks.
An attacker can simply try to guess passwords for as many accounts it knows and these account will be disabled. Eventually An attacker can simply try to guess passwords for any accounts it knows and these account will be disabled.
Eventually we will expand this functionality to take client IP address into account when deciding whether to block a user. Eventually we will expand this functionality to take client IP address into account when deciding whether to block a user.
A better option might be a tool like http://fail2ban.org[Fail2Ban]. You can point this service at the {{book.project.name}} server's log file. A better option might be a tool like http://fail2ban.org[Fail2Ban]. You can point this service at the {{book.project.name}} server's log file.
@ -28,7 +28,7 @@ firewalls after it detects an attack to block connections from specific IP addre
==== Password Policies ==== Password Policies
Another things you should do to prevent password guess is to have a complex enough password policy to ensure that Another thing you should do to prevent password guess is to have a complex enough password policy to ensure that
users pick hard to guess passwords. See the <<fake/../../authentication/password-policies.adoc#_password-policies, Password Policies>> chapter for more details. users pick hard to guess passwords. See the <<fake/../../authentication/password-policies.adoc#_password-policies, Password Policies>> chapter for more details.
The best way to prevent password guessing though is to set up the server to use a one-time-password (OTP). The best way to prevent password guessing though is to set up the server to use a one-time-password (OTP).

View file

@ -6,10 +6,9 @@ buttons that are carefully constructed to be placed directly under important but
When a user clicks a visible button, they are actually clicking a button (such as a "login" button) on the hidden page. When a user clicks a visible button, they are actually clicking a button (such as a "login" button) on the hidden page.
An attacker can steal a user's authentication credentials and access their resources. An attacker can steal a user's authentication credentials and access their resources.
By default, every response by {{book.project.name}} sets some specific browser headers that can prevent this from happening By default, every response by {{book.project.name}} sets some specific browser headers that can prevent this from happening.
specifically http://tools.ietf.org/html/rfc7034[X-FRAME_OPTIONS] and http://www.w3.org/TR/CSP/[Content-Security-Policy]. Specifically, it sets http://tools.ietf.org/html/rfc7034[X-FRAME_OPTIONS] and http://www.w3.org/TR/CSP/[Content-Security-Policy].
You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control.
with these headers.
In the admin console you can specify the values these headers will have. Go to the `Realm Settings` left menu item and In the admin console you can specify the values these headers will have. Go to the `Realm Settings` left menu item and
click the `Security Defenses` tab and make sure you are on the `Headers` sub-tab. click the `Security Defenses` tab and make sure you are on the `Headers` sub-tab.

View file

@ -1,7 +1,7 @@
=== Compromised Access Codes === Compromised Access Codes
For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows, OIDC Auth Code Flow>>, t would be very hard for an attacker to compromise {{book.project.name}} access codes. For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows, OIDC Auth Code Flow>>, it would be very hard for an attacker to compromise {{book.project.name}} access codes.
{{book.project.name}} generates a cryptographically strong random value for its access codes so it would be very hard to guess an access token. {{book.project.name}} generates a cryptographically strong random value for its access codes so it would be very hard to guess an access token.
An access code can only be used once to obtain an access token. An access code can only be used once to obtain an access token.
In the admin console you can specify how long an access token is valid for on the <<fake/../../sessions/timeouts.adoc#_timeouts, timeouts page>>. In the admin console you can specify how long an access token is valid for on the <<fake/../../sessions/timeouts.adoc#_timeouts, timeouts page>>.

View file

@ -1,7 +1,7 @@
=== Compromised Access and Refresh tokens === Compromised Access and Refresh tokens
There's a few things you can do to mitigate access tokens and refresh tokens from being stolen. There are a few things you can do to mitigate access tokens and refresh tokens from being stolen.
The most important thing is to enforce SSL/HTTPS communication between {{book.project.name}} and its clients and applications. The most important thing is to enforce SSL/HTTPS communication between {{book.project.name}} and its clients and applications.
This might seem like a no-brainer, but since {{book.project.name}} does not have SSL enabled by default, many naive admins This might seem like a no-brainer, but since {{book.project.name}} does not have SSL enabled by default, many naive admins
might not realize they have to do this. might not realize they have to do this.

View file

@ -2,10 +2,10 @@
=== CSRF Attacks === CSRF Attacks
Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the
web site trusts or has authenticated with(e.g., via HTTP redirects or HTML forms). Any site that uses cookie based authentication is vulnerable for these types of attacks. web site trusts or has authenticated with(e.g., via HTTP redirects or HTML forms). Any site that uses cookie based authentication is vulnerable to these types of attacks.
These attacks are mitigated by matching a state cookie against a posted form or query parameter. These attacks are mitigated by matching a state cookie against a posted form or query parameter.
OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter. The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter.
{{book.project.name}} fully implements this part of the specification so all logins are protected. {{book.project.name}} fully implements this part of the specification so all logins are protected.
The {{book.project.name}} Admin Console is a pure JavaScript/HTML5 application that makes REST calls to the backend {{book.project.name}} admin REST API. The {{book.project.name}} Admin Console is a pure JavaScript/HTML5 application that makes REST calls to the backend {{book.project.name}} admin REST API.

View file

@ -4,6 +4,6 @@
For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows,Authorization Code Flow>>, if you register redirect URIs that For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows,Authorization Code Flow>>, if you register redirect URIs that
are too general, then it would be possible for a rogue client to impersonate a different client that has a broader scope are too general, then it would be possible for a rogue client to impersonate a different client that has a broader scope
of access. This could happen for instance if two clients live under the same domain. So, its a good idea to make your of access. This could happen for instance if two clients live under the same domain. So, it's a good idea to make your
registered redirect URIs as specific as feasible. registered redirect URIs as specific as feasible.

View file

@ -1,7 +1,7 @@
=== Limiting Scope === Limiting Scope
By default, each new client applications has an unlimited scope. This means that every access token that is created By default, each new client application has an unlimited scope. This means that every access token that is created
for that client will contain all the permissions the user has. If the client gets compromised and the access token for that client will contain all the permissions the user has. If the client gets compromised and the access token
is leaked, then each system that the user has permission to access is now also compromised. It is highly suggested is leaked, then each system that the user has permission to access is now also compromised. It is highly suggested
that you limit the roles an access token is assigned by using the <<fake/../../roles/client-scope.adoc#_client_scope, Scope menu>> for each client. that you limit the roles an access token is assigned by using the <<fake/../../roles/client-scope.adoc#_client_scope, Scope menu>> for each client.

View file

@ -8,7 +8,7 @@ Once they have an access token they can do any operation that the token has been
{{book.project.name}} has <<fake/../../realms/ssl.adoc#_ssl_modes,three modes for SSL/HTTPS>>. {{book.project.name}} has <<fake/../../realms/ssl.adoc#_ssl_modes,three modes for SSL/HTTPS>>.
SSL can be hard to set up, so out of the box, {{book.project.name}} allows non-HTTPS communication over private IP addresses like SSL can be hard to set up, so out of the box, {{book.project.name}} allows non-HTTPS communication over private IP addresses like
localhost, 192.168.x.x, and other private IP addresses. localhost and 192.168.x.x.
In production, you should make sure SSL is enabled and required across the board. In production, you should make sure SSL is enabled and required across the board.
On the adapter/client side, {{book.project.name}} allows you to turn off the SSL trust manager. On the adapter/client side, {{book.project.name}} allows you to turn off the SSL trust manager.