
A Tool to Strengthen Your Password Manager

Andrew Lee
Security Engineer

Password managers, such as the Okta Browser Plugin, can defend against phishing attacks. However, to prevent the compromise of passwords, password managers need to be hardened against attacks that confuse them into misidentifying websites. To help achieve this, the Okta Research and Exploitation team (REX) has created a tool, hack_url_re, to automatically detect certain vulnerabilities in pattern matching code, regular expressions in particular, that password managers often use to identify websites. It reduces the chances of a subtle mistake slipping past human eyes and making its way into production.

The tool applies automated reasoning using Microsoft's Z3 Prover. When it reports an issue, hack_url_re outputs a justification for its result that is easy to validate, either automatically or manually. The tool introduces several techniques to balance efficiency, simplicity, and thoroughness, with options for choosing the level of analysis. The Okta REX team hopes this tool helps you find possible vulnerabilities and develop new tools for your own automated security testing.
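To make the class of bug concrete, here is an added example (not part of the original post and not the hack_url_re tool itself): a few constructed site-matching regexes of the kind a password manager might use, one hardened pattern, and a small checker that feeds each pattern a fixed list of URLs whose origin differs from the legitimate site and reports which ones the pattern wrongly accepts. hack_url_re uses Z3 to search for such inputs in general; this checker only tries a hand-written candidate list, so a clean result here is a smoke test, not a proof. The hostnames `login.example.com` and `attacker.test` are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed: the site a saved credential is meant to be released to.
LEGIT_URL = "https://login.example.com/"

# Constructed examples of sloppy site-matching patterns, each with one classic defect.
WEAK_PATTERNS = {
    # '.' is unescaped, so it matches any character, and nothing anchors the match.
    "unescaped_dot": r"https://login.example.com/",
    # Host is escaped and anchored at the start, but nothing bounds the end of the host.
    "no_end_anchor": r"^https://login\.example\.com",
    # Scheme is optional, so a plain-http page with the same host is accepted.
    "optional_scheme": r"^(https?://)?login\.example\.com(/|$)",
}

# Hardened form: fixed scheme, escaped dots, anchored start, and the host must be
# followed by '/' or end of string so it cannot be extended or followed by '@'.
HARDENED_PATTERN = r"^https://login\.example\.com(/|$)"


def origin_of(url: str) -> tuple[str, str]:
    """(scheme, hostname) as a browser would see it; urlsplit treats text before '@' as userinfo."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname or ""


def spoof_candidates(legit_url: str) -> list[str]:
    """Constructed URLs that are NOT the legitimate origin but are shaped to slip past weak patterns."""
    host = origin_of(legit_url)[1]
    return [
        f"https://{host}.attacker.test/",                 # legit host as a leading subdomain label
        f"https://{host.replace('.', 'x')}/",              # exploits an unescaped '.'
        f"https://{host}@attacker.test/",                  # legit host placed in the userinfo part
        f"http://{host}/",                                 # same host, downgraded scheme
        f"https://attacker.test/{host}/",                  # legit host in the path
        f"https://attacker.test/?next=https://{host}/",   # legit URL inside a query parameter
    ]


def accepted(pattern: str, url: str) -> bool:
    # re.search, not re.fullmatch: unanchored patterns match anywhere, which is the point.
    return re.search(pattern, url) is not None


def find_spoofs(pattern: str, legit_url: str) -> list[str]:
    """Candidate URLs the pattern accepts even though their (scheme, host) is not the legitimate origin."""
    legit_origin = origin_of(legit_url)
    return [
        url for url in spoof_candidates(legit_url)
        if accepted(pattern, url) and origin_of(url) != legit_origin
    ]


def check_all() -> dict[str, list[str]]:
    """Map each pattern name to the spoof URLs it accepts; the hardened pattern should map to []."""
    results = {name: find_spoofs(p, LEGIT_URL) for name, p in WEAK_PATTERNS.items()}
    results["hardened"] = find_spoofs(HARDENED_PATTERN, LEGIT_URL)
    return results


if __name__ == "__main__":
    for name, spoofs in check_all().items():
        print(f"{name}: {'OK' if not spoofs else 'accepts ' + ', '.join(spoofs)}")
```

The hardened pattern also rejects `https://login.example.com:443/` because of the `(/|$)` boundary; that is the safe direction for a credential-release decision, and a pattern that needs to allow an explicit port should add it as an escaped, anchored alternative rather than loosening the boundary. The generalization to keep in mind is that each candidate above exercises one defect class (unescaped metacharacter, missing anchor, optional scheme, host embedded in userinfo, path or query), so a new pattern that passes all of them has at least avoided those specific mistakes.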

For the full technical breakdown of hack_url_re, check out my post Using hack_url_re to Auto Detect Website Spoofing Vulnerabilities on our Security blog.


Andrew Lee
Security Engineer

Andrew Lee is a security engineer on Okta’s Research and Exploitation (REX) team, where he works with developers to create secure solutions by employing a mix of manual and automated techniques. He is curious about the evolution of all complex systems—from the living to the artificial—and how they develop defenses against exploitation. With a focus on automated reasoning and cryptography, Andrew’s research explores methods that distinguish between the benign and the malicious.
