2014-03-22

Minor corrections/rewrites.


Revision as of 08:22, 22 March 2014

Line 4:

Line 4:

 

== Summary ==

 

== Summary ==

 

 



Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication
portal
is visited. This is a convenience for the user.

+

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication
form
is visited. This is a convenience for the user.

 

<br>

 

<br>

 

 

 

== Description of the Issue ==  

 

== Description of the Issue ==  



Whilst a convenience for the user, having
the browser storing passwords is
also
a convenience for an attacker.<br>

+

Having
the browser storing passwords is
not only
a convenience
for end-users, but also
for an attacker.<br>
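Review bot: the new wording "Having the browser storing passwords is not only a convenience for end-users, but also for an attacker" is still ungrammatical; "Having the browser store passwords is not only a convenience for end-users but also for an attacker" reads correctly. The trailing "<br>" on this paragraph (and on the other paragraphs in this revision) is redundant in wiki markup, since a blank line already separates paragraphs, and it leaves an extra empty line when rendered.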



If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in
a fully
retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target
authentication portal
web
site
, entering the victim's username, and letting the browser to enter the password.<br>

+

If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in
an easily
retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web
application's authentication form
, entering the victim's username, and letting the browser to enter the password.<br>
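Review bot: "letting the browser to enter the password" is carried over unchanged from the old text and should be "letting the browser enter the password". The master-password sentence also overstates the case: autofill only hands the attacker the password while the browser's password store is already unlocked for that session (or when the store is not protected at all), so the sentence should say "if the store is unlocked" rather than implying that a master password gives no protection. For the XSS case it would help to state the mechanism, namely that script running on the target origin can read the autofilled value of the password field from the DOM once the browser has populated it.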

 

 

 

== Black Box testing and example ==

 

== Black Box testing and example ==

 

 



* Enter a username and password in the target authentication
portal
and determine whether the browser asks the user whether they want the password remembered.

+

* Enter a username and password in the target authentication
form
and determine whether the browser asks the user whether they want the password remembered.
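Review bot: this step is only meaningful if the tester's browser has password saving enabled and the form is actually submitted, neither of which the text states; suggest "submit a username and password in the target authentication form from a browser with password saving enabled and determine whether the browser offers to remember the password". Since browsers differ in when they prompt, the step should also say to repeat it in more than one browser before concluding that the form is protected.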



* View the authentication
portal
's HTML source code and look for the autocomplete="off" attribute in the password form field. The code for this
will usually be along
the following
lines
:

+

* View the authentication
form
's HTML source code and look for the autocomplete="off" attribute in the password form field. The code for this
may resemble
the following:

 

<pre>

 

<pre>

 

<INPUT TYPE="password" AUTOCOMPLETE="off">

 

<INPUT TYPE="password" AUTOCOMPLETE="off">

 

</pre>

 

</pre>
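Review bot: the example tag is uppercase and has no NAME attribute, so a tester who greps a real page for the literal autocomplete="off" will miss AUTOCOMPLETE="off" and vice versa; the bullet should state that the attribute and its value are case-insensitive and show a realistic field such as <input type="password" name="password" autocomplete="off">. The attribute may also be placed on the <form> element rather than on the individual field, in which case it applies to every field in the form, so the source inspection needs to cover both places. Finally, the attribute is only a hint that browsers are free to ignore, so the first bullet (observing whether the browser actually offers to save the password) remains the authoritative check and the HTML inspection should be presented as supporting evidence only.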



*
Also look
for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in
cleartext
, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.   

+

*
Look
for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in
clear text
, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not sent together with every request to the application.   
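Review bot: "Verify that the credentials are not stored in clear text, but are hashed" sets too low a bar and is inconsistent with the Remediation section below, which talks only about clear-text storage: a hash of the password in a cookie is still a replayable bearer credential, and with a fast unsalted algorithm it is also recoverable offline by dictionary attack. The check should be that the password does not appear in any cookie in any form, with the application relying on a random session identifier instead. The phrase "attempt several usernames to check whether the hash function is easily guessable" is also vague; suggest "create several accounts with known passwords and compare the resulting cookie values to see whether the hash is unsalted, truncated or otherwise predictable".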



*
Also look
for other areas where a password may be entered, e.g. a
Change Password
form.

+

*
Look
for other areas where a password may be entered
(and hence be remembered by the browser)
, e.g. a
change password
form.



*
Also consider
other sensitive form fields (e.g. an answer to a secret question
, used for Forgotten Password forms
).

+

*
Consider
other sensitive form fields (e.g. an answer to a secret question
that must be entered in a password recovery or account unlock form
).
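Review bot: these two bullets tell the tester where else to look but not what to check there; suggest stating explicitly that the same two checks (does the browser offer to save the value, and is autocomplete="off" set on the field or its form) are repeated for every such field, including both the current-password and new-password fields of a change password form and the answer field of a password recovery or account unlock form.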

 

 

 

== Remediation ==

 

== Remediation ==

 

 



Any fields that contain sensitive information and passwords should be flagged in the HTML with AUTOCOMPLETE=”off”.<br>

+

Any fields that contain sensitive information and passwords should be flagged in the HTML
source code
with AUTOCOMPLETE=”off”.<br>
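Review bot: AUTOCOMPLETE=”off” uses typographic quotes on both sides of the change; anyone copying it into HTML gets an attribute value of ”off” (including the curly quotes), which the browser will not recognise. Replace them with straight quotes so the text matches the <pre> example in the testing section, and say that the attribute can be set on the individual sensitive field or on the enclosing <form> element to cover every field in it.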



Moreover no credentials
have
to be stored
,
in
cleartext, into
cookies.

+

Moreover no credentials
should
to be stored in
clear text in
cookies.
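Review bot: "no credentials should to be stored" is ungrammatical after the change; it should read "no credentials should be stored". The qualifier "in clear text" also weakens the recommendation, since it implies that a hashed password in a cookie is acceptable; suggest "Moreover, credentials should not be stored in cookies at all; the application should issue a random session identifier instead."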
