2013-06-13


Revision as of 19:41, 13 June 2013

(One intermediate revision by one user not shown)

Line 17:

Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.





Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.



Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.



Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.



Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

{{Top_10_2010:SummaryTableEndTemplate|year=2013}}

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=2|year=2013|language=en}}



- Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:
+ The primary assets to protect are credentials and session IDs.



- # User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
+ # Are credentials always protected when stored using hashing or encryption? See A6.



- # Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
+ # Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?



- # Session IDs are exposed in the URL (e.g., URL rewriting).
+ # Are session IDs exposed in the URL (e.g., URL rewriting)?



- # Session IDs are vulnerable to [https://www.owasp.org/index.php/Session_fixation session fixation] attacks.
+ # Are session IDs vulnerable to [https://www.owasp.org/index.php/Session_fixation session fixation] attacks?



- # Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
+ # Do session IDs timeout and can users log out?



- # Session IDs aren’t rotated after successful login.
+ # Are session IDs rotated after successful login?



- # Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.
+ # Are passwords, session IDs, and other credentials sent only over TLS connections? See [[Top 10 2013-A6 | A6]].



See the [https://www.owasp.org/index.php/ASVS ASVS] requirement areas V2 and V3 for more details.

+ {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=2|year=2013|language=en}}
+ The primary recommendation for an organization is to make available to developers:
+ # '''A single set of strong authentication and session management controls.''' Such controls should strive to:
+ ## meet all the authentication and session management requirements defined in OWASP’s [https://www.owasp.org/index.php/ASVS Application Security Verification Standard] (ASVS) areas V2 (Authentication) and V3 (Session Management).
+ ## have a simple interface for developers. Consider the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs] as good examples to emulate, use, or build upon.
+ # Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
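The checklist questions above (unguessable IDs, no fixation, timeouts, logout, rotation after login) and the recommendation to give developers one shared session-management control are illustrated by the following Python sketch. It is an added example, not code from the OWASP page and not the ESAPI API the page points to. The in-memory store, the `FakeClock`, and the 15-minute idle / 8-hour absolute timeout values are assumptions made for the demonstration; a real deployment would pick its own policy and a shared store.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions for this example; set them per application.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime ceiling, however active the user is


@dataclass
class Session:
    created: float
    last_seen: float
    user: Optional[str] = None   # None until authentication succeeds


class SessionStore:
    """Server-side store: unguessable IDs, rotation on login, idle and absolute
    timeouts, and explicit invalidation on logout."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # 128 bits from the OS CSPRNG; never a counter, timestamp or username.
        return secrets.token_urlsafe(16)

    def create(self) -> str:
        now = self._clock()
        sid = self.new_id()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Live session for sid, or None if unknown or expired. Expired entries
        are deleted on sight so a stale ID can never be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str) -> str:
        """Bind the user to a fresh ID and destroy the pre-login one, so an ID
        planted by an attacker before authentication (session fixation) never
        becomes an authenticated session."""
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid].user = user
        return new_sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the client's cookie alone is not logout.
        self._sessions.pop(sid, None)


class FakeClock:
    """Controllable clock so the timeouts can be exercised without waiting."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock)
    results = {}

    # Fixation: the attacker obtains a pre-auth ID and gets the victim to use it.
    planted = store.create()
    victim = store.login(planted, "alice")
    results["rotated_on_login"] = victim != planted
    results["planted_id_dead"] = store.get(planted) is None
    results["victim_authenticated"] = store.get(victim).user == "alice"

    # Idle timeout: the user walks away from a public browser without logging out.
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle_expired"] = store.get(victim) is None

    # Logout must kill the session server-side.
    sid = store.login(store.create(), "bob")
    store.logout(sid)
    results["logout_invalidated"] = store.get(sid) is None

    # Absolute timeout fires even for a session that is kept continuously active.
    sid = store.login(store.create(), "carol")
    step = IDLE_TIMEOUT - 60
    for _ in range(ABSOLUTE_TIMEOUT // step + 1):
        clock.advance(step)
        store.get(sid)
    results["absolute_expired"] = store.get(sid) is None
    return results
```

The point of `login()` returning a new ID is that the caller must set a new cookie; whatever ID the browser held before authentication, whether the attacker chose it or not, is gone from the store. Transport protection (Secure, HttpOnly cookie flags over TLS) is the other half and is covered under A6.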

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2013|language=en}}

'''Scenario #1:''' Airline reservations application supports URL rewriting, putting session IDs in the URL:



{{Top_10_2010:ExampleBeginTemplate|year=2013}}
http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
{{Top_10_2010:ExampleEndTemplate}}



An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
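A session ID in a URL leaks through every channel the URL travels: e-mail, bookmarks, browser history, proxy logs, and the Referer header of the next request. As an added example (not code from the OWASP page), the Python below finds session identifiers in URLs, both the `;jsessionid=` path parameter used in the link above and ordinary query parameters, reports where they surface in web-server access logs (request line and Referer), and produces a redacted form that is safe to log or share. The log lines are constructed for this example and the list of parameter names is an assumption to be extended for the frameworks in use.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Parameter names commonly used for session identifiers. Constructed list for
# this example; extend it for the frameworks actually deployed.
SESSION_PARAM_NAMES = frozenset({
    "jsessionid", "phpsessid", "asp.net_sessionid", "aspsessionid",
    "sid", "sessionid", "session_id", "cfid", "cftoken",
})

# Apache/nginx "combined" log format; constructed sample lines are in demo_lines().
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def _is_session_param(name: str) -> bool:
    return name.lower() in SESSION_PARAM_NAMES


def find_session_ids(url: str):
    """Return [(where, name, value)] for session identifiers carried in a URL.

    Handles Java-style URL rewriting (/path;jsessionid=...) as well as
    ordinary query parameters (?PHPSESSID=...)."""
    parts = urlparse(url)
    found = []
    for piece in parts.params.split(";"):
        name, sep, value = piece.partition("=")
        if sep and _is_session_param(name):
            found.append(("path", name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_session_param(name):
            found.append(("query", name, value))
    return found


def redact_session_ids(url: str) -> str:
    """Strip session identifiers so the URL can be logged or shared safely."""
    parts = urlparse(url)
    params = ";".join(
        p for p in parts.params.split(";")
        if p and not _is_session_param(p.partition("=")[0])
    )
    query = urlencode(
        [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
         if not _is_session_param(k)]
    )
    return urlunparse(parts._replace(params=params, query=query))


def scan_access_log(lines):
    """Return one finding per log line that leaks a session ID in the request
    target or in the Referer (the route an e-mailed link like Scenario #1 takes)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for where in ("target", "referer"):
            hits = find_session_ids(m.group(where))
            if hits:
                findings.append({
                    "client": m.group("client"),
                    "field": where,
                    "params": [name for _, name, _ in hits],
                    "redacted": redact_session_ids(m.group(where)),
                })
    return findings


def demo_lines():
    # Constructed log lines for this example; the first reuses the page's URL.
    return [
        '203.0.113.7 - - [13/Jun/2013:19:41:00 +0000] "GET /sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.2 - - [13/Jun/2013:19:42:10 +0000] "GET /sale/saleitems?dest=Hawaii HTTP/1.1" 200 5120 "http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii" "Mozilla/5.0"',
        '198.51.100.9 - - [13/Jun/2013:19:43:30 +0000] "GET /account?PHPSESSID=9a3f6c1e&tab=cards HTTP/1.1" 200 2048 "-" "curl/7.30"',
        '192.0.2.5 - - [13/Jun/2013:19:44:00 +0000] "GET /sale/saleitems?dest=Hawaii HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ]
```

The second constructed line shows the friend's click: the request itself is clean, but the Referer carries the original user's ID, which is why redaction has to apply to both fields and why the real fix is to disable URL rewriting and carry the ID only in a cookie.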


'''Scenario #2:''' Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.


'''Scenario #3:''' Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every user’s password to the attacker.
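What "not properly hashed" costs in practice, and what the alternative looks like, is shown by the following added example (not code from the OWASP page). The weak side is an unsalted single SHA-1, which lets an attacker who holds the stolen table hash a wordlist once and match it against every user at the same time. The hardened side uses salted PBKDF2-HMAC-SHA256 from Python's standard library with a self-describing record format and constant-time comparison; bcrypt, scrypt or Argon2 serve the same purpose. The wordlist, the credential table and the reduced iteration count used in `demo()` are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example; tune it
# to the slowest login latency you can tolerate and raise it over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


# --- The weak side described in Scenario #3: unsalted, fast hash ---------------

def weak_hash(password: str) -> str:
    """A single SHA-1 with no salt and no work factor. Identical passwords hash
    identically, and the whole table can be attacked with one pass."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak_table(stolen: dict, wordlist) -> dict:
    """Attacker's view: hash each wordlist entry once and look every user's
    stored value up in that table. Returns user -> recovered password."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stolen.items() if h in lookup}


# --- The hardened side: per-user salt, slow derivation, upgradable record -------

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store the parameters with the hash so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        expected = bytes.fromhex(digest_hex)
    except (ValueError, TypeError):
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    wordlist = ["123456", "password", "letmein", "Hawaii2013", "qwerty"]
    # Constructed credential table; 'carol' chose a password not in the wordlist.
    passwords = {"alice": "password", "bob": "Hawaii2013", "carol": "n0t-1n-any-l1st"}
    weak_table = {u: weak_hash(p) for u, p in passwords.items()}
    # Reduced iteration count so the demo runs quickly; production uses the constant.
    strong_table = {u: hash_password(p, iterations=20_000) for u, p in passwords.items()}
    return {
        "cracked_weak": crack_weak_table(weak_table, wordlist),
        "same_pw_same_weak_hash": weak_hash("password") == weak_table["alice"],
        "salted_hashes_differ": hash_password("password", 20_000) != strong_table["alice"],
        "verify_ok": verify_password("Hawaii2013", strong_table["bob"]),
        "verify_wrong": verify_password("hawaii2013", strong_table["bob"]),
        "verify_garbage": verify_password("x", "not-a-record"),
    }
```

With the salted scheme the attacker has to run the full derivation once per candidate per user, so the one-pass table attack that recovers alice and bob above no longer applies.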


{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=2|year=2013|language=en}}

{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}

For a more complete set of requirements and problems to avoid in this area, see the [https://www.owasp.org/index.php/ASVS ASVS requirements areas for Authentication (V2) and Session Management (V3)].



* [https://www.owasp.org/index.php/Authentication_Cheat_Sheet OWASP Authentication Cheat Sheet]
* [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet OWASP Forgot Password Cheat Sheet]
* [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet OWASP Session Management Cheat Sheet]
* [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet OWASP Development Guide: Chapter on Authentication]



* [https://www.owasp.org/index.php/Testing_for_authentication OWASP Testing Guide: Chapter on Authentication]



{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}



- * [http://cwe.mitre.org/data/definitions/77.html CWE Entry 77 on Command Injection]
+ * [http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]



- * [http://cwe.mitre.org/data/definitions/89.html CWE Entry 89 on SQL Injection]
+ * [http://cwe.mitre.org/data/definitions/384.html CWE Entry 384 on Session Fixation]



- * [http://cwe.mitre.org/data/definitions/564.html CWE Entry 564 on Hibernate Injection]

{{Top_10_2013:BottomAdvancedTemplate