Revision as of 17:59, 26 August 2008 by EoinKeary (Talk | contribs)



“Who are you?” Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.

Depending on your requirements, there are several available authentication mechanisms to choose from. If they are not correctly chosen and implemented, the authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.

The following discusses aspects of source code relating to weak authentication functionality, which can result from a flawed implementation or from broken business logic. Authentication is a key line of defence in protecting non-public data and sensitive functionality.

Weak Passwords and password functionality

Password strength should be enforced when a user sets or selects a password. Passwords should be complex in composition. Such checks must be performed on the backend/server side of the application when a new password is submitted.

Bad Example

Simply checking that a password is not null is not sufficient:

String password = request.getParameter("Password");
if (password == null) {
    throw new InvalidPasswordException();  // the only check: any non-null value is accepted
}

Good Example

Passwords should be checked for the following composition, or a variation of it:

at least: 1 Upper character (A-Z)
at least: 1 Lower character (a-z)
at least: 1 digit (0-9)
at least one special character (!"£$%&...)
a defined minimum length (8 chars)
a defined maximum length (as with all external input)

no contiguous characters (123abcd)
not more than 2 identical characters in a row (1111)

Such rules should be looked for in code and applied as soon as the HTTP request is received. The rules can be complex regular expressions or logical code statements:

// each matches() call requires at least one character of the class; length is bounded separately
if (password.matches(".*[a-z].*")
        && password.matches(".*[A-Z].*")
        && password.matches(".*[0-9].*")
        && password.length() >= 8 && password.length() <= 30
        && password.matches(".*[!\"£$%^&*()].*")) {
    return true;
}
return false;
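The composition rules above, implemented as a complete server-side check in Java. This is an added example, not code from the guide; the class and method names, the maximum length of 64 and the sequence length of 3 are assumptions.

```java
import java.util.regex.Pattern;

/** Server-side password composition policy (added example; not the guide's own code). */
public final class PasswordPolicy {
    static final int MIN_LENGTH = 8;   // from the guide
    static final int MAX_LENGTH = 64;  // assumed: the guide only asks for "a defined maximum"
    static final int MAX_REPEAT = 2;   // "not more than 2 identical characters in a row"
    private static final Pattern UPPER   = Pattern.compile("[A-Z]");
    private static final Pattern LOWER   = Pattern.compile("[a-z]");
    private static final Pattern DIGIT   = Pattern.compile("[0-9]");
    private static final Pattern SPECIAL = Pattern.compile("[!\"£$%^&*()]");

    /** True only if every composition rule holds; null is rejected like any other failure. */
    public static boolean isAcceptable(String password) {
        if (password == null) return false;
        int n = password.length();
        if (n < MIN_LENGTH || n > MAX_LENGTH) return false;  // bound all external input
        if (!UPPER.matcher(password).find() || !LOWER.matcher(password).find()
                || !DIGIT.matcher(password).find() || !SPECIAL.matcher(password).find()) {
            return false;
        }
        return !hasRepeat(password, MAX_REPEAT) && !hasSequence(password, 3);
    }

    /** True if some character occurs more than 'max' times in a row, e.g. "1111". */
    static boolean hasRepeat(String s, int max) {
        int run = 1;
        for (int i = 1; i < s.length(); i++) {
            run = (s.charAt(i) == s.charAt(i - 1)) ? run + 1 : 1;
            if (run > max) return true;
        }
        return false;
    }

    /** True if 'len' or more characters step by one code point, e.g. "123", "abcd" or "cba". */
    static boolean hasSequence(String s, int len) {
        int up = 1, down = 1;
        for (int i = 1; i < s.length(); i++) {
            int d = s.charAt(i) - s.charAt(i - 1);
            up   = (d == 1)  ? up + 1   : 1;
            down = (d == -1) ? down + 1 : 1;
            if (up >= len || down >= len) return true;
        }
        return false;
    }

    public static void main(String[] args) {   // constructed sample inputs
        for (String p : new String[] { "Tr0ub&dorX", "Ab1!", "Abc1234!x", "Aaa1111!b" })
            System.out.println(p + " -> " + (isAcceptable(p) ? "accepted" : "rejected"));
    }
}
```

Of the four samples only the first is accepted; the others fail the length, contiguous-character and repeated-character rules respectively.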


.NET Authentication controls

In .NET, authentication is configured through elements in the application's configuration file (Web.config, with defaults inherited from Machine.config).

The <authentication> element configures the authentication mode that your applications use.


The appropriate authentication mode depends on how your application or Web service has been designed. The default Machine.config setting applies a secure Windows authentication default as shown below.

The mode attribute of <authentication> takes one of the values Windows, Forms, Passport or None:

<authentication mode="Windows" />

Forms Authentication Guidelines

To use Forms authentication, set mode="Forms" on the <authentication> element. Next, configure Forms authentication using the child <forms> element. The following fragment shows a secure <forms> authentication element configuration:

<authentication mode="Forms">
  <!-- loginUrl:          login page in an SSL protected folder
       protection:        privacy and integrity
       requireSSL:        prevents the cookie being sent over http
       timeout:           limited session lifetime
       name / path:       unique per-application cookie name and path
       slidingExpiration: sliding session lifetime -->
  <forms loginUrl="Restricted\login.aspx"
         protection="All"
         requireSSL="true"
         timeout="10"
         name="AppNameCookie"
         path="/FormsAuth"
         slidingExpiration="true" />
</authentication>

Use the following recommendations to improve Forms authentication security:

  • Partition your Web site.
  • Set protection="All".
  • Use small cookie time-out values.
  • Consider using a fixed expiration period.
  • Use SSL with Forms authentication.
  • If you do not use SSL, set slidingExpiration="false".
  • Do not use the <credentials> element on production servers.
  • Configure the <machineKey> element.
  • Use unique cookie names and paths.

For classic ASP pages, authentication is usually performed manually by including the user information in session variables after validation against a DB, so you can look for something like:

Session ("UserId") = UserName
Session ("Roles") = UserRoles

Vulnerabilities related to authentication

There are many issues relating to authentication which utilise form fields. Inadequate field validation can give rise to the following issues:

  • SQL injection can be used to bypass authentication functionality and even add a malicious user to a system for future use. Data validation of all external input must be performed; this also applies to authentication fields.
  • Cross-site scripting can be used on the authentication page to perform identity theft, phishing and session hijacking attacks.
  • Bad/weak error handling can be used to establish the internal workings of the authentication functionality, such as giving insight into the database structure or into valid and invalid user IDs.