Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods"

From OWASP
Jump to: navigation, search
m
Line 4: Line 4:
  
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
Usage of weak HTTP authentication methods makes it easiy for an attacker to obtain logon credentials by intercepting the traffic
+
Usage of weak HTTP authentication methods makes it easy for an attacker to intercept login credentials, replay them to other hosts, and trick users into providing the credentials to the wrong location.
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===
None
+
Define a replacement for HTTP authentication methods that includes at least the following properties:
 +
* Clearly identifies the host that is requesting authentication credentials
 +
* Does not allow authentication over clear-text channels unless the authentication protocol specifically addresses eavesdropping.
 +
* Does not allow authentication transactions to be replayed or authorization tokens to be reused
 +
* Provides chrome which is hard to spoof, with provisions for user-specific images similar to SiteKey or other implementations. Images may be specified by the requesting site, the user profile on the browser, or both.
 +
* Does not allow cross-domain authentication requests by default. If cross-domain authentication is desired by a parent site, a white list of domains which are allowed to be authenticated should be defined by CSP or similar site policy.
  
 
=== Perimeter Solution ===
 
=== Perimeter Solution ===
* Disable the HTTP Basic Access Authentication Scheme
+
Disable and block all authentication methods so that only forms-based authentication and SSL client certificates are allowed.
* Enable Digest Authentication on the webserver
+
  
Complexity: Low<br>
+
Whitelist or proxy all inlined content in order to block malicious authentication requests.
Impact: Medium
+
  
 
=== Generic Framework Solution ===
 
=== Generic Framework Solution ===
None
+
Implement support for features of new standards-based solution, as necessary.
 +
 
 +
Require a whitelist for all inlined 3rd-party content, or load the content by proxy in order to block malicious authentication requests.
  
 
=== Custom Framework Solution ===
 
=== Custom Framework Solution ===
Line 30: Line 35:
 
=== References ===
 
=== References ===
 
[http://tools.ietf.org/html/rfc2617 HTTP Authentication: Basic and Digest Access Authentication (IETF)]<br>
 
[http://tools.ietf.org/html/rfc2617 HTTP Authentication: Basic and Digest Access Authentication (IETF)]<br>
[https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet (OWASP)]
+
[https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet (OWASP)]<br>
 +
[https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go BofA Site Key]

Revision as of 15:34, 15 May 2013

Return to Periodic Table Working View

Weak HTTP Authentication Methods

Root Cause Summary

Usage of weak HTTP authentication methods makes it easy for an attacker to intercept login credentials, replay them to other hosts, and trick users into providing the credentials to the wrong location.

Browser / Standards Solution

Define a replacement for HTTP authentication methods that includes at least the following properties:

  • Clearly identifies the host that is requesting authentication credentials
  • Does not allow authentication over clear-text channels unless the authentication protocol specifically addresses eavesdropping.
  • Does not allow authentication transactions to be replayed or authorization tokens to be reused
  • Provides chrome which is hard to spoof, with provisions for user-specific images similar to SiteKey or other implementations. Images may be specified by the requesting site, the user profile on the browser, or both.
  • Does not allow cross-domain authentication requests by default. If cross-domain authentication is desired by a parent site, a white list of domains which are allowed to be authenticated should be defined by CSP or similar site policy.

Perimeter Solution

Disable and block all authentication methods so that only forms-based authentication and SSL client certificates are allowed.

Whitelist or proxy all inlined content in order to block malicious authentication requests.

Generic Framework Solution

Implement support for features of new standards-based solution, as necessary.

Require a whitelist for all inlined 3rd-party content, or load the content by proxy in order to block malicious authentication requests.

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

References

HTTP Authentication: Basic and Digest Access Authentication (IETF)
Authentication Cheat Sheet (OWASP)
BofA Site Key