OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods

From OWASP
Latest revision as of 19:32, 15 November 2013


Weak HTTP Authentication Methods

Root Cause Summary

Usage of weak HTTP authentication methods makes it easy for an attacker to intercept login credentials, replay them to other hosts, and trick users into providing the credentials to the wrong location. Basic and Digest are considered weak authentication methods: Basic merely base64-encodes the credentials (an encoding, not encryption), so intercepted traffic yields the password directly, and it is the less favorable of the two.

Browser / Standards Solution

Define a replacement for HTTP authentication methods that includes at least the following properties:

  • Clearly identifies the host that is requesting authentication credentials.
  • Does not allow authentication over clear-text channels unless the authentication protocol specifically addresses eavesdropping.
  • Does not allow authentication transactions to be replayed or authorization tokens to be reused.
  • Provides browser chrome which is hard to spoof, with provisions for user-specific images similar to SiteKey or other implementations. Images may be specified by the requesting site, the user profile on the browser, or both.
  • Does not allow cross-domain authentication requests by default. If cross-domain authentication is desired by a parent site, a whitelist of domains which are allowed to request authentication should be defined by CSP or a similar site policy.

Perimeter Solution

Disable and block all HTTP authentication methods (Basic and Digest included) so that only forms-based authentication and SSL client certificates are allowed.

Whitelist or proxy all inlined content so that embedded third-party resources cannot issue malicious authentication challenges to the user.

Generic Framework Solution

Implement support for the features of the new standards-based solution, as necessary.

Require a whitelist for all inlined third-party content, or load the content by proxy, in order to block malicious authentication requests.
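As an added example (not part of the OWASP page), the following Python audit ties together the root cause summary above with the perimeter and framework solutions: it decodes a Basic credential to show that base64 is not encryption, flags weak schemes and credentials sent over clear-text HTTP, and reports authentication challenges coming from hosts outside a whitelist, as a proxy or log scanner would. The host whitelist, the header dictionaries and the sample exchanges are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Assumed site policy (not from the page): only these hosts may challenge users for credentials.
ALLOWED_AUTH_HOSTS = {"app.example.com"}
# Schemes the page classifies as weak: Basic merely base64-encodes, Digest can be replayed.
WEAK_SCHEMES = {"basic", "digest"}


def decode_basic(value):
    """Recover user and password from a Basic credential: base64 is encoding, not encryption."""
    try:
        raw = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def audit_exchange(url, request_headers, response_headers):
    """Return findings for one HTTP exchange; header dicts use canonical header names."""
    findings, parts = [], urlsplit(url)
    host, cleartext = parts.hostname, parts.scheme == "http"
    scheme, _, param = request_headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme in WEAK_SCHEMES:
        findings.append(f"weak scheme {scheme} used for {host}")
        if cleartext:
            findings.append("credentials sent over clear-text HTTP: interceptable")
        if scheme == "basic" and (creds := decode_basic(param)):
            findings.append(f"basic credential recoverable, user '{creds[0]}'")
    challenge = response_headers.get("WWW-Authenticate", "")
    if challenge:
        chal_scheme = challenge.split(" ", 1)[0].lower()
        if chal_scheme in WEAK_SCHEMES:
            findings.append(f"weak challenge scheme {chal_scheme} from {host}")
        if host not in ALLOWED_AUTH_HOSTS:
            findings.append(f"auth challenge from non-allowlisted host {host}: block or proxy")
    return findings


# Constructed sample exchanges (not real traffic): a Basic login over HTTP, an inlined
# third-party resource that challenges for credentials, and a token request over HTTPS.
SAMPLE_EXCHANGES = [
    ("http://app.example.com/admin", {"Authorization": "Basic YWxpY2U6cGFzc3dvcmQxMjM="}, {}),
    ("https://cdn.thirdparty.test/widget.js", {}, {"WWW-Authenticate": 'Basic realm="widget"'}),
    ("https://app.example.com/api", {"Authorization": "Bearer opaque-token"}, {}),
]


def run_audit(exchanges=SAMPLE_EXCHANGES):
    return {url: audit_exchange(url, req, resp) for url, req, resp in exchanges}
```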

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

SiteKey is a server-side technique for authenticating the server to the user; it does not authenticate the user to the server.

References

HTTP Authentication: Basic and Digest Access Authentication (IETF) - http://tools.ietf.org/html/rfc2617
Authentication Cheat Sheet (OWASP) - https://www.owasp.org/index.php/Authentication_Cheat_Sheet
BofA Site Key - https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go
IETF RESTful auth proposal - https://tools.ietf.org/html/draft-williams-http-rest-auth-01
IETF HTTP Authentication Proposals - http://datatracker.ietf.org/wg/httpauth/
Fast Identity Online (FIDO) Alliance - http://fidoalliance.org/