Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Weak Authentication Methods"

Jump to: navigation, search
(One intermediate revision by one user not shown)
Line 38: Line 38:
[http://tools.ietf.org/html/rfc2617 HTTP Authentication: Basic and Digest Access Authentication (IETF)]<br>
[http://tools.ietf.org/html/rfc2617 HTTP Authentication: Basic and Digest Access Authentication (IETF)]<br>
[https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet (OWASP)]<br>
[https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet (OWASP)]<br>
[https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go BofA Site Key]
[https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go BofA Site Key]<br>
[https://tools.ietf.org/html/draft-williams-http-rest-auth-01 IETF RESTful auth proposal]<br>
[http://datatracker.ietf.org/wg/httpauth/ IETF HTTP Authentication Proposals]<br>
[http://fidoalliance.org/ Fast Identity Online (FIDO) Alliance]

Latest revision as of 19:32, 15 November 2013

Return to Periodic Table Working View


Weak HTTP Authentication Methods

Root Cause Summary

Usage of weak HTTP authentication methods makes it easy for an attacker to intercept login credentials, replay them to other hosts, and trick users into providing the credentials to the wrong location. Basic and Digest are considered weak authentication methods: Basic has a weak 'encryption' mechanism and is the least favorable authentication method of the two.

Browser / Standards Solution

Define a replacement for HTTP authentication methods that includes at least the following properties:

  • Clearly identifies the host that is requesting authentication credentials
  • Does not allow authentication over clear-text channels unless the authentication protocol specifically addresses eavesdropping.
  • Does not allow authentication transactions to be replayed or authorization tokens to be reused
  • Provides chrome which is hard to spoof, with provisions for user-specific images similar to SiteKey or other implementations. Images may be specified by the requesting site, the user profile on the browser, or both.
  • Does not allow cross-domain authentication requests by default. If cross-domain authentication is desired by a parent site, a white list of domains which are allowed to be authenticated should be defined by CSP or similar site policy.

Perimeter Solution

Disable and block all authentication methods so that only forms-based authentication and SSL client certificates are allowed.

Whitelist or proxy all inlined content in order to block malicious authentication requests.

Generic Framework Solution

Implement support for features of new standards-based solution, as necessary.

Require a whitelist for all inlined 3rd-party content, or load the content by proxy in order to block malicious authentication requests.

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

SiteKey is a server-side technique for authentication of the server.


HTTP Authentication: Basic and Digest Access Authentication (IETF)
Authentication Cheat Sheet (OWASP)
BofA Site Key
IETF RESTful auth proposal
IETF HTTP Authentication Proposals
Fast Identity Online (FIDO) Alliance