Test time synchronisation (OTG-LOG-001)

From OWASP
Revision as of 09:25, 15 October 2013 by Clerkendweller

Brief Description

Without time synchronization across systems it is impossible to correlate events and actions.

Issue

In the event of a suspected or actual security incident, it will be necessary to aggregate information from all types of system component event logs and audit trails. This information is vital to investigations and forensic testing. If the web servers' clocks are adrift, event correlation becomes much harder and the information may be invalidated.

Incorrect time can also affect some business functions provided by applications that are time-dependent (e.g. deadlines for submissions, expiry of offers, time-limited access controls, auction bids). The modification of server time could be used in some attacks.

Example

The HTTP headers returned by https://www.owasp.org/index.php/Main_Page are:

Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
200 OK

If the tester's time is the same (e.g. 14:11 GMT+1) then the time is correctly synchronised. The degree of accuracy is application dependent, but it would be unusual to be more than a minute or so adrift for any server that uses robust reference time sources.

Testing Method

Time should be checked at all locations where the application exposes such information:

  • Date HTTP header (as above)
  • User-visible audit trail timestamps
  • Last modified dates/times displayed after additions or updates are made
  • Last logged in data where the time is included as well as the day
  • Accessible event logs
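
The Date header check can be scripted. The following is an added example, not part of the original OWASP page: it parses the Date header from the response shown above and compares it with a trusted reference time supplied by the tester. It goes slightly beyond the page by also reading the standard Age header, because a response served from a shared cache carries the origin's original Date. The function names, the 60-second default tolerance and the tester clock reading are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Subset of the response headers from the page's example (Date line as published).
SAMPLE_HEADERS = """\
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
"""

def header_value(raw_headers, name):
    """Return the first value of header `name` (case-insensitive), or None."""
    for line in raw_headers.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def clock_skew(raw_headers, reference, tolerance_s=60):
    """Compare the server's Date header with a trusted reference time.

    `reference` must be timezone-aware; it is normalised to UTC so that a
    tester working in another zone does not mistake the UTC offset for drift.
    """
    if reference.tzinfo is None:
        raise ValueError("reference time must be timezone-aware")
    date_raw = header_value(raw_headers, "Date")
    if date_raw is None:
        raise ValueError("response has no Date header")
    server = parsedate_to_datetime(date_raw)
    # A shared cache replays the origin's Date and adds Age (in seconds),
    # so add the age back before comparing with "now".
    age = int(header_value(raw_headers, "Age") or 0)
    adjusted = server + timedelta(seconds=age)
    skew = (adjusted - reference.astimezone(timezone.utc)).total_seconds()
    return {"server_utc": server.isoformat(), "age_s": age,
            "skew_s": skew, "in_tolerance": abs(skew) <= tolerance_s}

if __name__ == "__main__":
    # Constructed tester clock reading: 15:11:40 in a UTC+1 zone = 14:11:40 UTC.
    tester = datetime(2013, 10, 15, 15, 11, 40,
                      tzinfo=timezone(timedelta(hours=1)))
    print(clock_skew(SAMPLE_HEADERS, tester))
```

The Date header has one-second resolution and the measurement includes network latency, so a difference of a second or two is not evidence of drift.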

Test Tools

A web browser with the ability to examine HTTP headers.

Related Test Cases

None.

Remediation

Ensure the application, application servers, web servers and other supporting infrastructure are configured to synchronize their time with trusted reference time sources.