Test time synchronisation (OTG-LOG-001)
Without time synchronization across systems it is impossible to correlate events and actions.
In the event of a suspected or actual security incident, it will be necessary to aggregate information for all types of system component event logs and audit trails. This information is vital to investigations and forensic testing. If the web servers' time is adrift this can make event correlation much harder and may invalidate the information.
Incorrect time can also affect some business functions provided by applications that are time-dependent (e.g. deadlines for submissions, expiry of offers, time-limited access controls, auction bids). The modification of server time could be used in some attacks.
The HTTP headers returned by https://www.owasp.org/index.php/Main_Page are:
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
200 OK
If the tester's time is the same (e.g. 14:11 GMT+1) then the time is correctly synchronised. The degree of accuracy is application dependent, but it would be unusual to be more than a minute or so adrift for any server that uses robust reference time sources.
Time should be checked at all locations where the application exposes such information:
- Date HTTP header (as above)
- User-visible audit trail timestamps
- Last modified dates/times displayed after additions or updates are made
- Last logged in data where the time is included as well as the day
- Accessible event logs
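The Date header comparison described above can be scripted so that time zones and request latency do not distort the result. This is an added example, not part of the original test case; the 60-second tolerance, the function names and the tester clock readings are assumptions, and the tester's own clock is assumed to be synchronised to a trusted source.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

TOLERANCE = timedelta(seconds=60)  # assumption: "a minute or so", per the text

def server_date(raw_headers):
    """Return the Date header as an aware UTC datetime, or None if missing/invalid."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            try:
                parsed = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                return None
            if parsed.tzinfo is None:  # "-0000" or no zone: HTTP dates are GMT
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    return None

def clock_skew(raw_headers, sent_at, received_at):
    """Server time minus tester time at the midpoint of the request.

    sent_at/received_at are timezone-aware readings of the tester's clock, which
    is assumed to be synchronised to a trusted source itself.
    """
    server = server_date(raw_headers)
    if server is None:
        return None
    midpoint = sent_at + (received_at - sent_at) / 2
    return server - midpoint  # aware datetimes compare in absolute time

def is_synchronised(skew, tolerance=TOLERANCE):
    """True only when a skew was measured and it is within tolerance."""
    return skew is not None and abs(skew) <= tolerance

# Headers from the response shown above (trimmed) plus two constructed variants.
PAGE_HEADERS = "Date: Tue, 15 Oct 2013 14:11:09 GMT\nServer: Apache\n"
DRIFTED_HEADERS = "Date: Tue, 15 Oct 2013 14:16:39 GMT\nServer: Apache\n"  # constructed
NO_DATE_HEADERS = "Server: Apache\nContent-Language: en\n"  # constructed

# Constructed tester clock readings in a UTC+01:00 zone, taken around the request.
UTC_PLUS_1 = timezone(timedelta(hours=1))
SENT = datetime(2013, 10, 15, 15, 11, 8, 800000, tzinfo=UTC_PLUS_1)
RECEIVED = datetime(2013, 10, 15, 15, 11, 9, 200000, tzinfo=UTC_PLUS_1)

if __name__ == "__main__":
    for label, headers in [("page", PAGE_HEADERS), ("drifted", DRIFTED_HEADERS), ("no Date", NO_DATE_HEADERS)]:
        skew = clock_skew(headers, SENT, RECEIVED)
        print(label, skew, "OK" if is_synchronised(skew) else "CHECK")
```

A missing or unparseable Date header is reported as unmeasured rather than as zero skew, so it is flagged for a manual check instead of passing silently.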
The test requires a web browser and the ability to examine HTTP headers.
Related Test Cases
- Logging Cheat Sheet, OWASP
- SP 800-92 Guide to Computer Security Log Management, NIST
- PCI DSS v2.0 Requirement 10 and PA-DSS v2.0 Requirement 4, PCI Security Standards Council
- NTP: The Network Time Protocol
Ensure the application, application servers, web servers and other supporting infrastructure are configured to synchronize their time with trusted reference time sources.