Difference between revisions of "Testing for Weak lock out mechanism (OWASP-AT-004)"

Revision as of 08:16, 6 November 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.


Summary

Account lockout mechanisms are used to mitigate brute force password guessing attacks. Accounts are typically locked out after 3 to 5 unsuccessful login attempts and can only be unlocked after a predetermined period of time, via a self-service unlock mechanism, or by intervention of an administrator. Account lockout mechanisms require a balance between protecting accounts from unauthorised access and protecting users from being denied authorised access. Factors to consider when implementing an account lockout mechanism:

  1. What is the risk of brute force password guessing against the application?
  2. Is a CAPTCHA sufficient to mitigate this risk?
  3. How many unsuccessful logon attempts are allowed before lockout?
  4. How will accounts be unlocked?
    1. Manually by an administrator
    2. Automatically after a period of time. What is the lockout period?

Note that this test should cover all aspects of authentication where lockout mechanisms would be appropriate, e.g. when the user is presented with security questions during forgotten password mechanisms (see Testing for Weak security question/answer (OTG-AUTHN-008)).

Test objectives

Evaluate the account lockout mechanism's ability to mitigate brute force password guessing.

Evaluate the reactivation mechanism's resistance to unauthorised account reactivation.

How to test

  1. Determine the number of unsuccessful logon attempts allowed before lockout: using a known-valid test account, submit wrong passwords and count the failures until the application reports the account as locked. Then confirm the lock is genuine by submitting the correct password; a real lockout rejects it too.
  2. Determine how accounts are unlocked, and whether that path can be abused to reactivate an account without authorisation:
    1. Manually by an administrator
    2. Automatically after a period of time. What is the lockout period? Wait it out and confirm the valid password is accepted again, and check that the failure counter is kept on the account rather than being reset by starting a new session.

Example
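
The following is an added example for this section, not code from OWASP or from any real application. It shows the probe a tester would run against a login endpoint: it counts how many wrong passwords are accepted before the application answers "locked", checks that the lock also rejects the correct password, and then repeats the attack with a fresh session per attempt to detect a counter that is kept per session rather than per account (this last check goes beyond the numbered steps above). The target (`weak_login`, the `alice` account and its passwords) is a constructed, deliberately weak stand-in; against a real application the `login` callable would wrap an HTTP client and classify the response.

```python
"""Black-box probe of an account lockout mechanism.

Added example for this section; it is not code from OWASP or from any real
application. ``probe_lockout`` only needs a ``login(username, password, session)``
callable that returns "ok", "bad_credentials" or "locked", so the same logic can
be wrapped around a requests.Session against a real target. Here it is run
against a constructed, deliberately weak target whose failure counter lives in
the client session rather than on the account.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# ---- constructed stand-in for the application under test (hypothetical) ----
ACCOUNTS = {"alice": "correct-horse"}   # hypothetical test account
LOCKOUT_THRESHOLD = 5                   # failures the weak target allows before locking


@dataclass
class Session:
    """State a cookie-bound server session would hold for one client."""
    failures: int = 0
    locked: bool = False


def weak_login(username: str, password: str, session: Session) -> str:
    """Weak target: failures are counted per session, not per account."""
    if session.locked:
        return "locked"
    if ACCOUNTS.get(username) == password:
        session.failures = 0
        return "ok"
    session.failures += 1
    if session.failures >= LOCKOUT_THRESHOLD:
        session.locked = True
    return "bad_credentials"


# ---- the probe a tester would point at the real login endpoint ----
@dataclass
class ProbeResult:
    threshold: Optional[int]        # wrong passwords accepted before "locked"; None if never locked
    valid_password_rejected: bool   # True if a locked account rejects the correct password too
    fresh_session_bypasses: bool    # True if one new session per attempt never triggers lockout


def probe_lockout(login: Callable, username: str, bad_password: str,
                  good_password: str, new_session: Callable,
                  max_attempts: int = 20) -> ProbeResult:
    # 1. Hammer one session with wrong passwords, counting how many are accepted.
    session = new_session()
    threshold = None
    accepted = 0
    for _ in range(max_attempts):
        if login(username, bad_password, session) == "locked":
            threshold = accepted
            break
        accepted += 1

    # 2. A genuine lockout also refuses the correct password while locked.
    valid_rejected = threshold is not None and login(username, good_password, session) != "ok"

    # 3. Repeat the attack with a fresh session per attempt; if the counter is
    #    per session (or per IP), lockout never fires and the control is bypassed.
    attempts = (threshold or 0) + 5
    bypass = all(login(username, bad_password, new_session()) != "locked"
                 for _ in range(attempts))
    return ProbeResult(threshold, valid_rejected, bypass)


if __name__ == "__main__":
    print(probe_lockout(weak_login, "alice", "wrong-guess", "correct-horse", Session))
```

Against the weak stand-in the probe reports a threshold of 5 and that the correct password is rejected while locked, which looks sound until the third check shows that a new session per attempt never gets locked at all. When pointing this at a real application, the hard part is classifying the response: many applications return the same "invalid credentials" page whether the password is wrong or the account is locked, so the tester has to distinguish the two by status code, response length, timing, or by submitting the known-good password.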

Tools

References

Remediation

Implement a CAPTCHA on the account logon page to hinder automated password guessing.

Apply account reactivation mechanisms depending on the risk level. In order from lowest to highest assurance:

  1. Time-based lockout and reactivation
  2. Self-service reactivation (sends reactivation email to registered email address)
  3. Manual administrator reactivation
  4. Manual administrator reactivation with positive user identification
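
The following is an added example illustrating the lockout and reactivation options listed above; it is not OWASP's code or any library's API. It implements a per-account failure counter with a time-based lockout window (option 1) and a self-service reactivation token (option 2). Everything in it is hypothetical: the in-memory account store, the `now` callable injected so the lockout window can be exercised without sleeping, and the `outbox` list standing in for the e-mail sent to the registered address.

```python
"""Per-account lockout with time-based and self-service reactivation.

Added example illustrating the remediation list above; it is not OWASP's code
or a library API. Everything here is hypothetical: an in-memory account store,
a ``now`` callable injected so the lockout window can be tested without
sleeping, and an ``outbox`` list standing in for the e-mail channel that would
carry the reactivation token. Failures are counted on the account, so a new
session or source address does not reset them.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 5          # unsuccessful attempts before the account locks
LOCKOUT_SECONDS = 15 * 60      # time-based reactivation window
TOKEN_TTL_SECONDS = 60 * 60    # lifetime of a self-service reactivation token


@dataclass
class Account:
    password: str                # demo only: store a salted hash (bcrypt/argon2) in real code
    failures: int = 0
    locked_until: float = 0.0
    reactivation_token: Optional[str] = None
    token_expires: float = 0.0


class AuthService:
    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float] = time.time):
        self.accounts = accounts
        self.now = now
        self.outbox: List[Tuple[str, str]] = []   # (username, token) "e-mails"

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_credentials"    # same answer as a wrong password: no enumeration
        if acct.locked_until > self.now():
            return "locked"             # the valid password is rejected too while locked
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            acct.failures = 0           # a fresh window starts when the lock expires
            return "locked"
        return "bad_credentials"

    def request_reactivation(self, username: str) -> None:
        """Self-service unlock: single-use, expiring token sent to the registered address."""
        acct = self.accounts.get(username)
        if acct is None:
            return                      # silently ignore unknown users
        acct.reactivation_token = secrets.token_urlsafe(32)
        acct.token_expires = self.now() + TOKEN_TTL_SECONDS
        self.outbox.append((username, acct.reactivation_token))

    def reactivate(self, username: str, token: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reactivation_token is None:
            return False
        if acct.token_expires < self.now():
            acct.reactivation_token = None
            return False
        if not hmac.compare_digest(acct.reactivation_token.encode(), token.encode()):
            return False
        acct.reactivation_token = None  # single use
        acct.locked_until = 0.0
        acct.failures = 0
        return True


def demo() -> dict:
    """Walk through lockout, time-based unlock and token-based reactivation."""
    clock = [1_000_000.0]   # fake clock so the demo does not sleep
    svc = AuthService({"alice": Account("correct-horse")}, now=lambda: clock[0])
    r = {}
    r["fifth_attempt"] = [svc.login("alice", "wrong") for _ in range(5)][-1]
    r["valid_while_locked"] = svc.login("alice", "correct-horse")
    clock[0] += LOCKOUT_SECONDS + 1
    r["valid_after_window"] = svc.login("alice", "correct-horse")
    for _ in range(5):
        svc.login("alice", "wrong")
    svc.request_reactivation("alice")
    _, token = svc.outbox[-1]
    r["wrong_token"] = svc.reactivate("alice", "not-the-token")
    r["right_token"] = svc.reactivate("alice", token)
    r["token_reuse"] = svc.reactivate("alice", token)
    r["valid_after_reactivation"] = svc.login("alice", "correct-horse")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points are worth noting. A time-based window bounds an attacker to `LOCKOUT_THRESHOLD` guesses per `LOCKOUT_SECONDS` per account rather than stopping guessing outright, which is why the list above ranks it as the lowest-assurance option and why it should be paired with logging and alerting on repeated lockouts. The self-service token is generated with `secrets`, expires, is compared in constant time and is invalidated after one use, so that the reactivation path does not become an easier way to unlock an account than guessing the password was.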