Difference between revisions of "Testing for authentication"

From OWASP
Jump to: navigation, search
(Final edit)
(8 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v3}}
+
{{Template:OWASP Testing Guide v4}}
  
 
''' 4.5 Authentication Testing '''
 
''' 4.5 Authentication Testing '''
 
----
 
----
 +
  
 
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying her identity. Authentication depends upon one or more authentication factors.
 
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying her identity. Authentication depends upon one or more authentication factors.
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication.  A common example of such a process is the logon process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
 
  
[[Testing for credentials transport (OWASP-AT-001)|4.4.1 Credentials transport over an encrypted channel (OWASP-AT-001)]]<br>
 
Here, the tester will just try to understand if the data that users put into the web form, in order to log into a web site, are transmitted using secure protocols that protect them from an attacker or not. 
 
  
[[Testing for user enumeration  (OWASP-AT-002)|4.4.2 Testing for user enumeration (OWASP-AT-002)]]<br>
+
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication.  A common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
The scope of this test is to verify if it is possible to collect a set of valid users by interacting with the authentication mechanism of the application. This test will be useful for the brute force testing, in which we verify if, given a valid username, it is possible to find the corresponding password.  
+
 
 +
 
 +
[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel  (OTG-AUTHN-001)]]  
 +
 
 +
[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]]
  
[[Testing for Default or Guessable User Account (OWASP-AT-003)|4.4.3 Testing for Guessable (Dictionary) User Account (OWASP-AT-003)]]<br>
+
[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]]
Here we test if there are default user accounts or guessable username/password combinations (dictionary testing)
+
  
[[Testing for Brute Force (OWASP-AT-004)|4.4.4 Brute Force Testing (OWASP-AT-004)]]<br>
+
[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]]  
When a dictionary type attack fails, a tester can attempt to use brute force methods to gain authentication.  Brute force testing is not easy to accomplish for testers because of the time required and the possible lockout of the tester.
+
  
[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.4.5 Testing for bypassing authentication schema (OWASP-AT-005)]]<br>
+
[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]]  
Other passive testing methods attempt to bypass the authentication schema by recognizing that not all of the application's resources are adequately protected.  The tester can access these resources without authentication.
+
  
[[Testing for Vulnerable Remember Password and Pwd Reset  (OWASP-AT-006)|4.4.6 Testing for vulnerable remember
+
[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]]  
password and pwd reset (OWASP-AT-006)]]<br>
+
Here we test how the application manages the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).
+
  
[[Testing for Logout and Browser Cache Management|4.4.7 Testing for Logout and Browser Cache Management (OWASP-AT-007)]]<br>
+
[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]]  
Here we check that the logout and caching functions are properly implemented.
+
  
[[Testing for Captcha|4.4.8 Testing for CAPTCHA (OWASP-AT-008)]]<br>
+
[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]]  
CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. CAPTCHA implementations are often vulnerable to various kinds of attacks even if the generated CAPTCHA is unbreakable. This section will help you to identify these kinds of attacks.
+
  
[[Testing Multiple Factors Authentication|4.4.9 Testing Multiple Factors Authentication (OWASP-AT-009)]]<br>
+
[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]]  
Multiple Factors Authentication means to test the following scenarios: One-time password (OTP) generator tokens, Crypto devices like USB tokens or smart cards, equipped with X.509 certificates, Random OTP sent via SMS, Personal information that only the legitimate user is supposed to know [OUTOFWALLET].
+
  
[[Testing_for_Race_Conditions|4.4.10 Testing for Race Conditions (OWASP-AT-010)]]<br>
+
[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]]
A race condition is a flaw that produces an unexpected result when timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for.
+

Revision as of 09:04, 14 May 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


4.5 Authentication Testing



Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying her identity. Authentication depends upon one or more authentication factors.


In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication. A common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.


4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)

4.5.2 Testing for default credentials (OTG-AUTHN-002)

4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)

4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)

4.5.5 Test remember password functionality (OTG-AUTHN-005)

4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)

4.5.7 Testing for Weak password policy (OTG-AUTHN-007)

4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)

4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)

4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)