Difference between revisions of "Top 10 2010-A3-Broken Authentication and Session Management"

From OWASP
Jump to: navigation, search
Line 2: Line 2:
  
 
<center>
 
<center>
{| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2;"
+
{| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"  
 
|- style="background-color: #4F81Bd; color: #000000;"
 
|- style="background-color: #4F81Bd; color: #000000;"
! Threat Agents !! Attack Vectors !! Security Weakness !! Weakness Detectability !! Technical Impact !! Business Impacts
+
! Threat Agents !! Attack Vectors
 +
! colspan="2" | Security Weakness
 +
! Technical Impact
 +
! Business Impacts
 
|-  
 
|-  
 
| style="background-color: #D9D9D9; color: #000000;" | ______
 
| style="background-color: #D9D9D9; color: #000000;" | ______
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
+
| style="background-color: #FFB200; color: #000000;" | Exploitability<br>AVERAGE
 
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
 
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
 
| style="background-color: #FFB200; color: #000000;" | Detectability<br>AVERAGE
 
| style="background-color: #FFB200; color: #000000;" | Detectability<br>AVERAGE
| style="background-color: #FF0000; color: #000000;" | Impact<br>SIMPLE
+
| style="background-color: #FF0000; color: #000000;" | Impact<br>SEVERE
 
| style="background-color: #D9D9D9; color: #000000;" | ______
 
| style="background-color: #D9D9D9; color: #000000;" | ______
 
|-
 
|-
|
+
| style="text-align: left; border: 2px solid #FFFFFF;" | Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.
|  
+
| style="text-align: left; border: 2px solid #FFFFFF;" | Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
|  
+
| colspan="2" style="text-align: left;border: 2px solid #FFFFFF;" | Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
|  
+
| style="text-align: left; border: 2px solid #FFFFFF;" | Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
|  
+
| style="text-align: left; border: 2px solid #FFFFFF;" | Consider the business value of the affected data or application functions.
|  
+
 
 +
Also consider the business impact of public exposure of the vulnerability.
 
|}
 
|}
 
</center>
 
</center>
  
{{Top_10_2010:SubsectionVulnerableTemplate|Injection|a}}
+
{{Top_10_2010:SubsectionVulnerableTemplate|Broken Authentication and Session Management|
{{Top_10_2010:SubsectionPreventionTemplate|Injection|b}}
+
The primary assets to protect are credentials and session IDs.
{{Top_10_2010:SubsectionExampleTemplate|Injection|c}}
+
#Are credentials always protected when stored using hashing or encryption? See A7.
{{Top_10_2010:SubsectionReferencesTemplate|Injection|d|e}}
+
#Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
 +
#Are session IDs exposed in the URL (e.g., URL rewriting)?
 +
#Are session IDs vulnerable to session fixation attacks?
 +
#Do session IDs timeout and can users log out?
 +
#Are session IDs rotated after successful login?
 +
#Are passwords, session IDs, and other credentials sent only over TLS connections? See A9.
  
 +
See the [[http://www.owasp.org/index.php/ASVS#tab=Download ASVS]] requirement areas V2 and V3 for more details.
 +
}}
 +
 +
{{Top_10_2010:SubsectionPreventionTemplate|Broken Authentication and Session Management|
 +
 +
}}
 +
 +
{{Top_10_2010:SubsectionExampleTemplate|Broken Authentication and Session Management|}}
 +
 +
 +
{{Top_10_2010:SubsectionReferencesTemplate|Broken Authentication and Session Management|
 +
 +
|
  
{{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+
}}
 +
<br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

Revision as of 19:13, 18 April 2010

««««
Top 10 Introduction
Top 10 Risks
»»»»
Threat Agents Attack Vectors Security Weakness Technical Impact Business Impacts
______ Exploitability
AVERAGE
Prevalence
COMMON
Detectability
AVERAGE
Impact
SEVERE
______
Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions. Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users. Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique. Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted. Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable to Broken Authentication and Session Management?

The primary assets to protect are credentials and session IDs.

  1. Are credentials always protected when stored using hashing or encryption? See A7.
  2. Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
  3. Are session IDs exposed in the URL (e.g., URL rewriting)?
  4. Are session IDs vulnerable to session fixation attacks?
  5. Do session IDs timeout and can users log out?
  6. Are session IDs rotated after successful login?
  7. Are passwords, session IDs, and other credentials sent only over TLS connections? See A9.

See the [ASVS] requirement areas V2 and V3 for more details.


How Do I Prevent Broken Authentication and Session Management?

Example Attack Scenarios

References


««««
Top 10 Introduction
Top 10 Risks
»»»»

© 2002-2010 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png