Difference between revisions of "Top 10 2013-A2-Broken Authentication and Session Management"

From OWASP
Jump to: navigation, search
m (Added < /br > in References)
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Top_10_2013:TopTemplate
 
{{Top_10_2013:TopTemplate
 
     |usenext=2013NextLink
 
     |usenext=2013NextLink
     |next={{Top_10_2010:ByTheNumbers
+
     |next=A3-{{Top_10_2010:ByTheNumbers
 
               |3
 
               |3
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 
     |useprev=2013PrevLink
 
     |useprev=2013PrevLink
     |prev={{Top_10_2010:ByTheNumbers
+
     |prev=A1-{{Top_10_2010:ByTheNumbers
 
               |1
 
               |1
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 +
    |year=2013
 +
    |language=en
 
}}
 
}}
  
{{Top_10_2010:SummaryTableHeaderBeginTemplate}}
+
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE}}
+
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=1|detectability=2|impact=1|year=2013|language=en}}
{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|WIDESPREAD}}
+
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE}}
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
{{Top_10_2010:SummaryTableValue-1-Template|Impact|SEVERE}}
+
Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.
{{Top_10_2010:SummaryTableHeaderEndTemplate}}
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.
+
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
 +
Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
 +
 
 
</td>
 
</td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
 +
Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
 +
 
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such flaws may allow some or even <u>all</u> accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
 +
Such flaws may allow some or even <u>all</u> accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.
 +
 
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the affected data or application functions.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>
 +
Consider the business value of the affected data or application functions.
 +
 
 
Also consider the business impact of public exposure of the vulnerability.
 
Also consider the business impact of public exposure of the vulnerability.
 +
 
</td>
 
</td>
{{Top_10_2010:SummaryTableEndTemplate}}
+
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}
  
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=2|year=2013}}
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=2|year=2013|language=en}}
The primary assets to protect are credentials and session IDs.
+
Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:
# Are credentials always protected when stored using hashing or encryption? See A6.
+
# User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
# Can credentials be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs)?
+
# Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
# Are session IDs exposed in the URL (e.g., URL rewriting)?
+
# Session IDs are exposed in the URL (e.g., URL rewriting).
# Are session IDs vulnerable to [https://www.owasp.org/index.php/Session_fixation session fixation] attacks?
+
# Session IDs are vulnerable to [https://www.owasp.org/index.php/Session_fixation session fixation] attacks.
# Do session IDs timeout and can users log out?
+
# Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on  (SSO) tokens, aren’t properly invalidated during logout.
# Are session IDs rotated after successful login?
+
# Session IDs aren’t rotated after successful login.
# Are passwords, session IDs, and other credentials sent only over TLS connections? See [[Top 10 2013-A6 | A6]].
+
# Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.
 
See the [https://www.owasp.org/index.php/ASVS ASVS] requirement areas V2 and V3 for more details.
 
See the [https://www.owasp.org/index.php/ASVS ASVS] requirement areas V2 and V3 for more details.
  
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=2|year=2013}}
+
 
 +
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=2|year=2013|language=en}}
 
The primary recommendation for an organization is to make available to developers:
 
The primary recommendation for an organization is to make available to developers:
 
# '''A single set of strong authentication and session management controls.''' Such controls should strive to:
 
# '''A single set of strong authentication and session management controls.''' Such controls should strive to:
## meet all the authentication and session management requirements defined in OWASP’s [https://www.owasp.org/index.php/ASVS Application Security Verification Standard] (ASVS) areas V2 (Authentication) and V3 (Session Management).
+
## meet all the authentication and session management requirements defined in OWASP’s [https://www.owasp.org/index.php/ASVS Application Security Verification Standard] (ASVS) areas V2 (Authentication) and V3 (Session Management).
## have a simple interface for developers. Consider the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs] as good examples to emulate, use, or build upon.
+
## have a simple interface for developers. Consider the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs] as good examples to emulate, use, or build upon.
 
# Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
 
# Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
#blankBullet1
+
 
#blankBullet2
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2013|language=en}}
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2013}}
+
'''Scenario #1:''' Airline reservations application supports URL rewriting, putting session IDs in the URL:
blank
+
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">
{{Top_10_2010:ExampleBeginTemplate}}<span style="color:red;">blank code</span>{{Top_10_2010:ExampleEndTemplate}}
+
;jsessionid=2P0OC2JSNDLPSKHCJUN2JV</span>
blank
+
?dest=Hawaii
{{Top_10_2010:ExampleBeginTemplate}}<nowiki>http://example.com/app/accountView?id=</nowiki><span style="color: red;">' or '1'='1</span>{{Top_10_2010:ExampleEndTemplate}}
+
{{Top_10_2010:ExampleEndTemplate}}
blank
+
An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=2|year=2013}}
+
 
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
+
'''Scenario #2:''' Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
* [[SQL_Injection_Prevention_Cheat_Sheet | OWASP SQL Injection Prevention Cheat Sheet]]
+
 
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html ESAPI Encoder API]
+
'''Scenario #3:''' Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}
+
 
* [http://cwe.mitre.org/data/definitions/77.html CWE Entry 77 on Command Injection]
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=2|year=2013|language=en}}
* [http://cwe.mitre.org/data/definitions/89.html CWE Entry 89 on SQL Injection]
+
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}<br/>
 +
For a more complete set of requirements and problems to avoid in this area, see the [https://www.owasp.org/index.php/ASVS  ASVS requirements areas for Authentication (V2) and Session Management (V3)].
 +
* [https://www.owasp.org/index.php/Authentication_Cheat_Sheet  OWASP Authentication Cheat Sheet]
 +
* [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet  OWASP Forgot Password Cheat Sheet]
 +
* [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet  OWASP Session Management Cheat Sheet]
 +
* [https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet  OWASP Development Guide: Chapter on Authentication]
 +
* [https://www.owasp.org/index.php/Testing_for_authentication  OWASP Testing Guide: Chapter on Authentication]
 +
 
 +
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|language=en}}
 +
* [http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]
 +
* [http://cwe.mitre.org/data/definitions/384.html CWE Entry 384 on Session Fixation]
  
 
{{Top_10_2013:BottomAdvancedTemplate
 
{{Top_10_2013:BottomAdvancedTemplate
 
     |type={{Top_10_2010:StyleTemplate}}
 
     |type={{Top_10_2010:StyleTemplate}}
 
     |usenext=2013NextLink
 
     |usenext=2013NextLink
     |next={{Top_10_2010:ByTheNumbers
+
     |next=A3-{{Top_10_2010:ByTheNumbers
 
               |3
 
               |3
               |year=2013}}
+
               |year=2013
 +
              |language=en}}
 
     |useprev=2013PrevLink
 
     |useprev=2013PrevLink
     |prev={{Top_10_2010:ByTheNumbers
+
     |prev=A1-{{Top_10_2010:ByTheNumbers
 
               |1
 
               |1
               |year=2013}}}}
+
               |year=2013
 
+
              |language=en}}
[[Category:OWASP Top Ten Project]]
+
    |year=2013
 +
    |language=en
 +
}}

Latest revision as of 15:52, 23 June 2013

← A1-Injection
2013 Table of Contents

2013 Top 10 List

A3-Cross-Site Scripting (XSS) →
Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
Application Specific Exploitability
AVERAGE
Prevalence
WIDESPREAD
Detectability
AVERAGE
Impact
SEVERE
Application / Business Specific

Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.

Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Consider the business value of the affected data or application functions.

Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable To 'Broken Authentication and Session Management'?

Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:

  1. User authentication credentials aren’t protected when stored using hashing or encryption. See A6.
  2. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
  3. Session IDs are exposed in the URL (e.g., URL rewriting).
  4. Session IDs are vulnerable to session fixation attacks.
  5. Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
  6. Session IDs aren’t rotated after successful login.
  7. Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.

See the ASVS requirement areas V2 and V3 for more details.


How Do I Prevent 'Broken Authentication and Session Management'?

The primary recommendation for an organization is to make available to developers:

  1. A single set of strong authentication and session management controls. Such controls should strive to:
    1. meet all the authentication and session management requirements defined in OWASP’s Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
    2. have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.
  2. Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
Example Attack Scenarios

Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems
jsessionid=2P0OC2JSNDLPSKHCJUN2JV

?dest=Hawaii

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2: Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3: Insider or external attacker gains access to the system’s password database. User passwords are not properly hashed, exposing every users’ password to the attacker.

References

OWASP
For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3).

External

← A1-Injection
2013 Table of Contents

2013 Top 10 List

A3-Cross-Site Scripting (XSS) →

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png