OWASP - User contributions [en]

Cornucopia - Ecommerce Website Edition - Wiki Deck

2016-05-17T19:44:41Z

Dariodf:

__NOTOC__
Wiki Card Deck conceived and created by Darío De Filippis.

= Versioning =

This wiki deck relates to version 1.10 EN of [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia] Ecommerce Website Edition (currently the only edition). The cards are available in other formats (DOC, PDF, print) from the main project pages.

The cross-references relate to the following versions of other OWASP and external resources:

* OWASP SCP [[OWASP_Secure_Coding_Practices_Checklist]] v2
* OWASP ASVS [[OWASP_Application_Security_Verification_Standard]] v2 (2014)
* OWASP AppSensor [[AppSensor_DetectionPoints]]
* CAPEC [https://capec.mitre.org Mitre Common Attack Pattern Enumeration and Classification] v1.7.1
* SAFECode [[SAFECode_Practical_Security_Stories|SAFECode Practical Security Stories and Security Tasks for Agile Development Environments]] July 2012

= Deck =

== <span style="padding:5px;background:#929292;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_VE|<span style="color:white;">Data validation and encoding (VE)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_VE_2|2]] [[Cornucopia_-_Ecommerce_Website_-_VE_3|3]] [[Cornucopia_-_Ecommerce_Website_-_VE_4|4]] [[Cornucopia_-_Ecommerce_Website_-_VE_5|5]] [[Cornucopia_-_Ecommerce_Website_-_VE_6|6]] [[Cornucopia_-_Ecommerce_Website_-_VE_7|7]] [[Cornucopia_-_Ecommerce_Website_-_VE_8|8]] [[Cornucopia_-_Ecommerce_Website_-_VE_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_VE_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_VE_J|J]] [[Cornucopia_-_Ecommerce_Website_-_VE_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_VE_K|K]] [[Cornucopia_-_Ecommerce_Website_-_VE_A|A]]</span>

== <span style="padding:5px;background:#73abcc;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AT|<span style="color:white;">Authentication (AT)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AT_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AT_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AT_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AT_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AT_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AT_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AT_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AT_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AT_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AT_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AT_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AT_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AT_A|A]]</span>

== <span style="padding:5px;background:#98c477;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_SM|<span style="color:white;">Session management (SM)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_SM_2|2]] [[Cornucopia_-_Ecommerce_Website_-_SM_3|3]] [[Cornucopia_-_Ecommerce_Website_-_SM_4|4]] [[Cornucopia_-_Ecommerce_Website_-_SM_5|5]] [[Cornucopia_-_Ecommerce_Website_-_SM_6|6]] [[Cornucopia_-_Ecommerce_Website_-_SM_7|7]] [[Cornucopia_-_Ecommerce_Website_-_SM_8|8]] [[Cornucopia_-_Ecommerce_Website_-_SM_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_SM_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_SM_J|J]] [[Cornucopia_-_Ecommerce_Website_-_SM_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_SM_K|K]] [[Cornucopia_-_Ecommerce_Website_-_SM_A|A]]</span>

== <span style="padding:5px;background:#d9c049;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AZ|<span style="color:white;">Authorization (AZ)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AZ_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AZ_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AZ_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AZ_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AZ_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AZ_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AZ_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AZ_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AZ_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AZ_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AZ_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AZ_A|A]]</span>

== <span style="padding:5px;background:#a395ca;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_CR|<span style="color:white;">Cryptography (CR)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_CR_2|2]] [[Cornucopia_-_Ecommerce_Website_-_CR_3|3]] [[Cornucopia_-_Ecommerce_Website_-_CR_4|4]] [[Cornucopia_-_Ecommerce_Website_-_CR_5|5]] [[Cornucopia_-_Ecommerce_Website_-_CR_6|6]] [[Cornucopia_-_Ecommerce_Website_-_CR_7|7]] [[Cornucopia_-_Ecommerce_Website_-_CR_8|8]] [[Cornucopia_-_Ecommerce_Website_-_CR_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_CR_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_CR_J|J]] [[Cornucopia_-_Ecommerce_Website_-_CR_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_CR_K|K]] [[Cornucopia_-_Ecommerce_Website_-_CR_A|A]]</span>

== <span style="padding:5px;background:#17365d;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_C|<span style="color:white;">Cornucopia (C)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_C_2|2]] [[Cornucopia_-_Ecommerce_Website_-_C_3|3]] [[Cornucopia_-_Ecommerce_Website_-_C_4|4]] [[Cornucopia_-_Ecommerce_Website_-_C_5|5]] [[Cornucopia_-_Ecommerce_Website_-_C_6|6]] [[Cornucopia_-_Ecommerce_Website_-_C_7|7]] [[Cornucopia_-_Ecommerce_Website_-_C_8|8]] [[Cornucopia_-_Ecommerce_Website_-_C_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_C_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_C_J|J]] [[Cornucopia_-_Ecommerce_Website_-_C_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_C_K|K]] [[Cornucopia_-_Ecommerce_Website_-_C_A|A]]</span>

== <span style="padding:5px;background:#fbbb7b;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_W|<span style="color:white;">Wild Card (W)</span>]]</span> ==

<span style="font-size:125%;">[[Cornucopia_-_Ecommerce_Website_-_W_Joker_A|Joker (A)]]<span style="letter-spacing: 0.15em;"> </span>[[Cornucopia_-_Ecommerce_Website_-_W_Joker_B|Joker (B)]]</span>

[[Category: Attack]] [[Category: Threat_Modeling]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-1]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

Cornucopia - Ecommerce Website - CR 5

2016-03-29T20:37:57Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 5</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_5.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 5

=== Description: ===

Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected).

=== Technical Note: ===

Cryptographic function errors always need to result in rejection. It is also useful to log (associated with the user's identity if possible) and flag these as possibly malicious activity for further analysis, or as input for application intrusion detection systems.

NB: Unlike [[Cornucopia_-_Ecommerce_Website_-_CR|other cards in this suit]], CR 5 assumes that cryptographic functions are in place, however they do not correctly respond to errors.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#103|103]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.2|7.2]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/97.html 97]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#145|145]]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_4|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_6|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 2

2016-03-29T20:37:38Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 2</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_2.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 2

=== Description: ===

Kyun can access data because it has been obfuscated rather than using an approved cryptographic function.

=== Technical Note: ===

There is no substitute for a proper, approved, cryptographic function where data needs to be protected at rest or in transit. Obfuscation is rarely the correct choice. Use standard-approved functions and consider all cryptographic management requirements (e.g. key creation, distribution, protection, replacement, retirement).

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#105|105]]</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#133|133]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#135|135]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_A|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_3|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 10

2016-03-29T20:32:47Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 10</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_10.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 10

=== Description: ===

Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions.

=== Technical Note: ===

Centralized authorization routines are a good programming practice, but like other routines, developers need to understand how they work, how to use them and any limitations. Such routines can be tested independently of other code and not only provide assurance on the quality, but also make refactorization an easy task and eliminate code duplicates and bad interpretations.

Server side implementation and presentation layer representations of access control rules must match.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#78|78]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>[[AppSensor_DetectionPoints#ACE1|ACE1]]</td>
<td>[https://capec.mitre.org/data/definitions/36.html 36]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#91|91]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.12|4.12]]</td>
<td>[[AppSensor_DetectionPoints#ACE2|ACE2]]</td>
<td>[https://capec.mitre.org/data/definitions/95.html 95]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#ACE3|ACE3]]</td>
<td>[https://capec.mitre.org/data/definitions/121.html 121]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#ACE4|ACE4]]</td>
<td>[https://capec.mitre.org/data/definitions/179.html 179]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_9|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_J|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 4

2016-03-29T20:21:20Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 4</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_4.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 4

=== Description: ===

Kelly can bypass authorization controls because they do not fail securely (i.e. they default to allowing access).

=== Technical Note: ===

Once an authorization failure is detected, access needs to be blocked. It is also useful to log (associated with the user's identity if possible) and flag these as possibly malicious activity for further analysis, or as input for application intrusion detection systems.

NB: the key concept for this card is allowing access, even though authorization checks were undertaken and detected a failure. See [[Cornucopia_-_Ecommerce_Website_-_AT_8|AT 8]] for the similar authentication failure.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#79|79]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.8|4.8]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/122.html 122]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#80|80]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_5|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 3

2016-03-29T20:18:35Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 3</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_3.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 3

=== Description: ===

Christian can access information, which they should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or other information leakage.

=== Technical Note: ===

The attacker themselves is not permitted direct access, but has access to something, that had or has access to information. Consider all accounts/roles and what access privileges they have, and whether a user in one role can utilise another role. Create an Access Control Policy to document an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled. This includes identifying access requirements for both the data and system resources.

This card also includes considerations of access to residual information such as cached data, data stored temporarily, and the inadequate deletion of information that is no longer required (and has passed its required retention period).

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#51|51]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/69.html 69]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#100|100]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#8.10|8.10]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/213.html 213]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#135|135]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.1|9.1]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#139|139]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.2|9.2]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#140|140]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.3|9.3]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#141|141]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.4|9.4]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#150|150]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.5|9.5]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#9.6|9.6]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#17.18|17.18]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_2|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_4|Next Card »]] </div>

Cornucopia - Ecommerce Website - VE 10

2016-03-29T20:07:08Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 10</span>}}
[[File:Cornucopia_-_Ecommerce_Website_VE_10.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]]

'''Card/Value:''' 10

=== Description: ===

Jerry can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, lack of verification of identity during data validation such as Jerry can pretend to be Colin).

=== Technical Note: ===

Trust management is a popular technique for implementing information security, and specifically for access control policies. All data sources of an application are be classified into groups with varying degrees of trust. When doing this, it is imperative to ensure that trusted sources cannot be spoofed. This spoofing can be done in many ways:
* Reflection attack.
* Principal Spoof.
* JSON Hijacking.
* Registry Poisoning.
* MITM.
* XSS.
Attackers that are identified as trusted users or that are in a trusted zone with bad authentication techniques can do all sorts of things, depending on the services, such as:
* Sniffing.
* Data tampering.
* Code Injection.
* DoS.

=== References: ===

<table class="wikitable" style="text-align:center;">

<tr>
<th>OWASP SCP </th>
<th>OWASP ASVS </th>
<th>OWASP AppSensor </th>
<th>CAPEC </th>
<th>SAFECODE </th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#2|2]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#10.6|10.6]]</td>
<td>[[AppSensor_DetectionPoints#IE4|IE4]]</td>
<td>[https://capec.mitre.org/data/definitions/12.html 12]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#19|19]]</td>
<td> </td>
<td>[[AppSensor_DetectionPoints#IE5|IE5]]</td>
<td>[https://capec.mitre.org/data/definitions/51.html 51]</td>
<td> </td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#92|92]]</td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/57.html 57]</td>
<td> </td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#95|95]]</td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/90.html 90]</td>
<td> </td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#180|180]]</td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/111.html 111]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/145.html 145]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/194.html 194]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/195.html 195]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/202.html 202]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/218.html 218]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td> </td>
<td>[https://capec.mitre.org/data/definitions/463.html 463]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_VE_9|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_VE_J|Next Card »]] </div>

Cornucopia - Ecommerce Website - VE 4

2016-03-29T20:02:13Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#929292;">Cornucopia - Ecommerce Website - VE 4</span>}}
[[File:Cornucopia_-_Ecommerce_Website_VE_4.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]]

'''Card/Value:''' 4

=== Description: ===

Dave can input malicious field names or data because it is not being checked within the context of the current user and process.

=== Technical Note: ===

Malicious data can be introduced voluntarily (as part of an attack) or involuntarily (e.g. XSS). Some input checks should be dependent upon the function or user's context (e.g. the data is valid for one user but not another). There are many alternatives to this kind of attack:
* Tampering request types, URLs, cookies, session identifiers, fields or values that are not validated.
* Adding, removing or duplicating request fields or values to exploit code behaviour (e.g. mass parameter assignment, parameter pollution, passing partial authentication data).
* Sending requests that are processed independently of the user activities (stage, amount of requests, privileges).
* Fuzzing a file input.
Depending of the target of the attack, the results of this type of input varies widely:
* Information disclosure (error logs, system responses, etc.).
* Operations tampering (SQLi, eShoplifting).
* Denial of Service.
* Spoofing.
* Code execution.

NB: This card relates to '''context-specific input validation'''. See [[Cornucopia_-_Ecommerce_Website_-_VE_3|VE 3]] for the similar generic input validation checks.

=== References: ===

<table class="wikitable" style="text-align:center;">

<tr>
<th>OWASP SCP </th>
<th>OWASP ASVS </th>
<th>OWASP AppSensor </th>
<th>CAPEC </th>
<th>SAFECODE </th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#8|8]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#5.17|5.17]]</td>
<td>[[AppSensor_DetectionPoints#RE3|RE3]]</td>
<td>[https://capec.mitre.org/data/definitions/28.html 28]</td>
<td>[[SAFECode_Practical_Security_Stories#24|24]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#10|10]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#15.2|15.2]]</td>
<td>[[AppSensor_DetectionPoints#RE4|RE4]]</td>
<td>[https://capec.mitre.org/data/definitions/31.html 31]</td>
<td>[[SAFECode_Practical_Security_Stories#35|35]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#183|183]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#15.3|15.3]]</td>
<td>[[AppSensor_DetectionPoints#RE5|RE5]]</td>
<td>[https://capec.mitre.org/data/definitions/48.html 48]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td>[[OWASP_Application_Security_Verification_Standard#15.10|15.10]]</td>
<td>[[AppSensor_DetectionPoints#RE6|RE6]]</td>
<td>[https://capec.mitre.org/data/definitions/126.html 126]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#AE8|AE8]]</td>
<td>[https://capec.mitre.org/data/definitions/162.html 162]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#AE9|AE9]]</td>
<td>[https://capec.mitre.org/data/definitions/165.html 165]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#AE10|AE10]]</td>
<td>[https://capec.mitre.org/data/definitions/213.html 213]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#AE11|AE11]]</td>
<td>[https://capec.mitre.org/data/definitions/220.html 220]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#SE1|SE1]]</td>
<td>[https://capec.mitre.org/data/definitions/221.html 221]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#SE3|SE3]]</td>
<td>[https://capec.mitre.org/data/definitions/261.html 261]</td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#SE4|SE4]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#SE5|SE5]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#SE6|SE6]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#IE2|IE2]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#IE3|IE3]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#IE4|IE4]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#HT1|HT1]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#HT2|HT2]]</td>
<td> </td>
<td> </td>
</tr>

<tr>
<td> </td>
<td> </td>
<td>[[AppSensor_DetectionPoints#HT3|HT3]]</td>
<td> </td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_VE_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_VE|Data Validation and Encoding]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_VE_5|Next Card »]] </div>

Cornucopia - Ecommerce Website - AT 7

2016-03-29T19:50:51Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#73abcc;">Cornucopia - Ecommerce Website - AT 7</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AT_7.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]]

'''Card/Value:''' 7

=== Description: ===

Cecilia can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and re-use requirements for passwords.

=== Technical Note: ===

Attacks should be prevented from being able to obtain valid account credentials by using the application in an unintended manner. This includes credential cracking (identifying valid login credentials by trying different values for usernames and/or passwords) and credential stuffing (mass log in attempts used to verify the validity of stolen username/password pairs).

NB: This card relates to '''passwords'''. See [[Cornucopia_-_Ecommerce_Website_-_AT_4|AT 4]] for the similar user name attacks.

=== References: ===

<table class="wikitable" style="text-align:center;">

<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#33|33]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#2.7|2.7]]</td>
<td>[[AppSensor_DetectionPoints#AE2|AE2]]</td>
<td>[https://capec.mitre.org/data/definitions/2.html 2]</td>
<td>[[SAFECode_Practical_Security_Stories#27|27]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#38|38]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#2.20|2.20]]</td>
<td>[[AppSensor_DetectionPoints#AE3|AE3]]</td>
<td>[https://capec.mitre.org/data/definitions/16.html 16]</td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#39|39]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#2.25|2.25]]</td>
<td></td>
<td></td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#41|41]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#50|50]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#53|53]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_6|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_8|Next Card »]] </div>

Cornucopia - Ecommerce Website Edition - Wiki Deck

2016-01-21T17:06:05Z

Dariodf:

__NOTOC__
Wiki card deck conceived and created by Darío De Filippis.

= Versioning =

This wiki deck relates to version 1.10 EN of [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia] Ecommerce Website Edition (currently the only edition). The cards are available in other formats (DOC, PDF, print) from the main project pages.

The cross-references relate to the following versions of other OWASP and external resources:

* OWASP SCP [[OWASP_Secure_Coding_Practices_Checklist]] v2
* OWASP ASVS [[OWASP_Application_Security_Verification_Standard]] v2 (2014)
* OWASP AppSensor [[AppSensor_DetectionPoints]]
* CAPEC [https://capec.mitre.org Mitre Common Attack Pattern Enumeration and Classification] v1.7.1
* SAFECode [[SAFECode_Practical_Security_Stories|SAFECode Practical Security Stories and Security Tasks for Agile Development Environments]] July 2012

= Deck =

== <span style="padding:5px;background:#929292;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_VE|<span style="color:white;">Data validation and encoding (VE)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_VE_2|2]] [[Cornucopia_-_Ecommerce_Website_-_VE_3|3]] [[Cornucopia_-_Ecommerce_Website_-_VE_4|4]] [[Cornucopia_-_Ecommerce_Website_-_VE_5|5]] [[Cornucopia_-_Ecommerce_Website_-_VE_6|6]] [[Cornucopia_-_Ecommerce_Website_-_VE_7|7]] [[Cornucopia_-_Ecommerce_Website_-_VE_8|8]] [[Cornucopia_-_Ecommerce_Website_-_VE_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_VE_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_VE_J|J]] [[Cornucopia_-_Ecommerce_Website_-_VE_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_VE_K|K]] [[Cornucopia_-_Ecommerce_Website_-_VE_A|A]]</span>

== <span style="padding:5px;background:#73abcc;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AT|<span style="color:white;">Authentication (AT)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AT_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AT_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AT_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AT_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AT_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AT_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AT_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AT_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AT_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AT_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AT_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AT_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AT_A|A]]</span>

== <span style="padding:5px;background:#98c477;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_SM|<span style="color:white;">Session management (SM)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_SM_2|2]] [[Cornucopia_-_Ecommerce_Website_-_SM_3|3]] [[Cornucopia_-_Ecommerce_Website_-_SM_4|4]] [[Cornucopia_-_Ecommerce_Website_-_SM_5|5]] [[Cornucopia_-_Ecommerce_Website_-_SM_6|6]] [[Cornucopia_-_Ecommerce_Website_-_SM_7|7]] [[Cornucopia_-_Ecommerce_Website_-_SM_8|8]] [[Cornucopia_-_Ecommerce_Website_-_SM_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_SM_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_SM_J|J]] [[Cornucopia_-_Ecommerce_Website_-_SM_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_SM_K|K]] [[Cornucopia_-_Ecommerce_Website_-_SM_A|A]]</span>

== <span style="padding:5px;background:#d9c049;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AZ|<span style="color:white;">Authorization (AZ)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AZ_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AZ_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AZ_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AZ_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AZ_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AZ_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AZ_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AZ_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AZ_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AZ_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AZ_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AZ_A|A]]</span>

== <span style="padding:5px;background:#a395ca;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_CR|<span style="color:white;">Cryptography (CR)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_CR_2|2]] [[Cornucopia_-_Ecommerce_Website_-_CR_3|3]] [[Cornucopia_-_Ecommerce_Website_-_CR_4|4]] [[Cornucopia_-_Ecommerce_Website_-_CR_5|5]] [[Cornucopia_-_Ecommerce_Website_-_CR_6|6]] [[Cornucopia_-_Ecommerce_Website_-_CR_7|7]] [[Cornucopia_-_Ecommerce_Website_-_CR_8|8]] [[Cornucopia_-_Ecommerce_Website_-_CR_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_CR_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_CR_J|J]] [[Cornucopia_-_Ecommerce_Website_-_CR_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_CR_K|K]] [[Cornucopia_-_Ecommerce_Website_-_CR_A|A]]</span>

== <span style="padding:5px;background:#17365d;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_C|<span style="color:white;">Cornucopia (C)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_C_2|2]] [[Cornucopia_-_Ecommerce_Website_-_C_3|3]] [[Cornucopia_-_Ecommerce_Website_-_C_4|4]] [[Cornucopia_-_Ecommerce_Website_-_C_5|5]] [[Cornucopia_-_Ecommerce_Website_-_C_6|6]] [[Cornucopia_-_Ecommerce_Website_-_C_7|7]] [[Cornucopia_-_Ecommerce_Website_-_C_8|8]] [[Cornucopia_-_Ecommerce_Website_-_C_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_C_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_C_J|J]] [[Cornucopia_-_Ecommerce_Website_-_C_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_C_K|K]] [[Cornucopia_-_Ecommerce_Website_-_C_A|A]]</span>

== <span style="padding:5px;background:#fbbb7b;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_W|<span style="color:white;">Wild Card (W)</span>]]</span> ==

<span style="font-size:125%;">[[Cornucopia_-_Ecommerce_Website_-_W_Joker_A|Joker (A)]]<span style="letter-spacing: 0.15em;"> </span>[[Cornucopia_-_Ecommerce_Website_-_W_Joker_B|Joker (B)]]</span>

[[Category: Attack]] [[Category: Threat_Modeling]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

Cornucopia - Ecommerce Website Edition - Wiki Deck

2016-01-21T17:05:45Z

Dariodf:

__NOTOC__
Wiki card deck conceived and created by Darío De Filippis.

= Versioning =

This wiki deck relates to version 1.10 EN of [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia] Ecommerce Website Edition (currently the only edition). The cards are available in other formats (DOC, PDF, print) from the main project pages.

The cross-references relate to the following versions of other OWASP and external resources:

* OWASP SCP [[OWASP_Secure_Coding_Practices_Checklist]] v2
* OWASP ASVS [[OWASP_Application_Security_Verification_Standard]] v2 (2014)
* OWASP AppSensor [[OWASP_AppSensor_DetectionPoints]]
* CAPEC [https://capec.mitre.org Mitre Common Attack Pattern Enumeration and Classification] v1.7.1
* SAFECode [[SAFECode_Practical_Security_Stories|SAFECode Practical Security Stories and Security Tasks for Agile Development Environments]] July 2012

= Deck =

== <span style="padding:5px;background:#929292;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_VE|<span style="color:white;">Data validation and encoding (VE)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_VE_2|2]] [[Cornucopia_-_Ecommerce_Website_-_VE_3|3]] [[Cornucopia_-_Ecommerce_Website_-_VE_4|4]] [[Cornucopia_-_Ecommerce_Website_-_VE_5|5]] [[Cornucopia_-_Ecommerce_Website_-_VE_6|6]] [[Cornucopia_-_Ecommerce_Website_-_VE_7|7]] [[Cornucopia_-_Ecommerce_Website_-_VE_8|8]] [[Cornucopia_-_Ecommerce_Website_-_VE_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_VE_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_VE_J|J]] [[Cornucopia_-_Ecommerce_Website_-_VE_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_VE_K|K]] [[Cornucopia_-_Ecommerce_Website_-_VE_A|A]]</span>

== <span style="padding:5px;background:#73abcc;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AT|<span style="color:white;">Authentication (AT)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AT_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AT_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AT_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AT_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AT_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AT_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AT_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AT_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AT_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AT_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AT_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AT_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AT_A|A]]</span>

== <span style="padding:5px;background:#98c477;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_SM|<span style="color:white;">Session management (SM)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_SM_2|2]] [[Cornucopia_-_Ecommerce_Website_-_SM_3|3]] [[Cornucopia_-_Ecommerce_Website_-_SM_4|4]] [[Cornucopia_-_Ecommerce_Website_-_SM_5|5]] [[Cornucopia_-_Ecommerce_Website_-_SM_6|6]] [[Cornucopia_-_Ecommerce_Website_-_SM_7|7]] [[Cornucopia_-_Ecommerce_Website_-_SM_8|8]] [[Cornucopia_-_Ecommerce_Website_-_SM_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_SM_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_SM_J|J]] [[Cornucopia_-_Ecommerce_Website_-_SM_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_SM_K|K]] [[Cornucopia_-_Ecommerce_Website_-_SM_A|A]]</span>

== <span style="padding:5px;background:#d9c049;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_AZ|<span style="color:white;">Authorization (AZ)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_AZ_2|2]] [[Cornucopia_-_Ecommerce_Website_-_AZ_3|3]] [[Cornucopia_-_Ecommerce_Website_-_AZ_4|4]] [[Cornucopia_-_Ecommerce_Website_-_AZ_5|5]] [[Cornucopia_-_Ecommerce_Website_-_AZ_6|6]] [[Cornucopia_-_Ecommerce_Website_-_AZ_7|7]] [[Cornucopia_-_Ecommerce_Website_-_AZ_8|8]] [[Cornucopia_-_Ecommerce_Website_-_AZ_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_AZ_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_J|J]] [[Cornucopia_-_Ecommerce_Website_-_AZ_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_AZ_K|K]] [[Cornucopia_-_Ecommerce_Website_-_AZ_A|A]]</span>

== <span style="padding:5px;background:#a395ca;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_CR|<span style="color:white;">Cryptography (CR)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_CR_2|2]] [[Cornucopia_-_Ecommerce_Website_-_CR_3|3]] [[Cornucopia_-_Ecommerce_Website_-_CR_4|4]] [[Cornucopia_-_Ecommerce_Website_-_CR_5|5]] [[Cornucopia_-_Ecommerce_Website_-_CR_6|6]] [[Cornucopia_-_Ecommerce_Website_-_CR_7|7]] [[Cornucopia_-_Ecommerce_Website_-_CR_8|8]] [[Cornucopia_-_Ecommerce_Website_-_CR_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_CR_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_CR_J|J]] [[Cornucopia_-_Ecommerce_Website_-_CR_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_CR_K|K]] [[Cornucopia_-_Ecommerce_Website_-_CR_A|A]]</span>

== <span style="padding:5px;background:#17365d;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_C|<span style="color:white;">Cornucopia (C)</span>]]</span> ==

<span style="font-size:125%;letter-spacing: 0.15em;">[[Cornucopia_-_Ecommerce_Website_-_C_2|2]] [[Cornucopia_-_Ecommerce_Website_-_C_3|3]] [[Cornucopia_-_Ecommerce_Website_-_C_4|4]] [[Cornucopia_-_Ecommerce_Website_-_C_5|5]] [[Cornucopia_-_Ecommerce_Website_-_C_6|6]] [[Cornucopia_-_Ecommerce_Website_-_C_7|7]] [[Cornucopia_-_Ecommerce_Website_-_C_8|8]] [[Cornucopia_-_Ecommerce_Website_-_C_9|9]] <span style="letter-spacing: 0;">[[Cornucopia_-_Ecommerce_Website_-_C_10|10]]</span> [[Cornucopia_-_Ecommerce_Website_-_C_J|J]] [[Cornucopia_-_Ecommerce_Website_-_C_Q|Q]] [[Cornucopia_-_Ecommerce_Website_-_C_K|K]] [[Cornucopia_-_Ecommerce_Website_-_C_A|A]]</span>

== <span style="padding:5px;background:#fbbb7b;font-weight:bold;"> [[Cornucopia_-_Ecommerce_Website_-_W|<span style="color:white;">Wild Card (W)</span>]]</span> ==

<span style="font-size:125%;">[[Cornucopia_-_Ecommerce_Website_-_W_Joker_A|Joker (A)]]<span style="letter-spacing: 0.15em;"> </span>[[Cornucopia_-_Ecommerce_Website_-_W_Joker_B|Joker (B)]]</span>

[[Category: Attack]] [[Category: Threat_Modeling]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

Cornucopia - Ecommerce Website - W Joker B

2016-01-21T16:32:24Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#fbbb7b;">Cornucopia - Ecommerce Website - WC J</span>}}
[[File:Cornucopia_-_Ecommerce_Website_W_Joker_B.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_W|Wild Card]]

'''Card/Value:''' Joker

=== Description: ===

Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates.

=== Technical Note: ===

Most ecommerce applications will be subject to various legal, regulatory, contractual or other organizational mandates. These are likely to include requirements for data protection/privacy and payment card security. An unapproved change, or application compromise, could mean the ecommerce application is no longer in compliance, or that compliance reporting requirements change. Some examples are:
* An undocumented installed component has a vulnerability announced.
* The server hosting the ecommerce application makes an unapproved connection to another system.
* The fully outsourced payment form template is modified to include code from the merchant's server.
* Personal data relating to an individual is used for a purpose the individual has not consented to.
* An unauthorised change to configuration data such that some component/service is no longer configured adequately.
* Unapproved/insecure services/applications are installed/enabled.
* The terms of service, or privacy statement, are modified without approval.
* Personal data is inadvertently mixed with business contact data.
* A scheduled process is accidentally disabled so that quarterly data destruction is stopped, meaning the application no longer complies with the data retention and disposal policy.

Consider:
* What could change that affects compliance?
* How will the application detect this?
* What is the incident response process for these?

=== References: ===

Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab.

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_W_Joker_A|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_W|Wild Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_VE_2|Next Card »]] </div>

Cornucopia - Ecommerce Website - W Joker A

2016-01-21T16:31:55Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#fbbb7b;">Cornucopia - Ecommerce Website - W J</span>}}
[[File:Cornucopia_-_Ecommerce_Website_W_Joker_A.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_W|Wild Card]]

'''Card/Value:''' Joker

=== Description: ===

Alice can utilize the application to attack users' systems and data.

=== Technical Note: ===

Consider how the application's normal functionality might be used to the disbenefit of another application, of some or all users, of another party, or even of society. This may include:
* Performing denial of service.
* Hosting/distribution of unapproved content (e.g. videos, photos, malware).
* Generating of spam messages.
* Hosting unapproved application code (e.g. as a command and control server, or as a bot).
* Reflecting an attack against another system.
* Attacking another internal system (e.g. databases, internal network).

=== References: ===

Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP’s work.

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_A|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_W|Wild Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_W_Joker_B|Next Card »]] </div>

Cornucopia - Ecommerce Website - C A

2016-01-21T16:31:31Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C A</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_A.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' A

=== Description: ===

You have invented a new attack of any type.

=== Technical Note: ===

Players can discuss any type of attack they think might be possible against the assessment target. It does not matter if the attack relates to another suit or any other card, but if possible try to identify an attack that is fairly unique to the application/functionality/users.

=== References: ===

Read more about application security in OWASP’s free Guides on Requirements, Development, Code Review and Testing, the Cheat Sheet series, and the Open Software Assurance Maturity Model.

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_K|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_W_Joker_A|Next Card »]] </div>

Cornucopia - Ecommerce Website - C K

2016-01-21T16:31:20Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C K</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_K.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' K

=== Description: ===

Gareth can utilize the application to deny service to some or all of its users.

=== Technical Note: ===

Application-layer denial of service and other activities that adversely affect the application's users. Includes:
* Account lockout.
* Spamming.
* Excessive resource consumption.
* Scalping.
* Sniping.

Must involve the ecommerce application in the attack and thus excludes HTTP DoS (e.g. flood attacks, slow attacks).

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#41|41]]</td>
<td>-</td>
<td>[[AppSensor_DetectionPoints#UT1|UT1]]</td>
<td>[https://capec.mitre.org/data/definitions/2.html 2]</td>
<td>[[SAFECode_Practical_Security_Stories#1|1]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#55|55]]</td>
<td></td>
<td>[[AppSensor_DetectionPoints#UT2|UT2]]</td>
<td>[https://capec.mitre.org/data/definitions/25.html 25]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#UT3|UT3]]</td>
<td>[https://capec.mitre.org/data/definitions/119.html 119]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#UT4|UT4]]</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#STE3|STE3]]</td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_Q|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_A|Next Card »]] </div>

Cornucopia - Ecommerce Website - C Q

2016-01-21T16:31:10Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C Q</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_Q.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' Q

=== Description: ===

Jim can undertake malicious, non-normal, actions without real-time detection and response by the application.

=== Technical Note: ===

Consider guidance provided by [[OWASP_AppSensor_Project|OWASP AppSensor real-time application level intrusion detection and response]].

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>-</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.17|4.17]]</td>
<td>[[AppSensor_DetectionPoints|(All)]]</td>
<td>[https://capec.mitre.org/ (All)]</td>
<td>[[SAFECode_Practical_Security_Stories#1|1]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.6|15.6]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#27|27]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.10|15.10]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_K|Next Card »]] </div>

Cornucopia - Ecommerce Website - C Q

2016-01-21T16:31:03Z

Dariodf:

Cornucopia - Ecommerce Website - C 6

2016-01-21T16:30:18Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C 6</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_6.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' 6

=== Description: ===

Aaron can bypass controls because error/exception handling is missing, or is implemented inconsistently or partially, or does not deny access by default (i.e. errors should terminate access/execution), or relies on handling by some other service or system.

=== Technical Note: ===

Ensure all forms of error are handled robustly and consistently (e.g. web server, application server, database server, JavaScript, other interpreters). This encompasses:
* Implement generic error messages and use custom error pages.
* The application should handle application errors and not rely on the server configuration.
* Properly free allocated memory when error conditions occur.
* Error handling logic associated with security controls should deny access by default.
* When exceptions occur, fail securely.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#109|109]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#8.4|8.4]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/54.html 54]</td>
<td>[[SAFECode_Practical_Security_Stories#4|4]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#110|110]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/98.html 98]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#111|111]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/164.html 164]</td>
<td>[[SAFECode_Practical_Security_Stories#23|23]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#112|112]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#155|155]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_5|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_7|Next Card »]] </div>

Cornucopia - Ecommerce Website - C 5

2016-01-21T16:30:02Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C 5</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_5.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' 5

=== Description: ===

Larry can influence the trust other parties including users have in the application, or abuse that trust elsewhere (e.g. in another application).

=== Technical Note: ===

Abuse of trust attacks include:
* Clickjacking.
* Phishing.
* Pharming.
* SSL downgrade/misconfiguration.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>-</td>
<td>-</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/89.html 89]</td>
<td>-</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/103.html 103]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/181.html 181]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/459.html 459]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_4|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_6|Next Card »]] </div>

Cornucopia - Ecommerce Website - C 3

2016-01-21T16:29:42Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#17365d;">Cornucopia - Ecommerce Website - C 3</span>}}
[[File:Cornucopia_-_Ecommerce_Website_C_3.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]]

'''Card/Value:''' 3

=== Description: ===

Andrew can access source code, or decompile, or otherwise access business logic to understand how the application works and any secrets contained.

=== Technical Note: ===

Protect source code repositories and server-side source-code. Consider anti reverse-engineering techniques. Do not include or minimise logic/secrets within code accessible by users.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#134|134]]</td>
<td>-</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/56.html 56]</td>
<td>-</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/189.html 189]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/207.html 207]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/211.html 211]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_C_2|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C|Cornucopia]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_4|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR A

2016-01-21T16:29:25Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR A</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_A.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' A

=== Description: ===

You have invented a new attack against Cryptography.

=== Technical Note: ===

Players can discuss any type of Cryptography (CR) attack they think might be possible against the assessment target. It does not matter if the attack relates to another [[Cornucopia_-_Ecommerce_Website_-_CR|CR]] card, but if possible try to identify an attack that is fairly unique to the application/functionality/users.

=== References: ===

Read more about this topic in OWASP’s free Cheat Sheets on Cryptographic Storage, and Transport Layer Protection.

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_K|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_C_2|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR K

2016-01-21T16:29:13Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR K</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_K.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' K

=== Description: ===

Dan can influence or alter cryptography code/routines (encryption, hashing, digital signatures, random number and GUID generation) and can therefore bypass them.

=== Technical Note: ===

In general, all cryptographic routines should be on the server-side using robust, tested and protected routines.

NB: Unlike other cards in this suit, this CR K relates to an attacker being able to change the executing code. This may be due to inadequate source code control, deployment controls or server protection, but could also be modification of client-side code.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#31|31]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.1|7.1]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/207.html 207]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#101|101]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/211.html 211]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_Q|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_A|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR Q

2016-01-21T16:28:57Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR Q</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_Q.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' Q

=== Description: ===

Randolph can access or predict the master cryptographic secrets.

=== Technical Note: ===

NB: The key concept for this card is '''protection of master cryptographic secrets''', within the application and more widely in management processes.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#35|35]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.3|7.3]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/116.html 116]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#102|102]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/117.html 117]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_K|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR J

2016-01-21T16:28:44Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR J</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_J.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' J

=== Description: ===

Justin can read credentials for accessing internal or external resources, services and others systems because they are stored in an unencrypted format, or saved in the source code.

=== Technical Note: ===

NB: The key concept for this card is '''unencrypted storage of account credentials'''.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#35|35]]</td>
<td>-</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/116.html 116]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#90|90]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#171|171]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#172|172]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_10|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_Q|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 9

2016-01-21T16:28:25Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 9</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_9.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 9

=== Description: ===

Andy can bypass random number generation, random GUID generation, hashing and encryption functions because they have been self-built and/or are weak.

=== Technical Note: ===

NB: The key concept for this card is '''use of weak algorithms/functions''', especially self-built ones.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#60|60]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.6|7.6]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/97.html 97]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#104|104]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.7|7.7]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#105|105]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.8|7.8]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#32|32]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#33|33]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_8|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_10|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 8

2016-01-21T16:28:14Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 8</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_8.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 8

=== Description: ===

Eoin can access stored business data (e.g. passwords, session identifiers, PII, cardholder data) because it is not securely encrypted or securely hashed.

=== Technical Note: ===

NB: The key concept for this card is '''protection of stored data'''.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#30|30]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#2.13|2.13]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/31.html 31]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#31|31]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.7|7.7]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/37.html 37]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#70|70]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.8|7.8]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/55.html 55]</td>
<td>[[SAFECode_Practical_Security_Stories#31|31]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#133|133]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#8.10|8.10]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#135|135]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.2|9.2]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_7|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_9|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 6

2016-01-21T16:27:55Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 6</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_6.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 6

=== Description: ===

Romain can read and modify data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems.

=== Technical Note: ===

NB: The key concept for this card is '''lack of encryption''' of data '''in transit''' and/or '''in memory'''.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#36|36]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.2|9.2]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/31.html 31]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#37|37]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#10.2|10.2]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/57.html 57]</td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#143|143]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#10.3|10.3]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/102.html 102]</td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#146|146]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#10.7|10.7]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/158.html 158]</td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#147|147]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/384.html 384]</td>
<td></td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/466.html 466]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_5|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_7|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 5

2016-01-21T16:27:42Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 5</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_5.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 5

=== Description: ===

Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected).

=== Technical Note: ===

Crypotographic function errors always need to result in rejection. It is also useful to log (associated with the user's identity if possible) and flag these as possibly malicious activity for further analysis, or as input for application intrusion detection systems.

NB: Unlike [[Cornucopia_-_Ecommerce_Website_-_CR|other cards in this suit]], CR 5 assumes that cryptographic functions are in place, however they do not correctly respond to errors.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#103|103]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.2|7.2]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/97.html 97]</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#145|145]]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_4|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_6|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 4

2016-01-21T16:27:24Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 4</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_4.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 4

=== Description: ===

Paulo can access data in transit that is not encrypted, even though the channel is encrypted.

=== Technical Note: ===

Data may be use encryption in transit like Transport Layer Security (TLS). However, an attacker may have legitimate access to this (e.g. viewing SSL content in a web browser). Consider whether the data transmitted also needs to be encrypted itself, not just sent using an encrypted protocol.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#37|37]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.2|9.2]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/185.html 185]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#88|88]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/186.html 186]</td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#143|143]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/187.html 187]</td>
<td>[[SAFECode_Practical_Security_Stories#30|30]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#214|214]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_CR_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_5|Next Card »]] </div>

Cornucopia - Ecommerce Website - CR 2

2016-01-21T16:27:01Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#a395ca;">Cornucopia - Ecommerce Website - CR 2</span>}}
[[File:Cornucopia_-_Ecommerce_Website_CR_2.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]]

'''Card/Value:''' 2

=== Description: ===

Kyun can access data because it has been obfuscated rather than using an approved cryptographic function.

=== Technical Note: ===

There is no substitute for a proper, approved, cryptographic function where data needs to be protected at rest or in transit. Obfuscation is rarely the correct choice. Use standard-sapproved functions and consider all cryptographic management requirements (e.g. key creation, distribution, protection, replacement, retirement).

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#105|105]]</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>[[SAFECode_Practical_Security_Stories#21|21]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#133|133]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#29|29]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#135|135]]</td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_A|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR|Cryptography]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_3|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ A

2016-01-21T16:26:43Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ A</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_A.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' A

=== Description: ===

You have invented a new attack against Authorization.

=== Technical Note: ===

Players can discuss any type of Authorization (AZ) attack they think might be possible against the assessment target. It does not matter if the attack relates to another [[Cornucopia_-_Ecommerce_Website_-_AZ|AZ]] card, but if possible try to identify an attack that is fairly unique to the application/functionality/users.

=== References: ===

Read more about this topic in OWASP’s Development and Testing Guides

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_K|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_CR_2|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ K

2016-01-21T16:26:25Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ K</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_K.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' K

=== Description: ===

Ryan can influence or alter authorization controls and permissions, and can therefore bypass them.

=== Technical Note: ===

Use only trusted system objects, e.g. server side session objects, for making access authorization decisions. Restrict access to user and data attributes and policy information used by access controls. Server side implementation and presentation layer representations of access control rules must match.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#77|77]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.9|4.9]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/56.html 56]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#89|89]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.10|4.10]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/207.html 207]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#91|91]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.11|4.11]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/211.html 211]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_Q|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_A|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ J

2016-01-21T16:26:12Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ J</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_J.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' J

=== Description: ===

Dinis can access security configuration information, or access control lists.

=== Technical Note: ===

Restrict access security-relevant configuration information to only appropriate authorized users.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#89|89]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.10|4.10]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/75.html 75]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#90|90]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#7.3|7.3]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/133.html 133]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#13.2|13.2]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/203.html 203]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_10|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_Q|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ Q

2016-01-21T16:26:00Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ Q</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_Q.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' Q

=== Description: ===

Christopher can inject a command that the application will run at a higher privilege level.

=== Technical Note: ===

Firstly apply appropriate [[Cornucopia_-_Ecommerce_Website_-_VE|input validation and encoding]]. In cases where the application must run with elevated privileges, raise privileges as late as possible, and drop them as soon as possible.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#209|209]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#5.12|5.12]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/17.html 17]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.7|15.7]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/30.html 30]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/69.html 69]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/234.html 234]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_K|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ J

2016-01-21T16:25:48Z

Dariodf:

Cornucopia - Ecommerce Website - AZ J

2016-01-21T16:25:41Z

Dariodf:

Cornucopia - Ecommerce Website - AZ 10

2016-01-21T16:25:31Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 10</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_10.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 10

=== Description: ===

Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions.

=== Technical Note: ===

Centralized authorization routines are a good programming practice, but like other routines, developers need to understand how they work, how to use them and any limitations. Such routines can be tested independently of other code and not only provide assurance on the quality, but it make refactorization an easy task and eliminate code duplicates and bad interpretations.

Server side implementation and presentation layer representations of access control rules must match.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#78|78]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>[[AppSensor_DetectionPoints#ACE1|ACE1]]</td>
<td>[https://capec.mitre.org/data/definitions/36.html 36]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#91|91]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.12|4.12]]</td>
<td>[[AppSensor_DetectionPoints#ACE2|ACE2]]</td>
<td>[https://capec.mitre.org/data/definitions/95.html 95]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#ACE3|ACE3]]</td>
<td>[https://capec.mitre.org/data/definitions/121.html 121]</td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td>[[AppSensor_DetectionPoints#ACE4|ACE4]]</td>
<td>[https://capec.mitre.org/data/definitions/179.html 179]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_9|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_J|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 7

2016-01-21T16:24:38Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 7</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_7.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 7

=== Description: ===

Yuanjing can access application functions, objects, or properties he is not authorized to access.

=== Technical Note: ===

Implement least privilege, and restrict users to only the functionality, objects and properties that are required to perform their tasks.

NB: the key concept for this card is applying function/object/property authorization controls. See [[Cornucopia_-_Ecommerce_Website_-_AZ_5|AZ 5]] for resource type controls, and [[Cornucopia_-_Ecommerce_Website_-_AZ_6|AZ 6]] for data controls.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#81|81]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>[[AppSensor_DetectionPoints#ACE1|ACE1]]</td>
<td>[https://capec.mitre.org/data/definitions/122.html 122]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#85|85]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.2|4.2]]</td>
<td>[[AppSensor_DetectionPoints#ACE2|ACE2]]</td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#86|86]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.3|4.3]]</td>
<td>[[AppSensor_DetectionPoints#ACE3|ACE3]]</td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#131|131]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.4|4.4]]</td>
<td>[[AppSensor_DetectionPoints#ACE4|ACE4]]</td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.7|15.7]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_6|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_8|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 6

2016-01-21T16:24:28Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 6</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_6.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 6

=== Description: ===

Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point.

=== Technical Note: ===

Even though a user may be permitted access to a particular page, the contents of that page should also verify access control privileges. For example, a user should be able to edit their own profile text, but not that for another user. Implement least privilege, and restrict users to only the data and system information that are required to perform their tasks.

NB: the key concept for this card is applying authorization controls at the data level. See [[Cornucopia_-_Ecommerce_Website_-_AZ_5|AZ 5]] for resource types controls, and [[Cornucopia_-_Ecommerce_Website_-_AZ_7|AZ 7]] for function/object/property controls.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#81|81]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>[[AppSensor_DetectionPoints#ACE1|ACE1]]</td>
<td>[https://capec.mitre.org/data/definitions/122.html 122]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#88|88]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.3|4.3]]</td>
<td>[[AppSensor_DetectionPoints#ACE2|ACE2]]</td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#131|131]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.4|4.4]]</td>
<td>[[AppSensor_DetectionPoints#ACE3|ACE3]]</td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.7|15.7]]</td>
<td>[[AppSensor_DetectionPoints#ACE4|ACE4]]</td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_5|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_7|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 4

2016-01-21T16:24:04Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 4</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_4.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 4

=== Description: ===

Kelly can bypass authorization controls because they do not fail securely (i.e. they default to allowing access).

=== Technical Note: ===

Once an authorization failure is detected, access needs to be blocked. It is also useful to log (associated with the user's identity if possible) and flag these as possibly malicious activity for further analysis, or as input for application intrusion detection systems.

NB: the key concept for this card is permitting access, even though authorization checks were undertaken and detected a failure. See [[Cornucopia_-_Ecommerce_Website_-_AT_8|AT 8]] for the similar authentication failure.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#79|79]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.8|4.8]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/122.html 122]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#80|80]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_5|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 3

2016-01-21T16:23:53Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 3</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_3.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 3

=== Description: ===

Christian can access information, which they should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or other information leakage.

=== Technical Note: ===

The attacker themselves is not permitted direct acecss, but has access to something, that had or has access to information. Consider all accounts/roles and what access privileges they have, and whether a user in one role can utilise another role. Create an Access Control Policy to document an application's business rules, data types and access authorization criteria and/or processes so that access can be properly provisioned and controlled. This includes identifying access requirements for both the data and system resources.

This card also includes considerations of access to residual information such as cached data, data stored temporarily, and the inadequate deletion of information that is no longer required (and has passed its required retention period).

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#51|51]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.1|4.1]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/69.html 69]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#100|100]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#8.10|8.10]]</td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/213.html 213]</td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#135|135]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.1|9.1]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#139|139]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.2|9.2]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#140|140]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.3|9.3]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#141|141]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.4|9.4]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#150|150]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#9.5|9.5]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#9.6|9.6]]</td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#17.18|17.18]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AZ_2|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_4|Next Card »]] </div>

Cornucopia - Ecommerce Website - AZ 2

2016-01-21T16:23:41Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#d9c049;">Cornucopia - Ecommerce Website - AZ 2</span>}}
[[File:Cornucopia_-_Ecommerce_Website_AZ_2.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]]

'''Card/Value:''' 2

=== Description: ===

Tim can influence where data is sent or forwarded to.

=== Technical Note: ===

Users must not be able to define unauthorised virtual locations/addresses such as:
* Database table names.
* File system paths.
* Alert SMS or email messages.
* URL paths.

All such properties must be defined by the ecommerce application itself, or drawn from a valid list of locations permitted for the user and their role.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr>
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>
<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#44|44]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.3|4.3]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/153.html 153]</td>
<td>[[SAFECode_Practical_Security_Stories#8|8]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#15.7|15.7]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#10|10]]</td>
</tr>
<tr>
<td></td>
<td>[[OWASP_Application_Security_Verification_Standard#16.1|16.1]]</td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#11|11]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_A|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ|Authorization]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_3|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM A

2016-01-21T16:23:31Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM A</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_A.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' A

=== Description: ===

You have invented a new attack against Session Management

=== Technical Note: ===

Players can discuss any type of Session Management (SM) attack they think might be possible against the assessment target. It does not matter if the attack relates to another [[Cornucopia_-_Ecommerce_Website_-_SM|SM]] card, but if possible try to identify an attack that is fairly unique to the application/functionality/users.

=== References: ===

Read more about this topic in OWASP’s free Cheat Sheets on Session Management, and Cross Site Request Forgery (CSRF) Prevention

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_K|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AZ_2|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM K

2016-01-21T16:23:10Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM K</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_K.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' K

=== Description: ===

Peter can bypass the session management controls because they have been self-built and/or are weak, instead of using a standard framework or approved tested module.

=== Technical Note: ===

Centralized session management routines are a good programming practice, but like other routines, developers need to understand how they work, how to use them and any limitations. These should preferably be the framework's in-built session management support. If third party session management libraries are used, it is important to test each routine before its implementation.

NB: This relates to what session management routines to use. See [[Cornucopia_-_Ecommerce_Website_-_SM_Q|SM Q]] for application-wide coverage.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#58|58]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#3.1|3.1]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/21.html 21]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#60|60]]</td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#28|28]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_Q|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_A|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM Q

2016-01-21T16:22:56Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM Q</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_Q.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' Q

=== Description: ===

Salim can bypass session management because it is not applied comprehensively and consistently across the application.

=== Technical Note: ===

Every part of the application and type of request should verify that the user has a valid current session (if required) and thus their privileges, before undertaking any other data validation and processing.

NB: This relates to application-wide session management control. See [[Cornucopia_-_Ecommerce_Website_-_SM_K|SM K]] for what session management routines to use.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#58|58]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#3.1|3.1]]</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/21.html 21]</td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>

<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#28|28]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_K|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM J

2016-01-21T16:22:37Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM J</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_J.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' J

=== Description: ===

Jeff can resend an identical repeat interaction (e.g. HTTP request, signal, button press) and it is accepted, not rejected.

=== Technical Note: ===

The key concept for this card is replay of a previous event.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>-</td>
<td>[[OWASP_Application_Security_Verification_Standard#15.2|15.2]]</td>
<td>[[AppSensor_DetectionPoints#IE5|IE5]]</td>
<td>[https://capec.mitre.org/data/definitions/60.html 60]</td>
<td>[[SAFECode_Practical_Security_Stories#12|12]]</td>
</tr>

<tr>
<td></td>
<td></td>
<td></td>
<td></td>
<td>[[SAFECode_Practical_Security_Stories#14|14]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_10|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_Q|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM 10

2016-01-21T16:22:01Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 10</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_10.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' 10

=== Description: ===

Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state.

=== Technical Note: ===

Consider supplementing standard session management with:
* Per-session strong random tokens or parameters.
* Per-request, as opposed to per-session, strong random tokens or parameters.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#73|73]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#4.16|4.16]]</td>
<td>[[AppSensor_DetectionPoints#IE4|IE4]]</td>
<td>[https://capec.mitre.org/data/definitions/62.html 62]</td>
<td>[[SAFECode_Practical_Security_Stories#18|18]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#74|74]]</td>
<td></td>
<td></td>
<td>[https://capec.mitre.org/data/definitions/111.html 111]</td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_9|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_J|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM 9

2016-01-21T16:21:49Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 9</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_9.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' 9

=== Description: ===

Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter.

=== Technical Note: ===

Protect session identifiers as if they are account credentials. For HTTP cookies:
* Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value.
* Set the 'secure' attribute for cookies transmitted over an TLS connection.
* Consider making the whole ecommerce website 'SSL-only', adding the HTTP Strict Transport Security (HSTS) header and adding the domain to web browser pre-load lists.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#69|69]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#3.6|3.6]]</td>
<td>[[AppSensor_DetectionPoints#SE4|SE4]]</td>
<td>[https://capec.mitre.org/data/definitions/31.html 31]</td>
<td>[[SAFECode_Practical_Security_Stories#28|28]]</td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#75|75]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#3.14|3.14]]</td>
<td>[[AppSensor_DetectionPoints#SE5|SE5]]</td>
<td>[https://capec.mitre.org/data/definitions/60.html 60]</td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#76|76]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#3.15|3.15]]</td>
<td>[[AppSensor_DetectionPoints#SE6|SE6]]</td>
<td></td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#119|119]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#8.10|8.10]]</td>
<td></td>
<td></td>
<td></td>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#138|138]]</td>
<td>[[OWASP_Application_Security_Verification_Standard#10.3|10.3]]</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_8|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_10|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM 8

2016-01-21T16:21:40Z

Dariodf:

{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 8</span>}}
[[File:Cornucopia_-_Ecommerce_Website_SM_8.png|frame|right]]
'''Suit:''' [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]]

'''Card/Value:''' 8

=== Description: ===

Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed.

=== Technical Note: ===

A user's privileges may change during a session. If this information is also stored in session data, it will not reflect the changes. Consider forcing re-authentication.

See Authentication [[Cornucopia_-_Ecommerce_Website_-_AT_9|AT 9]] for other re-authentication requirements.

=== References: ===

<table class="wikitable" style="text-align:center;">
<tr class="tableizer-firstrow">
<th>OWASP SCP</th>
<th>OWASP ASVS</th>
<th>OWASP AppSensor</th>
<th>CAPEC</th>
<th>SAFECODE</th>
</tr>

<tr>
<td>[[OWASP_Secure_Coding_Practices_Checklist#96|96]]</td>
<td>-</td>
<td>-</td>
<td>[https://capec.mitre.org/data/definitions/21.html 21]</td>
<td>[[SAFECode_Practical_Security_Stories#28|28]]</td>
</tr>
</table>

<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_SM_7|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM|Session management]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_SM_9|Next Card »]] </div>

Cornucopia - Ecommerce Website - SM 8

2016-01-21T16:21:32Z

Dariodf: