This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cornucopia - Ecommerce Website - AT 3

From OWASP
Jump to: navigation, search
Cornucopia - Ecommerce Website AT 3.png

Suit: Authentication

Card/Value: 3

Description:

Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password.

Technical Note:

Passwords and secrets need protection. Common attacks include:

  • Stealing a password/secret in transit (e.g. in an email message, over an unencrypted HTTP connection)
  • Observing a password/secret being entered on screen
  • Weak password recovery (e.g. reliance only on 'security' questions)
  • Use of weak 'remember me' functionality
  • Re-use of passwords making them guessable
  • Passwords/secrets recorded in logs
  • Passwords/secrets exposed in form data/URLs
  • Client-side caching or storage of passwords/secrets
  • Hard-coding of passwords/secrets into code
  • Passwords never changed by user

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECODE
36 2.2 37 28
37 2.9
40 2.16
43 8.10
48 9.1
51 9.4
119 9.5
139
140
146


« Previous Card | Authentication | Next Card »