This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cornucopia - Ecommerce Website - AT 3
From OWASP
Suit: Authentication
Card/Value: 3
Description:
Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password.
Technical Note:
Passwords and secrets need protection. Common attacks include:
- Stealing a password/secret in transit (e.g. in an email message, over an unencrypted HTTP connection)
- Observing a password/secret being entered on screen
- Weak password recovery (e.g. reliance only on 'security' questions)
- Use of weak 'remember me' functionality
- Re-use of passwords making them guessable
- Passwords/secrets recorded in logs
- Passwords/secrets exposed in form data/URLs
- Client-side caching or storage of passwords/secrets
- Hard-coding of passwords/secrets into code
- Passwords never changed by user
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 36 | 2.2 | 37 | 28 | |
| 37 | 2.9 | |||
| 40 | 2.16 | |||
| 43 | 8.10 | |||
| 48 | 9.1 | |||
| 51 | 9.4 | |||
| 119 | 9.5 | |||
| 139 | ||||
| 140 | ||||
| 146 |
