Test time synchronisation (OTG-LOG-001)
Brief Description
Without time synchronization across systems it is impossible to correlate events and actions.
Issue
In the event of a suspected or actual security incident, it will be necessary to aggregate information from all types of system component event logs and audit trails. This information is vital to investigations and forensic analysis. If the web servers' time is adrift, event correlation becomes much harder and the evidential value of the logs may be lost.
Incorrect time can also affect business functions provided by applications that are time-dependent (e.g. deadlines for submissions, expiry of offers, time-limited access controls, auction bids). Deliberate manipulation of server time, for example by tampering with an unauthenticated time source the server trusts, could therefore be used to subvert such controls.
Example
The HTTP headers returned by https://www.owasp.org/index.php/Main_Page are:
Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
200 OK
If the tester's clock, converted to UTC, shows the same time (e.g. 15:11 local time in GMT+1 corresponds to 14:11 GMT) then the server's time is correctly synchronised. Note that the Date header is always expressed in GMT, so the tester's local time must be converted before comparing. The degree of accuracy required is application dependent, but it would be unusual for any server that uses robust reference time sources to be more than a minute or so adrift.
Testing Method
Time should be checked at all locations where the application exposes such information:
- Date HTTP header (as above)
- User-visible audit trail timestamps
- Last modified dates/times displayed after additions or updates are made
- Last logged in data where the time is included as well as the day
- Accessible event logs
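The comparison described in the Example and Testing Method sections can be automated. The following is an added example, not code from the original OWASP page: it extracts the Date header from a captured response, converts the tester's own (timezone-aware) clock to UTC and reports the signed skew against a configurable tolerance. The response headers and the two tester clocks are constructed sample values that reproduce the figures quoted above; the one-minute tolerance is an assumption taken from the text.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response (not a live capture); mirrors the headers quoted above.
SAMPLE_RESPONSE_HEADERS = """Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
Content-Type: text/html; charset=UTF-8
"""

# Constructed tester clocks, both in the GMT+1 zone used in the page's example.
TESTER_TZ = timezone(timedelta(hours=1))
# Correct reading: 15:11:09 GMT+1 is 14:11:09 UTC, the same as the Date header.
TESTER_CLOCK_CORRECT = datetime(2013, 10, 15, 15, 11, 9, tzinfo=TESTER_TZ)
# Common mistake: comparing the raw local time 14:11 with the GMT header.
TESTER_CLOCK_WRONG = datetime(2013, 10, 15, 14, 11, 9, tzinfo=TESTER_TZ)


def extract_date_header(raw_headers: str) -> datetime:
    """Return the Date header as a timezone-aware UTC datetime.

    Raises ValueError if the header is absent or not a valid HTTP-date.
    """
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dt = parsedate_to_datetime(value.strip())
            if dt.tzinfo is None:
                # parsedate_to_datetime returns a naive value for "-0000"; treat as UTC.
                dt = dt.replace(tzinfo=timezone.utc)
            return dt.astimezone(timezone.utc)
    raise ValueError("no Date header in response")


def clock_skew(server_time: datetime, tester_time: datetime) -> timedelta:
    """Signed skew: positive means the server clock is ahead of the tester's.

    Both values must be timezone-aware so the subtraction is done in UTC.
    """
    if server_time.tzinfo is None or tester_time.tzinfo is None:
        raise ValueError("both times must carry a timezone")
    return server_time - tester_time


def check_skew(raw_headers: str, tester_time: datetime,
               tolerance: timedelta = timedelta(minutes=1)) -> dict:
    """Compare the response's Date header with the tester's clock.

    Returns the server time in UTC, the skew in seconds and whether the skew
    is within the assumed one-minute tolerance.
    """
    server_time = extract_date_header(raw_headers)
    skew = clock_skew(server_time, tester_time)
    return {
        "server_utc": server_time,
        "skew_seconds": skew.total_seconds(),
        "within_tolerance": abs(skew) <= tolerance,
    }


if __name__ == "__main__":
    # In a live test, record datetime.now(timezone.utc) immediately after the
    # response arrives; a few hundred milliseconds of network latency is normal.
    for label, clock in (("correct reading", TESTER_CLOCK_CORRECT),
                         ("wrong reading", TESTER_CLOCK_WRONG)):
        result = check_skew(SAMPLE_RESPONSE_HEADERS, clock)
        print(f"{label}: skew {result['skew_seconds']:+.0f}s, "
              f"within tolerance: {result['within_tolerance']}")
```

Two caveats when applying this against a real target. The Date header is generated when the origin server creates the response, so a response served from a cache can carry an old Date; check for an Age header (and Via headers) before concluding the origin clock is wrong. And a skew of exactly one or several whole hours almost always indicates a timezone handling error on one side rather than genuine drift, as the second sample clock above shows.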
Test Tools
Web browser and the ability to examine HTTP headers (e.g. the browser's developer tools, or curl -I from the command line).
Related Test Cases
None.
References
- Logging Cheat Sheet, OWASP
- SP 800-92 Guide to Computer Security Log Management, NIST
- PCI DSS v2.0 Requirement 10 and PA-DSS v2.0 Requirement 4, PCI Security Standards Council
- NTP: The Network Time Protocol
Remediation
Ensure the application, application servers, web servers and other supporting infrastructure are configured to synchronise their time with trusted reference time sources (for example NTP against a small, agreed set of reliable servers), and that all components record log timestamps in UTC or with an explicit timezone offset so that events from different systems can be correlated reliably.