Top 10-2017 A2-Broken Authentication - Revision history

T.Gigler: Editorial changes e.g. line feeds, bold or underlined text

2018-01-01T16:24:13Z

Editorial changes e.g. line feeds, bold or underlined text

T.Gigler: Prepare OWASP Top 10-2017 Release (Content)

2017-12-15T23:25:26Z

Prepare OWASP Top 10-2017 Release (Content)

Show changes

T.Gigler: Updated PrevLink and NextLink

2017-12-12T00:19:59Z

Updated PrevLink and NextLink

T.Gigler: T.Gigler moved page Top 10 2017-A2-Broken Authentication and Session Management to Top 10-2017 A2-Broken Authentication: OWASP Top 10-2017 Release

2017-12-11T23:46:00Z

T.Gigler moved page Top 10 2017-A2-Broken Authentication and Session Management to Top 10-2017 A2-Broken Authentication: OWASP Top 10-2017 Release

Neil Smithline at 01:42, 24 April 2017

2017-04-24T01:42:12Z

T.Gigler: set font of example to bold

2017-04-23T21:29:12Z

set font of example to bold

T.Gigler: underlined all links, redefined links to OWASP as internal links, created a link at reference to 2017-A3 and 2017-A6, added and deleted some empty lines

2017-04-23T12:05:56Z

underlined all links, redefined links to OWASP as internal links, created a link at reference to 2017-A3 and 2017-A6, added and deleted some empty lines

Neil Smithline at 23:25, 22 April 2017

2017-04-22T23:25:21Z

Neil Smithline at 23:06, 22 April 2017

2017-04-22T23:06:53Z

Neil Smithline at 19:24, 22 April 2017

2017-04-22T19:24:48Z

@@ Line 21: / Line 21: @@
      <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Threat Agent: --->
-Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens. </td>
+Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.</td>
-     <td colspan=2  {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
+     <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Security Weakness: --->
- The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications. Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks. </td>
+The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.<br/>Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks.</td>
-     <td colspan=2  {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
+     <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}>
 <!--- Impacts: --->
- Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information. </td>
+Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.</td>
 {{Top_10_2010:SummaryTableEndTemplate|year=2017}}
@@ Line 38: / Line 38: @@
 * Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“.
 * Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.
-* Uses plain text, encrypted, or weakly hashed passwords (see <b>A3:2017-Sensitive Data Exposure</b>).
+* Uses plain text, encrypted, or weakly hashed passwords (see <u><b>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_A3-{{Top_10_2010:ByTheNumbers|3|year=2017|language=en}} | A3:2017-{{Top_10_2010:ByTheNumbers|3|year=2017|language=en}}]]</b></u>).
 * Has missing or ineffective multi-factor authentication.
 * Exposes Session IDs in the URL (e.g., URL rewriting).
@@ Line 65: / Line 65: @@
 * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V2 Authentication]]</u>
 * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V3 Session Management]]</u>
-* <u>[[Testing_Identity_Management|OWASP Testing Guide: Identity]]</u> and <u>[[Testing_for_authentication|Authentication]]</u>
+* <u>[[Testing_Identity_Management|OWASP Testing Guide: Identity]]</u>, <u>[[Testing_for_authentication|Authentication]]</u>
 * <u>[[Authentication_Cheat_Sheet|OWASP Cheat Sheet: Authentication]]</u>
 * <u>[[Credential_Stuffing_Prevention_Cheat_Sheet|OWASP Cheat Sheet: Credential Stuffing]]</u>
@@ Line 73: / Line 73: @@
 {{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}}
-* <u>[https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret NIST 800-63b: 5.1.1 Memorized Secrets]</u> - for thorough, modern, evidence-based advice on authentication.
+* <u>[https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret NIST 800-63b: 5.1.1 Memorized Secrets]</u>
 * <u>[https://cwe.mitre.org/data/definitions/287.html CWE-287: Improper Authentication]</u>
 * <u>[https://cwe.mitre.org/data/definitions/384.html CWE-384: Session Fixation]</u>

@@ Line 1: / Line 1: @@
 {{Top_10_2013:TopTemplate
-     |usenext=2013NextLink
+     |usenext=2017NextLink
      |next=A3-{{Top_10_2010:ByTheNumbers
                |3
                |year=2017
                |language=en}}
-     |useprev=2013PrevLink
+     |useprev=2017PrevLink
      |prev=A1-{{Top_10_2010:ByTheNumbers
                |1

@@ Line 64: / Line 64: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2017|language=en}}
 <u>'''Scenario #1:'''</u> Airline reservations application supports URL rewriting, putting session IDs in the URL:
-{{Top_10_2010:ExampleBeginTemplate|year=2017}}<b><nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">?sessionid=268544541</span>&dest=Hawaii</b>
+{{Top_10_2010:ExampleBeginTemplate|year=2017}}<b><nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">;<br/>sessionid=268544541</span>&dest=Hawaii</b>
 {{Top_10_2010:ExampleEndTemplate|year=2017}}
 An authenticated user of the site wants to let their friends know about the sale. User e-mails the above link without knowing they are also giving away their session ID. When the friends use the link they use user’s session and credit card.

@@ Line 64: / Line 64: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2017|language=en}}
 <u>'''Scenario #1:'''</u> Airline reservations application supports URL rewriting, putting session IDs in the URL:
-{{Top_10_2010:ExampleBeginTemplate|year=2017}}<nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">?sessionid=268544541</span>&dest=Hawaii
+{{Top_10_2010:ExampleBeginTemplate|year=2017}}<b><nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">?sessionid=268544541</span>&dest=Hawaii</b>
 {{Top_10_2010:ExampleEndTemplate|year=2017}}
 An authenticated user of the site wants to let their friends know about the sale. User e-mails the above link without knowing they are also giving away their session ID. When the friends use the link they use user’s session and credit card.

@@ Line 42: / Line 42: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=2|year=2017|language=en}}
 Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:
-# User authentication credentials aren’t properly protected when stored using hashing or encryption. See 2017-A6.
+# User authentication credentials aren’t properly protected when stored using hashing or encryption. See <u>[[{{Top_10:LanguageFile|text=documentRootTop10|language=en|year=2017 }}-A6-{{Top_10_2010:ByTheNumbers|6|year=2017|language=en}}|2017-A6]]</u>.
 # Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
 # Session IDs are exposed in the URL (e.g., URL rewriting).
-#  Session IDs are vulnerable to [[Session_fixation | session fixation]] attacks.
+# Session IDs are vulnerable to <u>[[Session_fixation | session fixation]]</u> attacks.
 # Session IDs don’t timeout, or user sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout.
 # Session IDs aren’t rotated after successful login.
-# Passwords, session IDs, and other credentials are sent over unencrypted connections. See 2017-A6.
+# Passwords, session IDs, and other credentials are sent over unencrypted connections. See <u>[[{{Top_10:LanguageFile|text=documentRootTop10|language=en|year=2017 }}-A6-{{Top_10_2010:ByTheNumbers|6|year=2017|language=en}}|2017-A6]]</u>.
-See the [[ASVS]] requirement areas V2 and V3 for more details.
+See the <u>[[ASVS]]</u> requirement areas V2 and V3 for more details.
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=2|year=2017|language=en}}
@@ Line 57: / Line 56: @@
 <li>'''A single set of strong authentication and session management controls.''' Such controls should strive to:
 <ol type="a">
-<li>meet all the authentication and session management requirements defined in OWASP’s [https://www.owasp.org/index.php/ASVS Application Security Verification Standard (ASVS)] areas V2 (Authentication) and V3 (Session Management).</li>
+<li>meet all the authentication and session management requirements defined in OWASP’s <u>[[ASVS|Application Security Verification Standard (ASVS)]]</u> areas V2 (Authentication) and V3 (Session Management).</li>
-<li>have a simple interface for developers. Consider the [https://static.javadoc.io/org.owasp.esapi/esapi/2.1.0.1/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs] as good examples to emulate, use, or build upon.</li>
+<li>have a simple interface for developers. Consider the <u>[https://static.javadoc.io/org.owasp.esapi/esapi/2.1.0.1/org/owasp/esapi/Authenticator.html ESAPI Authenticator and User APIs]</u> as good examples to emulate, use, or build upon.</li>
 </ol>
 </li>
-<li>Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See 2017-A3.</li>
+<li>Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See <u>[[{{Top_10:LanguageFile|text=documentRootTop10|language=en|year=2017 }}-A3-{{Top_10_2010:ByTheNumbers|3|year=2017|language=en}}|2017-A3]]</u>.</li>
 </ol>
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=2|year=2017|language=en}}
-'''Scenario #1:''' Airline reservations application supports URL rewriting, putting session IDs in the URL:
+<u>'''Scenario #1:'''</u> Airline reservations application supports URL rewriting, putting session IDs in the URL:
 {{Top_10_2010:ExampleBeginTemplate|year=2017}}<nowiki>h</nowiki>ttp://example.com/sale/saleitems<span style="color: red;">?sessionid=268544541</span>&dest=Hawaii
 {{Top_10_2010:ExampleEndTemplate|year=2017}}
 An authenticated user of the site wants to let their friends know about the sale. User e-mails the above link without knowing they are also giving away their session ID. When the friends use the link they use user’s session and credit card.
 '''Scenario #2''': Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated.
-'''Scenario #3''': An insider or external attacker gains access to the system’s password database. User passwords are not properly hashed and salted, exposing every users’ password.
+<u>'''Scenario #2''':</u> Application’s timeouts aren’t set properly. User uses a public computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and that browser is still authenticated.
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=2|year=2017|language=en}}
 {{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017}}<br/>
-For a more complete set of requirements and problems to avoid in this area, see the [[ASVS | ASVS requirements areas for Authentication (V2) and Session Management (V3)]].
+For a more complete set of requirements and problems to avoid in this area, see the <u>[[ASVS | ASVS requirements areas for Authentication (V2) and Session Management (V3)]]</u>.
-* [[Authentication_Cheat_Sheet | OWASP Authentication Cheat Sheet]]
+* <u>[[Authentication_Cheat_Sheet | OWASP Authentication Cheat Sheet]]</u>
-* [[Forgot_Password_Cheat_Sheet | OWASP Forgot Password Cheat Sheet]]
+* <u>[[Forgot_Password_Cheat_Sheet | OWASP Forgot Password Cheat Sheet]]</u>
-* [[Password_Storage_Cheat_Sheet|OWASP Password Storage Cheat Sheet]]
+* <u>[[Password_Storage_Cheat_Sheet|OWASP Password Storage Cheat Sheet]]</u>
-* [[Session_Management_Cheat_Sheet | OWASP Session Management Cheat Sheet]]
+* <u>[[Session_Management_Cheat_Sheet | OWASP Session Management Cheat Sheet]]</u>
-* [[Testing_for_authentication | OWASP Testing Guide: Chapter on Authentication]]
+* <u>[[Testing_for_authentication | OWASP Testing Guide: Chapter on Authentication]]</u>
 {{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}}
-* [http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]
+* <u>[http://cwe.mitre.org/data/definitions/287.html CWE Entry 287 on Improper Authentication]</u>
-* [http://cwe.mitre.org/data/definitions/384.html CWE Entry 384 on Session Fixation]
+* <u>[http://cwe.mitre.org/data/definitions/384.html CWE Entry 384 on Session Fixation]</u>
 {{Top_10_2013:BottomAdvancedTemplate

← Older revision	Revision as of 23:46, 11 December 2017
(No difference)

@@ Line 15: / Line 15: @@
 {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
-{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=1|detectability=2|impact=1|year=2017|language=en}}
+{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=2|detectability=2|impact=1|year=2017|language=en}}
 {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>