Top 10 2014-I2 Insufficient Authentication/Authorization - Revision history

Yunsoul at 06:58, 5 February 2016

2016-02-05T06:58:04Z

Yunsoul at 05:48, 5 February 2016

2016-02-05T05:48:04Z

Yunsoul at 05:47, 5 February 2016

2016-02-05T05:47:40Z

Craig Smith at 23:01, 1 December 2015

2015-12-01T23:01:00Z

Craig Smith at 00:10, 18 August 2015

2015-08-18T00:10:54Z

Craig Smith at 22:08, 9 February 2015

2015-02-09T22:08:11Z

Craig Smith at 21:48, 9 February 2015

2015-02-09T21:48:11Z

Craig Smith at 21:23, 9 February 2015

2015-02-09T21:23:19Z

Craig Smith at 21:22, 9 February 2015

2015-02-09T21:22:46Z

Craig Smith at 21:12, 9 February 2015

2015-02-09T21:12:44Z

@@ Line 45: / Line 45: @@
 # The app authentication is required
 # The device authentication is required
 # Manage authenicated user id(credential info.) and the user's device id, the user's app id mapping table in the authentication server
 # Ensuring that the authentication token/session key issuing to client is always different

@@ Line 45: / Line 45: @@
 # The app authentication is required
 # The device authentication is required
-# Manage authenicated user id(creadential info.) and the user's device id, the user's app id mapping table in the authentication server
+# Manage authenicated user id(credential info.) and the user's device id, the user's app id mapping table in the authentication server
 # Ensuring that the authentication token/session key issuing to client is always different
 # Ensuring that the user id, app id, device id is universally unique

@@ Line 42: / Line 42: @@
 # Ensuring re-authentication is required for sensitive features
 # Ensuring options are available for configuring password controls
 Please review the following tabs for more detail based on whether you are a [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Manufacturers Manufacturer], [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Developers Developer] or [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Consumers Consumer]

← Older revision		Revision as of 23:01, 1 December 2015
Line 1:		Line 1:
−	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=~~Top_IoT_Vulnerabilities~~ Back To The Internet of Things Top 10]</center>	+	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__282014_29 Back To The Internet of Things Top 10]</center>

	{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2013\|language=en}}		{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2013\|language=en}}

← Older revision		Revision as of 00:10, 18 August 2015
Line 1:		Line 1:
−	<center>[https://www.owasp.org/index.php/~~OWASP_Internet_of_Things_Top_Ten_Project~~#tab=~~OWASP_Internet_of_Things_Top_10_for_2014~~ Back To The Internet of Things Top 10]</center>	+	<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_IoT_Vulnerabilities Back To The Internet of Things Top 10]</center>

	{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2013\|language=en}}		{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2013\|language=en}}

@@ Line 25: / Line 25: @@
 Checking for Insufficient Authentication includes:
 * Attempting to use simple passwords such as "1234" is a fast and easy way to determine if the password policy is sufficient across all interfaces
-* Manual testing can help identify instances where weak passwords are allowed or credentials are poorly protected
+* Reviewing network traffic to determine if credentials are being transmitted in clear text
-* Testers can validate these issues by conducting dictionary or brute-force attacks against a valid user
+* Reviewing requirements around password controls such as password complexity, password history check, password expiration and forced password reset for new users
 Checking for Insufficient Authorization includes:
 * Reviewing the various interfaces to determine whether the interfaces allow for separation of roles. For example, all features will be accessible to administrators, but users will have a more limited set of features available.
-* Testers can validate these issues by reviewing access controls and testing for privilege escalation
+* Reviewing access controls and testing for privilege escalation
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Make My Authentication/Authorization Better?|position=right|year=2013|language=en}}
@@ Line 39: / Line 40: @@
 # Implement two factor authentication where possible
 # Ensuring that password recovery mechanisms are secure
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
 '''Scenario #1:''' The interface only requires simple passwords.

@@ Line 56: / Line 56: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}
 {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
 [https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management Top 10 2013-A2-Broken Authentication and Session Management]
 {{Top_10_2010:SubSubsectionExternalReferencesTemplate}}

@@ Line 34: / Line 34: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Make My Authentication/Authorization Better?|position=right|year=2013|language=en}}
 Sufficient authentication/authorization requires:
-# Ensuring complex password construction.
+# Ensuring that the strong passwords are required
-# Ensuring granular access control is in place when necessary.
+# Ensuring granular access control is in place when necessary
-# Ensuring credentials are properly protected.
+# Ensuring credentials are properly protected
 # Implement two factor authentication where possible
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
 '''Scenario #1:''' The interface only requires simple passwords.
@@ Line 55: / Line 56: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=en}}
 {{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
+[https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management Top 10 2013-A2-Broken Authentication and Session Management]
 {{Top_10_2010:SubSubsectionExternalReferencesTemplate}}