
Difference between revisions of "Testing for Vulnerable Remember Password (OTG-AUTHN-005)"

 
(8 intermediate revisions by 5 users not shown)

Previous revision (the text these revisions replaced; the replacement text is the article rendered in full under "Latest revision" below):

== Summary ==

The remember password function of an application is a self-service password reset/recovery mechanism for users. This self-service mechanism allows users to quickly reset/recover their password without an administrator intervening. Typically, in order to access this functionality the user must enter some form of identification, such as their username or email address.

== Test objectives ==

Evaluate the remember password function's user identification requirements, e.g. username, email address, security question

Evaluate the method for how the reset/recovered password is communicated to the user

Evaluate the logic/workflow for how the password is reset/recovered

== How to test ==

# Evaluate the level of identification that is required by the user to trigger a reset/recovery
# Observe how the reset/recovered password is communicated to the user, e.g. email, rendered by browser
# Observe what steps are required to reset/recover password and what can be injected and falsified during this exchange

=== Example ===

== Tools ==

== References ==

== Remediation ==

Implement additional identification requirements depending on the risk level. In order from lowest to highest assurance:

# username
# security question
# email address
# username and email address and security question
# positive identification based on physical attendance of user

Implement additional security to the transfer of the password to the user depending on the risk level. In order from lowest to highest assurance:

# Rendered by browser
# Unencrypted email
# Manually processed based on positive user identification and physically transferred by certified post or courier to user

Latest revision as of 13:26, 5 August 2014

This article is part of the new OWASP Testing Guide v4.


Summary

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user. Additionally, some websites will offer custom "remember me" functionality to allow users to persist logins on a specific client system.


Having the browser store passwords is not only a convenience for end-users, but also for an attacker. If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser enter the password.


Additionally, where custom "remember me" functions are in place, weaknesses in how the token is stored on the client PC (for example using base64-encoded credentials as the token) could expose the user's password. Since early 2014 most major browsers override any use of autocomplete="off" on password forms; as a result, previous checks for this are no longer required, and recommendations to disable this feature should not commonly be given. However, this can still apply to things like secondary secrets which may be stored in the browser inadvertently.


How to Test

  • Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed.
  • Examine the hashing mechanism: if it is a common, well-known algorithm, check for its strength; in homegrown hash functions, attempt several usernames to check whether the hash function is easily guessable.
  • Verify that the credentials are only sent during the login phase, and not sent together with every request to the application.
  • Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form).
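The first two test steps above (cookies that carry encoded credentials, and cookies that are an unsalted hash of the username) can be automated over a captured cookie jar. The script below is an added example written for this page, not part of the OWASP Testing Guide; the cookie names, values and usernames are constructed sample data, and the hash algorithms it tries (MD5, SHA-1, SHA-256) are an assumed list of what homegrown schemes commonly use.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample cookie jar (not from any real application) covering the
# cases the test steps describe: encoded clear-text credentials, an unsalted
# hash of the username, and an opaque random session id that should pass.
SAMPLE_COOKIES = {
    "rememberme": base64.b64encode(b"alice:Passw0rd!").decode(),
    "auth": hashlib.md5(b"alice").hexdigest(),
    "session": "Xk9-Qp_7ZaRt",
}

# Hex digest lengths for MD5 (32), SHA-1 (40) and SHA-256 (64).
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def try_base64(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def unsalted_hash_match(value, usernames):
    """Report when value equals a plain hash of one of the usernames under test."""
    candidate = value.lower()
    if not HEX_DIGEST_RE.match(candidate):
        return None
    for user in usernames:
        for algo in ("md5", "sha1", "sha256"):
            if hashlib.new(algo, user.encode()).hexdigest() == candidate:
                return f"equals unsalted {algo}({user!r}): trivially forgeable"
    return None


def inspect_cookies(cookies, usernames):
    """Map each cookie name to a list of findings (empty list means no issue found)."""
    findings = {}
    for name, value in cookies.items():
        issues = []
        hit = unsalted_hash_match(value, usernames)
        if hit:
            issues.append(hit)
        else:
            decoded = try_base64(value)
            # Separators such as ':' or '=' suggest "user:password" style content.
            if decoded and re.search(r"[:=;]", decoded):
                issues.append(f"base64 decodes to credential-like text {decoded!r}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in inspect_cookies(SAMPLE_COOKIES, ["alice", "bob"]).items():
        print(cookie, "->", issues or "no finding")
```

Feed `inspect_cookies` the cookies set by the application after a "remember me" login, together with the test accounts you own; a value that decodes to readable credentials, or that equals a bare hash of a username, is a finding under the first two steps.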


Remediation

Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in cookies.
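As an added example (not part of the OWASP Testing Guide) of this remediation and of the weakness described in the Summary, the block below places the base64-encoded-credentials pattern beside a hardened "remember me" design: the client only ever holds a random opaque token, the server stores a hash of it with an expiry, the token is single-use so a replayed copy fails, and all tokens for a user can be revoked server-side. The 30-day lifetime and the SHA-256 storage digest are assumed policy choices, not values from the page.

```python
import base64
import hashlib
import secrets
import time


# --- The weak pattern the guide warns about: credentials encoded into the cookie ---
def weak_remember_me_cookie(username, password):
    """Base64 is encoding, not encryption: whoever reads the cookie has the password."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_from_weak_cookie(cookie):
    """Shows how little stands between the cookie and the clear-text credentials."""
    return base64.b64decode(cookie).decode()


# --- Hardened pattern: random opaque token, only its hash kept server-side ---
class RememberMeStore:
    TTL = 30 * 24 * 3600  # assumed policy: tokens live 30 days

    def __init__(self):
        # sha256(token) -> (username, expiry); a database dump never yields a usable token
        self._records = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create a fresh 256-bit random token; return it for the Set-Cookie header."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = (username, now + self.TTL)
        return token

    def redeem(self, token, now=None):
        """Return (username, new_token) or None. Tokens are single-use: a stolen copy
        replayed after the legitimate client used it no longer works, and the
        lookup key is a hash of a high-entropy random value, so it leaks nothing."""
        now = time.time() if now is None else now
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return None
        username, expiry = record
        if now > expiry:
            return None
        return username, self.issue(username, now)

    def revoke_all(self, username):
        """Server-side revocation, e.g. after a password change or reported theft."""
        self._records = {d: r for d, r in self._records.items() if r[0] != username}


if __name__ == "__main__":
    print("weak cookie reveals:", recover_from_weak_cookie(weak_remember_me_cookie("alice", "Passw0rd!")))
    store = RememberMeStore()
    token = store.issue("alice")
    print("hardened cookie value:", token)
    print("first redeem:", store.redeem(token) is not None, "replay:", store.redeem(token))
```

The contrast to check in a review is the one the guide's remediation states: the weak cookie is a reversible encoding of the credentials, while the hardened cookie is a random value from which neither the password nor (given only the server's table) the token itself can be recovered.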