Difference between revisions of "Top 10-2017 A2-Broken Authentication"
(Prepare OWASP Top 10-2017 Release (Content))
m (Editorial changes e.g. line feeds, bold or underlined text)
Line 21: | Line 21: | ||
<td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> | ||
<!--- Threat Agent: ---> | <!--- Threat Agent: ---> | ||
− | Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens. </td> | + | Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.</td> |
− | <td colspan=2 | + | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> |
<!--- Security Weakness: ---> | <!--- Security Weakness: ---> | ||
− | + | The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.<br/>Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks.</td> | |
− | <td colspan=2 | + | <td colspan=2 {{Template:Top_10_2010:SummaryTableRowStyleTemplate|year=2017}}> |
<!--- Impacts: ---> | <!--- Impacts: ---> | ||
− | + | Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information.</td> | |
{{Top_10_2010:SummaryTableEndTemplate|year=2017}} | {{Top_10_2010:SummaryTableEndTemplate|year=2017}} | ||
Line 38: | Line 38: | ||
* Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“. | * Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“. | ||
* Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe. | * Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe. | ||
− | * Uses plain text, encrypted, or weakly hashed passwords (see <b>A3:2017- | + | * Uses plain text, encrypted, or weakly hashed passwords (see <u><b>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_A3-{{Top_10_2010:ByTheNumbers|3|year=2017|language=en}} | A3:2017-{{Top_10_2010:ByTheNumbers|3|year=2017|language=en}}]]</b></u>). |
* Has missing or ineffective multi-factor authentication. | * Has missing or ineffective multi-factor authentication. | ||
* Exposes Session IDs in the URL (e.g., URL rewriting). | * Exposes Session IDs in the URL (e.g., URL rewriting). | ||
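Review bot: the unchanged context line `* Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin“.` opens `admin/admin` with a straight quote and closes it with a typographic one (“); since this hunk already edits the neighbouring bullet, replacing the closing “ with a straight `"` would keep the quoting consistent with the rest of the list.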
Line 65: | Line 65: | ||
* <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V2 Authentication]]</u> | * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V2 Authentication]]</u> | ||
* <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V3 Session Management]]</u> | * <u>[[:Category:OWASP_Application_Security_Verification_Standard_Project#tab=Home|OWASP Application Security Verification Standard: V3 Session Management]]</u> | ||
− | * <u>[[Testing_Identity_Management|OWASP Testing Guide: Identity]]</u> | + | * <u>[[Testing_Identity_Management|OWASP Testing Guide: Identity]]</u>, <u>[[Testing_for_authentication|Authentication]]</u> |
* <u>[[Authentication_Cheat_Sheet|OWASP Cheat Sheet: Authentication]]</u> | * <u>[[Authentication_Cheat_Sheet|OWASP Cheat Sheet: Authentication]]</u> | ||
* <u>[[Credential_Stuffing_Prevention_Cheat_Sheet|OWASP Cheat Sheet: Credential Stuffing]]</u> | * <u>[[Credential_Stuffing_Prevention_Cheat_Sheet|OWASP Cheat Sheet: Credential Stuffing]]</u> | ||
Line 73: | Line 73: | ||
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}} | {{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}} | ||
− | * <u>[https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret NIST 800-63b: 5.1.1 Memorized Secrets]</u> | + | * <u>[https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret NIST 800-63b: 5.1.1 Memorized Secrets]</u> |
* <u>[https://cwe.mitre.org/data/definitions/287.html CWE-287: Improper Authentication]</u> | * <u>[https://cwe.mitre.org/data/definitions/287.html CWE-287: Improper Authentication]</u> | ||
* <u>[https://cwe.mitre.org/data/definitions/384.html CWE-384: Session Fixation]</u> | * <u>[https://cwe.mitre.org/data/definitions/384.html CWE-384: Session Fixation]</u> |
Latest revision as of 16:24, 1 January 2018
| Threat Agents / Attack Vectors | | Security Weakness | | Impacts | |
|---|---|---|---|---|---|
| App Specific | Exploitability: 3 | Prevalence: 2 | Detectability: 2 | Technical: 3 | Business ? |
| Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens. | | The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications. Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks. | | Attackers have to gain access to only a few accounts, or just one admin account to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, and identity theft, or disclose legally protected highly sensitive information. | |
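The summary above says that attackers exploit broken authentication with automated tools, password lists and dictionary attacks. The defender-side counterpart is to recognise that activity in authentication logs. The following Python script is an added example and is not part of the OWASP page: it parses a constructed log format (`<timestamp> auth ok|fail user=<name> ip=<addr>`), flags a source address that fails against many distinct accounts inside a time window (credential stuffing or password spraying) and an account that accumulates many failures (brute force or dictionary attack), and lists any successful logins from a flagged address so those accounts can be reviewed. The log format, thresholds, window and sample lines are all constructed assumptions.

```python
"""Added example, not from the OWASP page: spot credential-stuffing and
brute-force patterns in authentication logs.  The log format, the
thresholds and the sample lines are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line shape: "<ISO timestamp> auth ok|fail user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address spraying many accounts (with one hit),
# one address hammering a single account, and ordinary user traffic.
SAMPLE_LOG = """\
2018-01-01T10:00:00 auth ok user=alice ip=203.0.113.5
2018-01-01T10:00:03 auth fail user=bob ip=198.51.100.9
2018-01-01T10:00:04 auth fail user=carol ip=198.51.100.9
2018-01-01T10:00:05 auth fail user=dave ip=198.51.100.9
2018-01-01T10:00:06 auth fail user=erin ip=198.51.100.9
2018-01-01T10:00:07 auth ok user=frank ip=198.51.100.9
2018-01-01T10:00:08 auth fail user=grace ip=198.51.100.9
2018-01-01T10:01:00 auth fail user=admin ip=192.0.2.77
2018-01-01T10:01:01 auth fail user=admin ip=192.0.2.77
2018-01-01T10:01:02 auth fail user=admin ip=192.0.2.77
2018-01-01T10:01:03 auth fail user=admin ip=192.0.2.77
2018-01-01T10:01:04 auth fail user=admin ip=192.0.2.77
2018-01-01T10:01:05 auth fail user=admin ip=192.0.2.77
2018-01-01T10:05:00 auth fail user=alice ip=203.0.113.5
2018-01-01T10:05:10 auth ok user=alice ip=203.0.113.5
"""


def parse(lines):
    """Yield (timestamp, result, user, ip) for every line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(lines, window_s=300, spray_users=5, bruteforce_fails=5):
    """Return a list of alert dicts.

    credential_stuffing: one ip fails against >= spray_users distinct accounts
                         within window_s seconds (successes from it are listed).
    brute_force:         one account collects >= bruteforce_fails failures
                         within window_s seconds, from any address.
    """
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in sorted(parse(lines)):
        by_ip[ip].append((ts, result, user))
        by_user[user].append((ts, result, ip))

    alerts = []
    for ip, events in by_ip.items():
        for i, (t0, _, _) in enumerate(events):          # sliding window start
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            failed_users = {e[2] for e in win if e[1] == "fail"}
            if len(failed_users) >= spray_users:
                alerts.append({
                    "type": "credential_stuffing",
                    "ip": ip,
                    "distinct_failed_users": len(failed_users),
                    "successes": sorted({e[2] for e in win if e[1] == "ok"}),
                })
                break                                    # one alert per ip
    for user, events in by_user.items():
        for i, (t0, _, _) in enumerate(events):
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            fails = sum(1 for e in win if e[1] == "fail")
            if fails >= bruteforce_fails:
                alerts.append({"type": "brute_force", "user": user, "failures": fails})
                break                                    # one alert per account
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the script raises two alerts: a credential-stuffing alert for `198.51.100.9` (five distinct accounts failed, `frank` succeeded) and a brute-force alert for `admin` (six failures from `192.0.2.77`). The thresholds are deliberately low to keep the sample short; in a real deployment they are tuned against the site's normal failure rate, and the success list from a flagged address is what drives forced password resets and session revocation.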
Is the Application Vulnerable?
Confirmation of the user's identity, authentication, and session management are critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:
How to Prevent
Example Attack Scenarios
Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.

Scenario #2: Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements are viewed as encouraging users to use, and reuse, weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.

Scenario #3: Application session timeouts aren't set properly. A user uses a public computer to access an application. Instead of selecting "logout" the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
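The three scenarios describe a password oracle, weak password handling and an unexpired session. The following Python module is an added example, not code from the OWASP page, of a small login and session service that closes those gaps: registration rejects well-known passwords against a denylist instead of imposing composition rules (the NIST 800-63B approach referenced in Scenario #2), passwords are stored as salted PBKDF2 hashes, every failure returns the same generic result and runs the same key derivation whether or not the username exists, an account is throttled after a burst of failures so the login endpoint cannot serve as an oracle, a fresh session id is issued on each login, and sessions expire after an idle timeout. The class name, limits, timeouts, denylist and sample credentials are constructed assumptions; the clock is injectable so the timeout and lockout behaviour can be exercised without waiting.

```python
"""Added example (not OWASP's code): a minimal login/session service that
refuses well-known passwords, stores salted hashes, throttles failed logins
so the app is not a password oracle, and expires idle sessions.
All names, limits and sample values are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed denylist; a real deployment checks against a breached-password
# corpus as NIST 800-63B 5.1.1 recommends.
WEAK_PASSWORDS = {"password1", "admin", "123456", "qwerty", "letmein"}
KDF_ITERATIONS = 200_000  # kept modest for the example; raise in production
MAX_FAILURES = 5          # failures per account within LOCK_WINDOW seconds
LOCK_WINDOW = 15 * 60
IDLE_TIMEOUT = 15 * 60    # session idle timeout in seconds (Scenario #3)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def is_acceptable_password(password):
    """Minimum length plus denylist lookup instead of rotation/complexity rules."""
    return len(password) >= 8 and password.lower() not in WEAK_PASSWORDS


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> timestamps of recent failures
        self.sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def register(self, username, password):
        if not is_acceptable_password(password):
            raise ValueError("password is too weak or well known")
        self.users[username] = hash_password(password)

    def _locked(self, username):
        """True when the account has hit MAX_FAILURES inside LOCK_WINDOW."""
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < LOCK_WINDOW]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username, password):
        """Return a session id, or None with no hint about which check failed."""
        if self._locked(username):
            return None
        record = self.users.get(username)
        # Run the KDF even for unknown usernames so timing does not reveal
        # whether an account exists.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            self.failures.setdefault(username, []).append(self.clock())
            return None
        self.failures.pop(username, None)
        sid = secrets.token_urlsafe(32)  # fresh id per login, never reused
        self.sessions[sid] = {"user": username, "last_seen": self.clock()}
        return sid

    def current_user(self, sid):
        """Resolve a session, discarding it once idle longer than IDLE_TIMEOUT."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        session["last_seen"] = self.clock()
        return session["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)
```

In use, the service is created once with the real clock (`AuthService()`), `register` is called from the sign-up handler, `login` from the login handler (the returned id goes into an HttpOnly cookie, never into the URL), and `current_user` from every authenticated request so the idle timer is refreshed or the session dropped. The per-account counter is the simplest form of automated-threat protection; a production service adds per-source throttling and multi-factor authentication on top of it.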
References
OWASP
External