This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Codereview-Authentication"

From OWASP
Jump to: navigation, search
Line 54: Line 54:
  
  
===Unlogical business Logic===
+
===Data validation issues===
  
===Data validation issues===
+
There are many data validation issues relating to authentication which utilises form fields. Inadequate field validation can give rise to the following issues:
 +
 
 +
SQL Injection
 +
Cross Site Scripting

Revision as of 14:50, 1 July 2008

OWASP Code Review Guide Table of Contents


Introduction

The following discusses aspects of source code relating to weak authentication functionality. This could be due to flawed implementation or broken business logic: Authentication is a key line of defence in protecting non-public data, sensitive functionality

Weak Passwords and password functionality

Password strength should be enforced upon a user setting/selecting ones password. Passwords should be complex in composition. Such checks should be done on the backend/server side of the application upon an attempt to submitt a new password.

Bad Example

Simply checking that a password is not NULL is not sufficient:

String password = request.getParameter("Password");
if (password == Null) 
   {throw InvalidPasswordException()
   }

Good Example

Passwords should be checked for the following composition or a variance of such

at least: 1 Upper character (A-Z)
at least: 1 Lower character (a-z)
at least: 1 digit (0-9)
at least one special character (!"£$%&...)
a defined minimum length (8 chars)
a defined maximum length (as with all external input)

no contigous characters (123abcd)
not more than 2 identical characters in a row (1111)

Such rules should be looked for in code and used as soon as the http request is received. The rules can be comples RegEx expressions or logical code statements:

if password.RegEx([a-z])
   and password.RegEx([A-Z])
   and password.RegEx([0-9])
   and password.RegEx({8-30})
   and password.RexEX([!"£$%^&*()])
   return true;
else
return false;


(?=^.{8,30}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()_+}{"":;'?/>.<,]).*$ 


Data validation issues

There are many data validation issues relating to authentication which utilises form fields. Inadequate field validation can give rise to the following issues:

SQL Injection Cross Site Scripting