This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - AT 9"
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#73abcc;">Cornucopia - Ecommerce Website - AT 9</span>}} File:Cornucopia_-_Ecommerce_Website_AT_9....") |
|||
| Line 43: | Line 43: | ||
</tr> | </tr> | ||
</table> | </table> | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_8|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_10|Next Card »]] </div> | <div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_8|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_10|Next Card »]] </div> | ||
Latest revision as of 16:19, 21 January 2016
Suit: Authentication
Card/Value: 9
Description:
Claudia can undertake more critical functions because authentication requirements are too weak, or there is no requirement to re-authenticate for these.
Technical Note:
The level of assurance required for confirmation of identity should be assessed. In some cases different levels of authentication may be needed (e.g. two-factor authentication for some users, but not others), and re-authentication should be considered for some important functionality (e.g. changing password, making a payment, deleting an account), especially where weaknesses have been accepted to reduce application friction for users (e.g. having longer session timeouts, allowing guest check-out, having remember-me functionality).
NB: the key concept for this card is insufficient authentication. See Session Management SM 8 for the re-authentication requirement to check if privileges have changed.
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 55 | 2.1 | 21 | 14 | |
| 56 | 2.26 | 28 |
