This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Cornucopia - Ecommerce Website - AT 9
Suit: Authentication
Card/Value: 9
Description:
Claudia can undertake more critical functions because authentication requirements are too weak, or there is no requirement to re-authenticate for these.
Technical Note:
The level of assurance required for confirmation of identity should be assessed. In some cases different levels of authentication may be needed (e.g. two-factor authentication for some users, but not others), and re-authentication should be considered for some important functionality (e.g. changing password, making a payment, deleting an account), especially where weaknesses have been accepted to reduce application friction for users (e.g. having longer session timeouts, allowing guest check-out, having remember-me functionality).
NB: the key concept for this card is insufficient authentication. See Session Management SM 8 for the re-authentication requirement to check if privileges have changed.
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
55 | 2.1 | 21 | 14 | |
56 | 2.26 | 28 |