This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Cornucopia - Ecommerce Website - AT 9

From OWASP
Revision as of 14:35, 21 January 2016 by Dariodf (talk | contribs) (Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#73abcc;">Cornucopia - Ecommerce Website - AT 9</span>}} File:Cornucopia_-_Ecommerce_Website_AT_9....")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Cornucopia - Ecommerce Website AT 9.png

Suit: Authentication

Card/Value: 9

Description:

Claudia can undertake more critical functions because authentication requirements are too weak, or there is no requirement to re-authenticate for these.

Technical Note:

The level of assurance required for confirmation of identity should be assessed. In some cases different levels of authentication may be needed (e.g. two-factor authentication for some users, but not others), and re-authentication should be considered for some important functionality (e.g. changing password, making a payment, deleting an account), especially where weaknesses have been accepted to reduce application friction for users (e.g. having longer session timeouts, allowing guest check-out, having remember-me functionality).

NB: the key concept for this card is insufficient authentication. See Session Management SM 8 for the re-authentication requirement to check if privileges have changed.

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECODE
55 2.1 21 14
56 2.26 28






« Previous Card | Authentication | Next Card »
Retrieved from "https://wiki.owasp.org/index.php?title=Cornucopia_-_Ecommerce_Website_-_AT_9&oldid=207047"