This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cornucopia - Ecommerce Website - AT Q"

From OWASP
Jump to: navigation, search
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#73abcc;">Cornucopia - Ecommerce Website - AT Q</span>}} File:Cornucopia_-_Ecommerce_Website_AT_Q....")
 
 
Line 67: Line 67:
 
</tr>
 
</tr>
 
</table>
 
</table>
 
 
 
  
  
 
<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span>  [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_K|Next Card »]] </div>
 
<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_J|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span>  [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_K|Next Card »]] </div>

Latest revision as of 16:20, 21 January 2016

Cornucopia - Ecommerce Website AT Q.png

Suit: Authentication

Card/Value: Q

Description:

Jaime can bypass authentication because it is not enforced with equal rigor for all types of authentication functionality (e.g. register, password change, password recovery, log out, administration) or across all versions (e.g. mobile website, full website).

Technical Note:

The degree of identity assurance may not be the same for all web application functions. Or the authentication function may be available in a weaker manner in some other mode or channel, thus compromising the web application.

The key concept for this card is inconsistent authentication. See AT J for missing authentication, AT K for changing the executing authentication code, and other cards in this suit for individual authentication issues (e.g. missing notification, inadequate password protection, enumeration, weak account management, weak use of temporary passwords, bypass, missing re-authetication, etc).

References:

OWASP SCP OWASP ASVS OWASP AppSensor CAPEC SAFECODE
23 2.1 36 14
29 2.8 50 28
42 115
49 121
179


« Previous Card | Authentication | Next Card »