This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - SM 10"
From OWASP
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#98c477;">Cornucopia - Ecommerce Website - SM 10</span>}} File:Cornucopia_-_Ecommerce_Website_SM_1...") |
|||
Line 42: | Line 42: | ||
</tr> | </tr> | ||
</table> | </table> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Latest revision as of 16:22, 21 January 2016
Suit: Session management
Card/Value: 10
Description:
Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state.
Technical Note:
Consider supplementing standard session management with:
- Per-session strong random tokens or parameters.
- Per-request, as opposed to per-session, strong random tokens or parameters.
References:
OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
---|---|---|---|---|
73 | 4.16 | IE4 | 62 | 18 |
74 | 111 |