This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Test user-viewable log of authentication events (OTG-LOG-002)

From OWASP
Jump to: navigation, search

Brief Description

Proving users with their last logged in date/time is a useful way to help them identify mis-use of their own accounts. Providing a list of important authentication events over a longer time period is even better.

Issue

If visibility is given to users of applications with user interfaces (e.g. websites) about their previous use, this can provide them with confidence about the use of their account. If unexpected events are found, this might encouarge a user to change their password. If a number of users contact the application's owner, it could indicate a more significant intrusion or data breach.

Example

A user logs in and goes to their profile page. There is a paginated list of recent site authentication actions, with the most recent first. For example:

Tue, 15 Oct 2013, 14:43:05 GMT   Europe        Successful log in          User
Tue, 15 Oct 2013, 14:40:37 GMT   N.America     Reset link sent            Application
Tue, 15 Oct 2013, 14:40:36 GMT   SE.Asia       Account unlocked           Call centre [6RE34]
Tue, 15 Oct 2013, 14:40:20 GMT   SE.Asia       Account details viewed     Call centre [6RE34]
Tue, 15 Oct 2013, 14:40:20 GMT   Europe        Caller identity verified   +44 191 *** ****
Tue, 15 Oct 2013, 14:21:15 GMT   N.America     Account locked             Application
Tue, 15 Oct 2013, 14:21:15 GMT   Europe        Failed log in              User
Tue, 15 Oct 2013, 14:21:06 GMT   Europe        Failed log in              User
Tue, 15 Oct 2013, 14:20:53 GMT   Europe        Failed log in              User
Mon, 29 Apr 2013, 19:54:09 GMT   Europe        Logged out                 User
etc

Testing Method

Log in as a valid user and identify if there is a list of account activity, especially authentication events such as:

  • Successful log in
  • Failed log in
  • Account locked / disabled
  • Account unlocked / enabled
  • Account created
  • Password changed
  • Username changed
  • Logged out

These should relate to all such actions:

  • Using the web application itself (i.e. by the authenticated user)
  • Using related/partner applications where the same credentials are valid
  • By someone or something else (e.g. a call centre agent, a website administrator, another application)

Also review whether these additional properties relating to the user are accessible:

  • Events that cost the user money (e.g. purchase history)
  • Changes to role or access privileges
  • Significant status changes (e.g. credit limit altered)

Ensure that sensitive data is not exposed in the event list.

Test Tools

None. Use a web browser to log in and examine information available to the user themselves.

Related Test Cases

None.

References

None.

Remediation

Implement a list of account activity, viewable by the user after they have been authenticated. This provide the ability to look back over several months.