Difference between revisions of "Testing for Vulnerable Remember Password (OTG-AUTHN-005)"
Edit summary (minor edit): Minor corrections/rewrites.
Revision as of 08:22, 22 March 2014

This article is part of the new OWASP Testing Guide v4.


Summary

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user.

Description of the Issue

Having the browser store passwords is a convenience not only for end users but also for an attacker.
If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser stores the passwords encrypted and only retrievable through a master password, an attacker could recover a password by visiting the target web application's authentication form, entering the victim's username, and letting the browser fill in the password.

Black Box testing and example

  • Enter a username and password in the target authentication form and determine whether the browser asks the user whether they want the password remembered.
  • View the authentication form's HTML source code and look for the autocomplete="off" attribute in the password form field. The code for this may resemble the following:
<INPUT TYPE="password" AUTOCOMPLETE="off">
  • Look for passwords being stored in a cookie. Examine the cookies set by the application. Verify that the credentials are not stored in clear text, but are hashed. Examine the hashing mechanism: if it is a common, well-known algorithm, check its strength (an unsalted, fast hash of the password alone can be recovered offline); if it is a homegrown function, attempt several usernames to check whether the hash is easily guessable. Additionally, verify that the credentials are only sent during the login phase, and not together with every request to the application.
  • Look for other areas where a password may be entered (and hence be remembered by the browser), e.g. a change password form.
  • Consider other sensitive form fields (e.g. an answer to a secret question that must be entered in a password recovery or account unlock form).
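The following Python script is an added example, not part of the OWASP page, that automates the source-inspection and cookie-inspection steps above with the standard library only. It parses constructed sample HTML (a login form that sets the attribute, a change password form that does not, and a recovery form that sets it on the enclosing form element), reports every password field or secret-question field the browser would offer to remember, and searches constructed sample cookies for the test account's credentials in the encodings a tester typically meets (clear text, base64 of user:pass, unsalted MD5/SHA-1/SHA-256). The list of sensitive field-name hints, the test account alice / Winter2014! and the cookie names are assumptions of this example.

```python
"""Added example for OTG-AUTHN-005: find fields the browser may remember and
credentials leaked into cookies. All HTML, cookies and credentials below are
constructed test data, not taken from any real application."""
import base64
import hashlib
from html.parser import HTMLParser

# Assumed heuristic: name fragments that usually mark secret-question answers,
# PINs or one-time codes, which the test says should not be remembered either.
SENSITIVE_NAME_HINTS = ("secret", "answer", "question", "pin", "otp")


class SensitiveFieldScanner(HTMLParser):
    """Records every password field and sensitive-looking field together with
    the autocomplete value in effect (field attribute, else enclosing <form>)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_autocomplete = None  # autocomplete on the currently open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <INPUT TYPE=...> works.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
        elif tag == "input":
            itype = a.get("type", "text")
            name = a.get("name", "")
            if itype != "password" and not any(h in name for h in SENSITIVE_NAME_HINTS):
                return
            effective = a["autocomplete"] if "autocomplete" in a else self.form_autocomplete
            self.findings.append({
                "name": name or "(unnamed)",
                "type": itype,
                "autocomplete": effective,
                # Anything other than an explicit "off" lets the browser offer to save it.
                "remembered": effective != "off",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def scan_html(html):
    """Return the list of sensitive fields found in the page source."""
    scanner = SensitiveFieldScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def credential_candidates(username, password):
    """Encodings of the test account's credentials to look for in cookie values.
    A salted or keyed hash will not match here; that case needs the manual
    check in the text (vary the username and compare the resulting cookies)."""
    cands = {
        "plain-password": password,
        "base64-user:pass": base64.b64encode(f"{username}:{password}".encode()).decode(),
    }
    for alg in ("md5", "sha1", "sha256"):
        cands[alg] = hashlib.new(alg, password.encode()).hexdigest()
    return cands


def find_credentials_in_cookies(cookies, username, password):
    """Return (cookie_name, encoding) pairs where a cookie value embeds a credential."""
    hits = []
    for cname, cvalue in cookies.items():
        for label, cand in credential_candidates(username, password).items():
            if cand.lower() in cvalue.lower():
                hits.append((cname, label))
    return hits


# Constructed sample page source.
SAMPLE_FORMS = """
<form action="/login" method="post">
  <INPUT TYPE="text" NAME="username">
  <INPUT TYPE="password" NAME="password" AUTOCOMPLETE="off">
</form>
<form action="/change-password" method="post">
  <input type="password" name="old_password">
  <input type="password" name="new_password">
</form>
<form action="/recover" method="post" autocomplete="off">
  <input type="text" name="secret_answer">
</form>
"""

# Constructed sample cookies for the assumed test account: a random session id,
# a base64 "remember me" cookie and an unsalted MD5 of the password.
TEST_USER, TEST_PASS = "alice", "Winter2014!"
SAMPLE_COOKIES = {
    "JSESSIONID": "9F2C4B7E1A6D3058",
    "remember": base64.b64encode(f"{TEST_USER}:{TEST_PASS}".encode()).decode(),
    "auth": hashlib.md5(TEST_PASS.encode()).hexdigest(),
}

if __name__ == "__main__":
    for f in scan_html(SAMPLE_FORMS):
        status = "REMEMBERED" if f["remembered"] else "ok"
        print(f"{status:10} {f['type']:8} {f['name']} (autocomplete={f['autocomplete']})")
    for cname, label in find_credentials_in_cookies(SAMPLE_COOKIES, TEST_USER, TEST_PASS):
        print(f"CREDENTIAL cookie {cname} contains {label}")
```

Run it against saved page source and the cookie jar of a test session instead of the samples. Treat the attribute check as supporting evidence only: current browsers generally ignore autocomplete="off" on login and password fields and still offer to save them, so the first step above, watching for the browser's own prompt, remains the decisive check.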

Remediation

Any fields that contain sensitive information and passwords should be flagged in the HTML source code with AUTOCOMPLETE="off".
Moreover, no credentials should be stored in clear text in cookies.