Back to overview

Authentication 2

Security event logs should record key actions and the results of important security checks (in some cases successes as well as failures). If users have access to this information, they may well be able to help detect attempted or actual account/data breaches as they know more of the usage context. This information might be sent as alert messages (e.g. SMS, email, post), by making event data available as an API, or might appear in the web application as a short summarised activity log available once authenticated such as on the logged-in welcome page, or during the process of logging-off, and also within a user's account details to be accessed on demand. It maybe useful to include non web application events (e.g. mobile app password reset, a major event initiated by letter or the telephone call to the contact centre).

NB: The key concept here is notification of events to users.

How to play?

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)


Owasp ASVS (4.0): 2.5.2 ,7.1.2 ,7.1.4 ,7.2.1 ,8.2.1-8.2.3 ,8.3.6


Owasp SCP: 47,52

Owasp Appsensor: UT1

Safecode: 28

ASVS (4.0) Cheatsheetseries Index

ASVS V2.5 - Credential Recovery Requirements

ASVS V7.1 - Log Content Requirements

ASVS V7.2 - Log Processing Requirements

ASVS V8.2 - Client-side Data Protection

ASVS V8.3 - Sensitive Private Data


Password Guessing/Brute Force Attacks

Credential Stuffing

Social engineering attack

Session Hijacking (Man-in-the-Middle)

Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.