Back to overview

Authentication 3

Passwords and secrets need protection. Common attacks include:

Stealing a password/secret in transit (e.g. in an email message, over an unencrypted HTTP connection) Observing a password/secret being entered on screen Weak password recovery (e.g. reliance only on 'security' questions) Use of weak 'remember me' functionality Re-use of passwords making them guessable Passwords/secrets recorded in logs Passwords/secrets exposed in form data/URLs Client-side caching or storage of passwords/secrets Hard-coding of passwords/secrets into code Passwords never changed by user

How to play?

Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password

Mappings

Owasp ASVS (4.0): 2.5.2 ,2.5.3

Capec: 37 ,546

Owasp SCP: 36,37,40,43,48,51,119,139,140,146

Owasp Appsensor:

Safecode: 28

ASVS (4.0) Cheatsheetseries Index

ASVS V2.5 - Credential Recovery Requirements

Attacks

Local Cache exploitation

Insecure Session Storage

Loading comments 0%

Github logo View source on GitHub

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.