Slide 19
- Default passwords.
- Password database access.
- Dictionary-based brute force.
- Username guessing / enumeration.
- Credentials captured by a man-in-the-middle attack.
- Password reset abuse.
- Authentication replay.
- Session ID prediction.
- Session hijacking.
- Session fixation.
- Shoulder surfing.
- …
Slide 20
Web form username and password-based authentication?

| Attack | Threat |
|---|---|
| Default passwords | Attackers gain access to the system using default passwords. |
| Password database access | Attackers gain access to user accounts by accessing the password database. |
| Dictionary-based brute force | Attackers gain access to user accounts by performing a dictionary-based brute force attack. |
| Username guessing | Attackers gain access to user accounts by performing a username guessing attack. |
| Username enumeration | Attackers gain access to user accounts by performing a username enumeration attack. |
| ... | ... |
Slide 24
Web form username and password-based authentication?

| Threat | Countermeasure(s) |
|---|---|
| Attackers gain access to the system using default passwords. | Remove default credentials and role-based accounts from the application |
| Attackers gain access to user accounts by accessing the password database. | Store passwords in unrecoverable form to prevent disclosure |
| Attackers gain access to user accounts by performing a dictionary-based brute force attack. | Require the use of strong passwords |
| Attackers gain access to user accounts by performing a username guessing attack. | Implement application and network rate limiting on the login function |
| Attackers gain access to user accounts by performing a username enumeration attack. | Ensure failed login timings do not reveal account status; ensure application errors do not reveal account status |
| ... | ... |
Slide 25
Web form username and password-based authentication?

| Threat | Countermeasure(s) | Standard Req |
|---|---|---|
| Attackers gain access to the system using default passwords. | Remove default credentials and role-based accounts from the application | OWASP-ASVS Level 1 r2.19 |
| Attackers gain access to user accounts by accessing the password database. | Store passwords in unrecoverable form to prevent disclosure | OWASP-ASVS Level 2 r2.13 |
| Attackers gain access to user accounts by performing a dictionary-based brute force attack. | Require the use of strong passwords | OWASP-ASVS Level 2 r2.7 |
| Attackers gain access to user accounts by performing a username guessing attack. | Implement application and network rate limiting on the login function | OWASP-ASVS Level 1 r2.20 |
| Attackers gain access to user accounts by performing a username enumeration attack. | Ensure failed login timings do not reveal account status | OWASP-ASVS Level 3 r2.28 |
| | Ensure application errors do not reveal account status | OWASP-ASVS Level 1 r2.18 |
| ... | ... | ... |
Slide 28
Web form username and password-based authentication?

| Countermeasure(s) | Implemented |
|---|---|
| Remove default credentials and role-based accounts from the application | |
| Store passwords in unrecoverable form to prevent disclosure | |
| Require the use of strong passwords | |
| Implement application and network rate limiting on the login function | |
| Ensure failed login timings do not reveal account status | |
| Ensure application errors do not reveal account status | |
| ... | |
Slide 30
Web form username and password-based authentication?

Countermeasure(s)
- Remove default credentials and role-based accounts from the application
- Store passwords in unrecoverable form to prevent disclosure
- Require the use of strong passwords
- Implement application and network rate limiting on the login function
- Ensure failed login timings do not reveal account status
- Ensure application errors do not reveal account status
- ...
Slide 31
Remove default credentials and role-based accounts from the application

```gherkin
@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Default passwords should not be used
    Given a web form based authentication
    When the default user logs in
    Then the password is not in the default passwords list
```
Slide 32
Store passwords in unrecoverable form to prevent disclosure

```gherkin
@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Passwords should be stored in unrecoverable format
    Given a web form based registration
    When a user registration happens
    And the password is provided and stored
    Then the password cannot be reverted back to its original form
```
Slide 33
Require the use of strong passwords

```gherkin
@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Passwords should be strong
    Given a web form based authentication
    When a user registration happens
    Then the password is asked
    When a weak password is provided
    Then the user cannot register
```
Slide 34
Implement application and network rate limiting on the login function

```gherkin
@authentication
Feature: Authentication
  Verify that the authentication system is robust

  Scenario: Authentication attempts should be limited
    Given a web form based authentication
    When a user tries to log in
    And uses invalid passwords
    And the time between tries is less than X seconds
    Then the source is locked down
```
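As an added example (not code from the slides), a minimal Python authentication service that implements the countermeasures from the threat table and the behaviour the Gherkin scenarios on slides 31-34 check: salted PBKDF2 storage that cannot be reverted, rejection of weak and default passwords at registration, per-source lockout after a number of failed attempts within the scenario's "X seconds", and a failure path that does the same hashing work and returns the same error whether or not the username exists. The class and function names, the thresholds and the default-password list are assumptions.

```python
import hashlib, hmac, os, time

# Constructed sample values; a real deployment uses a maintained list and tuned limits.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme"}
PBKDF2_ITERATIONS = 100_000
LOCKOUT_ATTEMPTS = 5           # failed attempts per source before lockout
LOCKOUT_WINDOW = 60.0          # the "X seconds" of the rate-limiting scenario

def hash_password(password, salt=b""):
    """Unrecoverable storage: 16-byte random salt + PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def is_strong(password):
    """Strong-password rule: minimum length and not a known default password."""
    return len(password) >= 12 and password.lower() not in DEFAULT_PASSWORDS

class AuthService:
    def __init__(self):
        self.users = {}      # username -> salted hash (never the password itself)
        self.failures = {}   # source (e.g. client IP) -> failure timestamps
        # Decoy hash: unknown usernames go through the same PBKDF2 work as real ones,
        # so response timing does not reveal whether an account exists.
        self._decoy = hash_password(os.urandom(16).hex())

    def register(self, username, password):
        if not is_strong(password):
            return False     # weak password: registration refused
        self.users[username] = hash_password(password)
        return True

    def login(self, source, username, password, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(source, []) if now - t < LOCKOUT_WINDOW]
        if len(recent) >= LOCKOUT_ATTEMPTS:
            return "locked"  # source is locked down, even for a valid password
        stored = self.users.get(username, self._decoy)
        ok = verify_password(password, stored) and username in self.users
        if not ok:
            self.failures[source] = recent + [now]
            return "invalid"  # same error whether or not the user exists
        self.failures[source] = []
        return "ok"
```

The `now` parameter exists so the lockout window can be exercised deterministically in a test; production callers leave it unset.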