OWASP Top Ten Proactive Controls 2018
Securely implement digital identity, authentication, and session management controls to prevent vulnerabilities like broken authentication, session hijacking, and poor authorization.
Overview
C6: Implement Digital Identity
Description
Digital Identity is the unique representation of a user (or other subject) as they engage in an online transaction. Authentication is the process of verifying that an individual or entity is who they claim to be. Session management is a process by which a server maintains the state of the user's authentication so that the user may continue to use the system without re-authenticating. This article discusses the recommendations for secure implementation of digital identity, authentication, and session management controls. It provides information on authentication levels, secure password requirements, secure password recovery mechanism, secure password storage, multi-factor authentication, and cryptographic-based authentication. It also covers session management, generation and expiration of sessions, browser cookies, and tokens. The article emphasizes the importance of digital identity, authentication, and session management in preventing vulnerabilities like broken authentication and session management, and poor authorization and authentication.
How to Prevent ?
To prevent vulnerabilities related to digital identity, authentication, and session management, it is recommended to implement the following measures: - Implement strong password requirements, such as minimum length, acceptance of all ASCII characters, and encouragement of long passwords and passphrases. - Use secure password recovery mechanisms that incorporate multi-factor authentication elements. - Securely store user credentials using secure password hashing techniques. - Implement multi-factor authentication that requires users to provide something they know, own, and are. - Use cryptographic-based authentication for stronger authentication assurance. - Implement session management controls to track and maintain user state after initial authentication. - Generate long, unique, and random session IDs. - Set idle timeout and maximum session lifetime for each session. - Secure browser cookies by setting access restrictions, expiration period, and additional flags like 'secure' and 'HttpOnly'. - Consider using tokens for stateless session management. - Take caution and involve capable engineering talent when dealing with complex identity solutions.
Example Attack Scenarios:
Broken Authentication and Session Management: Attackers can exploit vulnerabilities in digital identity, authentication, and session management to gain unauthorized access to user accounts, bypass login mechanisms, or perform session hijacking attacks. This can lead to various security issues, such as unauthorized data access, privilege escalation, data tampering, and account takeover.
Poor Authorization and Authentication: Inadequate implementation of digital identity and authentication controls can result in poor authorization decisions and weak authentication mechanisms. Attackers can exploit these weaknesses to gain unauthorized access to sensitive resources, perform privilege escalation attacks, and compromise the overall security of the system.