[Owasp-topten] Review and comments on A7

Andre Gironda andre at operations.net
Mon Feb 19 11:43:43 EST 2007


Regarding "A7 - Broken Authentication",

The criteria in all sections fail to mention password-less
authentication such as
1) IP address-based authentication
2) DNS or reverse-DNS based authentication

Many web applications (both Internet and Intranet) still rely on these
methods.  This is why I am suggesting these precautions to be added to
the OWASP top ten.
Link: http://ha.ckers.org/blog/20070122/ip-trust-relationships-xss-and-you/

Sometimes it is a web server vulnerability that affects the web
application.  For example, IIS can be configured for IP address-based
authorization under the Directory Security tab.  This is described in
detail on pg. 201-202 of `Hacking Exposed Web Applications, 2nd
Edition'.

However, these same methods can be written into the application
itself, and the application should be protected for the same reasons
as the server.  If IP address-based authentication is used, it could
be done on a single IP or a range of IP addresses, often expressed as
a prefix.  Wildcards could also be used in the IP range, or in the DNS
naming, to expose additional risk.

Similarly, an IP address or DNS name embedded in a cookie is a wasted
security method that can break authentication.  Cookies should be made
portable from IP addresses and DNS names in every situation.

In addition, email address-based checks for additional authentication,
authorization, or privilege-escalation should be removed from web
applications.  I have seen numerous examples of these over the years.
Self-registration that relies on email address verification can also
fall to numerous attacks.

Other password-less authentication (e.g. HTTP Referer checks), and
email address-based authentication/authorization (e.g.
Password-recovery) seem to be adequately covered in this section or
through the links.

I could only find two pages on OWASP that even cover these issues I
have presented here:
http://www.owasp.org/index.php/Trusting_self-reported_IP_address
http://www.owasp.org/index.php/Trusting_self-reported_DNS_name

Testing for these vulnerabilities may prove to be extremely difficult
outside of the basic source code analysis as described in the two
OWASP links above.  Blackbox testing for the administrative domain IP
or DNS-based authentication is straightforward.  Assessing the
application for any random DNS name seems impossible, and for IP
version 4 addresses - possibly complex and time-consuming.

I meant to come up with some proposed suggestions for changing section
A7.  If I get some time this week, I will make some changes and send
it to this list.  However, I feel that I need to get this basic
information out now, and maybe get some feedback.

Cheers,
Andre Gironda
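
Added example (not part of the original message): a small audit of an application's IP/DNS allowlist of the kind the message describes, reporting how many addresses each single IP, prefix or wildcard entry admits and flagging name-based entries. The sample entries, the MAX_HOSTS threshold and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample allowlist; the entries are illustrative assumptions.
SAMPLE_ALLOWLIST = [
    "192.0.2.10",            # single host
    "198.51.100.0/24",       # prefix
    "10.*.*.*",              # wildcard IP range
    "*.example.com",         # wildcard DNS name
    "intranet.example.com",  # exact DNS name
]
MAX_HOSTS = 256  # hypothetical review threshold, not an OWASP figure


def classify(entry):
    """Return (kind, address_count or None) for one allowlist entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
        kind = "ip-single" if net.num_addresses == 1 else "ip-prefix"
        return kind, net.num_addresses
    except ValueError:
        pass
    parts = entry.split(".")
    if len(parts) == 4 and "*" in parts and all(
        p == "*" or (p.isdigit() and int(p) <= 255) for p in parts
    ):
        # Each wildcard octet admits 256 values.
        return "ip-wildcard", 256 ** parts.count("*")
    return ("dns-wildcard" if "*" in entry else "dns-name"), None


def audit(entries, max_hosts=MAX_HOSTS):
    """Map each entry to a list of findings (empty list = nothing flagged)."""
    report = {}
    for entry in entries:
        kind, count = classify(entry)
        findings = []
        if count is not None and count > max_hosts:
            findings.append(f"broad range: {count} addresses trusted without credentials")
        if kind == "dns-wildcard":
            findings.append("wildcard name: every host under the suffix matches")
        if kind.startswith("dns"):
            findings.append("name-based: trust rests on a self-reported DNS name")
        report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_ALLOWLIST).items():
        print(entry, "->", findings or "no finding")
```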

