Scribd

Upload a Document

Web Application Security - Authentication Testing Cheat Sheet

This cheat sheet offers tips to review the security of authentication

controls implemented for a web application.

Registration Process

User registration offered on insecure HTTP connection
User enumeration through verbose error messages
Application accepting weak passwords during registration

Authentication Process

User enumeration through verbose error messages
Default and brute forcible passwords
Credential transport over insecure HTTP connection
User credentials passed within HTTP GET request
Fail open authentication
“Remember me” option offered on login page
Password cached within web browser
Authentication bypass

 SQL injection

 Forced browsing (Direct page access)

Account lockout policies
Weak CAPTCHA implementation
Issues concerning multi-factor authentication

Re-authentication not required for privileged accounts for critical

applications

Logout Process

Logout function does not exist
Logout does not invalidate session tokens on server
Idle timeout set for too long
Idle timeout does not invalidate session tokens on server

Password Management

Password quality

 Password length

 Password complexity

Password change function

 Password change mechanism not implemented
 Password aging not implemented for critical applications
 Current password not required for password change
 Weak passwords accepted during password change

Password reset / recovery

 User enumeration through verbose error messages
 User verification vulnerable to brute force
 Weak password delivery mechanism
 Weak passwords allowed during password reset
 Password change not enforced after default password

reset?

Password storage (Hashed or plain test)?

Web Application Authentication Cheat Sheet

Web Application Security - Authentication Cheat Sheet

This cheat sheet offers tips to review the security of authentication controls implemented f... (More)

Reads:

397

Uploaded:

05/31/2010

Category:

How-To Guides/Manuals

Rated:

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

vishalg2000

Share & Embed

Link / URL:

Embed Size & Settings:

Width: Auto
Height: (proportional to specified width)
Start on page:
Preview View:

Pass Pin Sec
0 reads
c894b63161ef79d51da375bb68498179cf7f471c
0 reads
Password Management Guideline, US DoD, 1985
794 reads
Password Management System
3663 reads
Strengthining Password Authentication Systems
201 reads
Passwords - Complete Reference
3584 reads
How to Recover Word 2007 Password
12 reads
FullDownload
8 reads
Oracle Change Password Expiration Date
3967 reads
diplomarbeit-2006-elftmann
0 reads
NIST Enterprise Guidelines for Passwords, June 2009 draft
577 reads
Analysis of Microsoft Office Password Protection System,
153 reads

Share & Embed

Web Application Authentication Cheat Sheet

Sign Up for an Ad-Free Scribd

Share & Embed

Related

More from this user

Login to Add a Comment

Scribd

Legal

Help & Tools

Partners

Subscribe to Us

What's New

	Discover and connect with people of similar interests.
	Publish your documents quickly and easily.
	Share your reading interests on Scribd and social sites.

Email address:
You need to provide a login for this account as well.
Login:

View Mode

Login to Add a Comment

Share & Embed

Web Application Authentication Cheat Sheet

Sign Up for an Ad-Free Scribd

Share & Embed

Related

More from this user

Login to Add a Comment

Print this document

High Quality

Browser Printing

Scribd Archive > Charge to your Mobile Phone Bill

Sign up

Other login options

Signup

Why Sign up?

Login Successful

Reset your password

Scribd

Legal

Help & Tools

Partners

Subscribe to Us

What's New