Login error messages and ASVS v7

[mak1yama]

Some documents published by OWASP-related projects mentions the importance of generic error messages during the login process, and ASVS 4.0 also mentions about this in v7 (specifically in v7.4.1). I would like ASVS to strengthen the descriptions about error messages, because I have found a number of web services which display specific and inconsistent messages during login-related functions such as login, password recovery (password reset), and account creation. These services have a risk of account harvesting or enumeration.

v7 has already had a reference of OWASP Testing Guide 4.0 content: Testing for Error Handling, which mentions the importance of generic error messages during the login process. I think v7 should refer more detailed information about this problem and countermeasures. I think Authentication Cheat Sheet is good for the reference of v7, because it shows both incorrect and correct message examples.

Additionally, I think the descriptions of OWASP Testing Guide and Authentication Cheat Sheet are not enough to explain the risk, because they implicitly focus on a “login” function. For example, Authentication Cheat Sheet only gives error message examples for a login function. On the basis of my study, “password recovery” and “account creation” functions are potentially abusable as well as “login” function. So an administrator should take care of all these login-related functions. I think all these login-related functions also should be mentioned explicitly in any OWASP documents.

[tghosth]

So I think the main control for harvesting/enumeration should be anti-automation which is mentioned in 2.2.1. What do you think?

I think for more sensitive applications, maybe more aggressive user discovery controls such as generic login errors are required. However, this gets more complicated, especially for something like an account creation flow. Can you think of a control which could be added to V7 which would cover this?

[mak1yama]

So I think the main control for harvesting/enumeration should be anti-automation which is mentioned in 2.2.1. What do you think?

Yes. Anti-automation techniques such as CAPTCHA can interfere with brute-force attempts. This type of attack assumes outsider attackers. However, anti-automation techniques are not effective for insider attackers (e.g., victim’s acquaintance who knows the victim’s email address), because insider attackers require a small amount of attempts to know whether the victim (e.g., friend) has an account on a specific “sensitive” service on the basis of the inconsistency of error messages. Therefore, even if services use anti-automation techniques, they should pay attention to error messages.

I think for more sensitive applications, maybe more aggressive user discovery controls such as generic login errors are required. However, this gets more complicated, especially for something like an account creation flow. Can you think of a control which could be added to V7 which would cover this?

I think you see through the essence of this problem. There are different stages of "account lifecycle": before registration, after registration, update (i.e., changing the registered email address as user-ID), and account closure. Error messages should be consistent for all these stages. As I previously mentioned, I found three login-related functions (i.e., login, password recovery, and account creation) which are potentially abusable.

In Authentication Cheat Sheet, examples for a login function are shown as follows.

Incorrect Response Examples
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Correct Response Example
"Login failed; Invalid userID or password"

In addition to these examples, I can give some examples for password recovery and account creation functions as follows.

Incorrect Response Examples for password recovery
"We just sent you a password-reset link"
"This email address doesn’t exist in our database"
Correct Response Example for password recovery
"If that email address is in our database, we’ll send you an email to reset your password"

Incorrect Response Examples for account creation
"This user ID is already in use"
"Welcome! You have signed up successfully"
Correct Response Example for account creation
"A link to activate your account has been emailed to ⟨input email address⟩"

I'm concerned that these response examples are too much detail for v7. If so, should they be added in Authentication Cheat Sheet?

It's OK for me that (i) the detailed information is added in Authentication Cheat Sheet, and (ii) the high-level view of the risk is added in v7.4.1 and v7 just refers Authentication Cheat Sheet.

[tghosth]

I agree that those examples are too much detail but that they are useful in the cheatsheet.

So do you think something extra is needed for V7?

[mak1yama]

Thanks. It would be great if Authentication Cheat Sheet (Authentication and Error Messages) is just added to the references of V7.

I'll discuss this problem at OWASP/CheatSheetSeries in order to add the detailed information to Authentication Cheat Sheet (Authentication and Error Messages).

[tghosth]

Hi @mak1yama, do you think #661 handles this?

[mak1yama]

Yes, that's good! Thanks @tghosth.