Login error messages and ASVS v7 #659
So I think the main control for harvesting/enumeration should be anti-automation which is mentioned in 2.2.1. What do you think? I think for more sensitive applications, maybe more aggressive user discovery controls such as generic login errors are required. However, this gets more complicated, especially for something like an account creation flow. Can you think of a control which could be added to V7 which would cover this?
Yes. Anti-automation techniques such as CAPTCHA can interfere with brute-force attempts. This type of attack assumes outsider attackers. However, anti-automation techniques are not effective for insider attackers (e.g., the victim’s acquaintance who knows the victim’s email address), because insider attackers require only a small number of attempts to know whether the victim (e.g., a friend) has an account on a specific “sensitive” service on the basis of the inconsistency of error messages. Therefore, even if services use anti-automation techniques, they should pay attention to error messages.
I think you see through the essence of this problem. There are different stages of the "account lifecycle": before registration, after registration, update (i.e., changing the registered email address as user-ID), and account closure. Error messages should be consistent for all these stages. As I previously mentioned, I found three login-related functions (i.e., login, password recovery, and account creation) which are potentially abusable. In the Authentication Cheat Sheet, examples for a login function are shown as follows.
In addition to these examples, I can give some examples for password recovery and account creation functions as follows.
I'm concerned that these response examples are too much detail for v7. If so, should they be added to the Authentication Cheat Sheet? It's OK for me that (i) the detailed information is added to the Authentication Cheat Sheet, and (ii) the high-level view of the risk is added in v7.4.1 and v7 just refers to the Authentication Cheat Sheet.
I agree that those examples are too much detail but that they are useful in the cheatsheet. So do you think something extra is needed for V7?
Thanks. It would be great if the Authentication Cheat Sheet (Authentication and Error Messages) is just added to the references of V7. I'll discuss this problem at OWASP/CheatSheetSeries in order to add the detailed information to the Authentication Cheat Sheet (Authentication and Error Messages).
Yes, that's good! Thanks @tghosth.
Some documents published by OWASP-related projects mention the importance of generic error messages during the login process, and ASVS 4.0 also mentions this in v7 (specifically in v7.4.1). I would like ASVS to strengthen the descriptions about error messages, because I have found a number of web services which display specific and inconsistent messages during login-related functions such as login, password recovery (password reset), and account creation. These services have a risk of account harvesting or enumeration.
v7 already has a reference to OWASP Testing Guide 4.0 content: Testing for Error Handling, which mentions the importance of generic error messages during the login process. I think v7 should refer to more detailed information about this problem and countermeasures. I think the Authentication Cheat Sheet is a good reference for v7, because it shows both incorrect and correct message examples.
Additionally, I think the descriptions of the OWASP Testing Guide and the Authentication Cheat Sheet are not enough to explain the risk, because they implicitly focus on a “login” function. For example, the Authentication Cheat Sheet only gives error message examples for a login function. On the basis of my study, the “password recovery” and “account creation” functions are potentially abusable as well as the “login” function. So an administrator should take care of all these login-related functions. I think all these login-related functions should also be mentioned explicitly in OWASP documents.
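As an added illustration of the consistent-message requirement across the three flows named in this thread (login, password recovery, account creation), the following Python sketch returns one generic response per flow whether or not the address is registered, and includes a check that the two cases are indistinguishable. It is not code from the issue, ASVS or the cheat sheet; UserStore, the message strings and the sample accounts are hypothetical.

```python
# Added example: one generic response per flow, independent of whether the
# e-mail address is registered. Everything here is a hypothetical sketch.
import hashlib
import hmac
import os

GENERIC_LOGIN = "Invalid e-mail address or password."
GENERIC_RECOVERY = "If that address is registered, a reset link has been sent."
GENERIC_SIGNUP = "Check your e-mail to continue creating your account."


class UserStore:
    def __init__(self):
        self._users = {}   # email -> (salt, pbkdf2 hash)
        self.outbox = []   # (email, purpose): what the mailer would send

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def seed(self, email, password):
        """Constructed sample account (a real app would populate via signup)."""
        salt = os.urandom(16)
        self._users[email] = (salt, self._derive(password, salt))

    def login(self, email, password):
        # Derive the hash for unknown addresses too, against a dummy record, so
        # the response does not depend on whether the account exists.
        salt, stored = self._users.get(email, (b"\0" * 16, b"\0" * 32))
        ok = email in self._users and hmac.compare_digest(self._derive(password, salt), stored)
        return ok, ("Signed in." if ok else GENERIC_LOGIN)

    def recover(self, email):
        # Same message either way; only a registered address receives the reset mail.
        if email in self._users:
            self.outbox.append((email, "reset-link"))
        return GENERIC_RECOVERY

    def create(self, email):
        # Same message either way; whether an account already exists is said in
        # the e-mail to the address owner, never in the HTTP response.
        purpose = "already-registered" if email in self._users else "verify-address"
        self.outbox.append((email, purpose))
        return GENERIC_SIGNUP


def responses_are_consistent(store, known, unknown):
    """True if all three flows answer identically for a registered and an unregistered address."""
    return (store.login(known, "x")[1] == store.login(unknown, "x")[1]
            and store.recover(known) == store.recover(unknown)
            and store.create(known) == store.create(unknown))
```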