OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resou...

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute fo...

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

The product implements an authentication technique, but it skips a step that weakens the technique.

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal au...

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Weaknesses in this category are related to the management of credentials.

CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is cons...