Kingdom: API Abuse
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Often Misused: Login
Abstract
Insecure handling of login information can enable attackers to circumvent the application's authentication system.
Explanation
Poorly written login forms can lead to the following vulnerabilities:
1. Theft of credential information
a. Login forms designed to use the GET HTTP method can reveal sensitive information to attackers in the query string.
b. Transmission of login information in cleartext leaves it vulnerable to information theft.
c. Serving login forms over an insecure connection can allow an attacker to intercept and tamper with the login form itself and circumvent any protections offered by the original login form
d. Processing unvalidated data in the page containing the login form can enable attackers to install malicious scripts and capture sensitive information
2. Authentication bypass
a. Failing to validate user-submitted data in a login form can leave the application vulnerable to SQL Injection attacks, which enables an attacker to completely bypass the authentication system
3. Session hijacking
a. In the absence of adequate protections against Cross-Site Request Forgery and Cross-Frame Scripting vulnerabilities, attackers can hijack legitimate user sessions.
1. Theft of credential information
a. Login forms designed to use the GET HTTP method can reveal sensitive information to attackers in the query string.
b. Transmission of login information in cleartext leaves it vulnerable to information theft.
c. Serving login forms over an insecure connection can allow an attacker to intercept and tamper with the login form itself and circumvent any protections offered by the original login form
d. Processing unvalidated data in the page containing the login form can enable attackers to install malicious scripts and capture sensitive information
2. Authentication bypass
a. Failing to validate user-submitted data in a login form can leave the application vulnerable to SQL Injection attacks, which enables an attacker to completely bypass the authentication system
3. Session hijacking
a. In the absence of adequate protections against Cross-Site Request Forgery and Cross-Frame Scripting vulnerabilities, attackers can hijack legitimate user sessions.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 311
[2] Standards Mapping - FIPS200 SC
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[7] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[10] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[11] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective C.4.1 - Web Software Communications
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3330 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3330 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3330 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3330 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3330 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3330 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3330 CAT I
desc.dynamic.xtended_preview.often_misused_login