Web Application Authentication Cheat Sheet

This cheat sheet offers tips to review the security of authentication controls implemented for a web application.

Registration Process
  User registration offered on insecure HTTP connection
  User enumeration through verbose error messages
  Application accepting weak passwords during registration

Authentication Process
  User enumeration through verbose error messages
  Default and brute forcible passwords
  Credential transport over insecure HTTP connection
  User credentials passed within HTTP GET request
  Fail open authentication
  "Remember me" option offered on login page
  Password cached within web browser
  Authentication bypass
    SQL injection
    Forced browsing (Direct page access)
  Account lockout policies
  Weak CAPTCHA implementation
  Issues concerning multi-factor authentication
  Re-authentication not required for privileged accounts for critical applications

Logout Process
  Logout function does not exist
  Logout does not invalidate session tokens on server
  Idle timeout set for too long
  Idle timeout does not invalidate session tokens on server

Password Management
  Password quality
    Password length
    Password complexity
  Password change function
    Password change mechanism not implemented
    Password aging not implemented for critical applications
    Current password not required for password change
    Weak passwords accepted during password change
  Password reset / recovery
    User enumeration through verbose error messages
    User verification vulnerable to brute force
    Weak password delivery mechanism
    Weak passwords allowed during password reset
    Password change not enforced after default password reset?
    Password storage (Hashed or plain text)?
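The following Python model is an added illustration (not code from the cheat sheet) of how several of the review items above look when implemented correctly: passwords stored only as salted PBKDF2 hashes rather than plain text, a length/complexity policy enforced at registration, a fail-closed login that returns the same generic message for unknown users, wrong passwords and locked accounts (so the error text and the work done do not reveal whether a username exists), and an account lockout counter. The in-memory user store, the policy constants and the iteration count are assumptions chosen for this example.

```python
"""Constructed example of authentication controls from the cheat sheet:
hashed storage, password quality policy, fail-closed login with uniform
error messages, and account lockout. In-memory store only."""
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 100_000   # assumption: kept modest so the example runs quickly; tune per current guidance
MIN_PASSWORD_LENGTH = 12      # assumption: policy value chosen for this example
MAX_FAILED_ATTEMPTS = 5       # assumption: lockout threshold chosen for this example

# One message for every failure path: unknown user, wrong password, locked account.
GENERIC_FAILURE = "Invalid username or password"

_users = {}  # constructed in-memory store: username -> {"salt", "hash", "failed", "locked"}


def password_quality_issues(password):
    """Return the list of policy rules (length and complexity) a password violates."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append("too short")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no symbol")
    return issues


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plain-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username, password):
    """Reject weak passwords at registration; store only salt and hash."""
    issues = password_quality_issues(password)
    if issues:
        return False, issues
    salt, digest = hash_password(password)
    _users[username] = {"salt": salt, "hash": digest, "failed": 0, "locked": False}
    return True, []


# Dummy credentials so that an unknown username costs the same KDF work as a real one.
_DUMMY_SALT, _DUMMY_HASH = hash_password("constructed-dummy-password")


def login(username, password):
    """Fail closed: returns (ok, message); every failure yields GENERIC_FAILURE."""
    record = _users.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same work, same message: no enumeration
        return False, GENERIC_FAILURE
    if record["locked"]:
        hash_password(password, record["salt"])
        return False, GENERIC_FAILURE
    _, candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failed"] = 0
        return True, "ok"
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True
    return False, GENERIC_FAILURE


def is_locked(username):
    """True when the account exists and has been locked by failed attempts."""
    record = _users.get(username)
    return bool(record and record["locked"])
```

When reviewing a real application against the checklist, compare its behaviour with this model: a login that returns a different message or a measurably different response time for an unknown user fails the enumeration items, a store that can hand back the original password fails the storage item, and a lockout that is not enforced on the server side fails the lockout item.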