A2:2017 - Broken Authentication

Unofficial Content

Authentication

Actions by GeneXus

Actions by Developers

  • Use GAM or implement a security module.

Password Strength Controls

Actions by GeneXus

Actions by Developers

  • Configure GAM or the external security module to implement the selected password control properly.
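The page does not show what a password control looks like once configured, so the following is an added example (not GeneXus or GAM code) of the kind of policy check a security module would apply before accepting a new password. The thresholds, the character-class rule and the tiny common-password list are assumptions to be adapted to the company's policy; a real deployment would check against a much larger breached-password list.

```python
import re
import unicodedata

# Constructed sample of widely used passwords; stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character classes counted by the policy (assumed: lowercase, uppercase, digit, symbol).
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


def check_password_strength(password: str, min_length: int = 12,
                            min_classes: int = 3) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    Assumed policy:
      - at least min_length characters after Unicode normalization
      - at least min_classes of the four character classes
      - not in the common-password list (case-insensitive)
      - no run of four or more identical characters
    """
    # Normalize so that visually identical Unicode forms are measured the same way.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []

    if len(normalized) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = sum(bool(re.search(pattern, normalized)) for pattern in CHARACTER_CLASSES)
    if classes < min_classes:
        problems.append(f"uses {classes} character classes, need {min_classes}")

    if normalized.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    if re.search(r"(.)\1{3,}", normalized):
        problems.append("contains a run of 4 or more identical characters")

    return problems


if __name__ == "__main__":
    for candidate in ("Correct-Horse-Battery-7", "Pa55word!", "password"):
        print(candidate, "->", check_password_strength(candidate) or "ok")
```

Returning the full list of violations rather than a single boolean lets the application tell the user every rule that failed in one round trip, which is the usual behaviour of a password-change form.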

Password Recovery Mechanism

Actions by GeneXus

Actions by Developers

  • Adapt the GAM reference implementation to the company's security policy, or properly configure the chosen security module. Following the OWASP guidelines is recommended.

Authentication and error messages

Actions by GeneXus

Actions by Developers

  • Error messages must be generic, so that they do not give an attacker information about any user (for example, whether a username exists).
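As an added illustration of this rule (example code, not GeneXus or GAM code), the login routine below returns the same message for an unknown username and for a wrong password, and also runs the password hash against a dummy credential when the username does not exist, so that response time does not reveal which of the two happened. The in-memory user store, the PBKDF2 parameters and the messages are constructed for the example.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Invalid username or password."
# Assumed work factor; kept moderate so the example runs quickly.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory user store: username -> (salt, digest).
USERS = {"alice": hash_password("Correct-Horse-Battery-7")}

# Dummy credential: unknown usernames are verified against it so that the
# "no such user" path costs the same as the "wrong password" path.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())


def authenticate(username: str, password: str) -> tuple:
    """Return (success, message); the message never distinguishes the failure cause."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison, and the user must really exist (not just match the dummy).
    matched = hmac.compare_digest(candidate, stored) and username in USERS
    if matched:
        return True, "Welcome."
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    print(authenticate("alice", "Correct-Horse-Battery-7"))
    print(authenticate("alice", "wrong-password"))
    print(authenticate("mallory", "wrong-password"))  # same message as the line above
```

The detailed reason (unknown account, bad password, locked account) can still be written to the server-side audit log, which is where the operations team needs it; it just never travels back to the browser.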

Session Management

Actions by GeneXus

  • GeneXus uses the session management mechanisms provided by the base language. It also provides encryption mechanisms for the URL parameters of exposed objects and for AJAX requests and responses.
  • The session with the AJAX authentication key expires after a configurable period.

Actions by Developers

  • Verify that all objects accessible by HTTP/HTTPS receive ciphered parameters.
    • Security Scanner helps to detect this scenario with case codes #100, #105 & #107.
  • If GeneXus Evolution 1 is used, check that the Ajax Request Security property is set to High.
  • If GeneXus Evolution 2 is used, check that the Javascript Debug Mode property is set to No.
    • Security Scanner helps to detect this scenario with case code #106.
  • Configure the On session Timeout property properly.
  • Implement some re-authentication mechanism to use before sensitive operations.
  • Avoid the default names of the cookies utilized for session identifiers.
    • Security Scanner helps to detect this scenario with case code #116.
  • Avoid short session identifiers.
  • Set the Secure, HTTP-Only, Domain and Path attributes on the session cookies.
    • Security Scanner helps to detect this scenario with case code #116.
  • Destroy the web session within the logout process.
  • Set the expiration time for the web session on the application server.
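Several of the session-management items above (non-default cookie names, identifier length, the Secure/HTTP-Only/Domain/Path attributes, and destroying the session on logout) can be verified from the Set-Cookie headers an application returns. The following is an added example of such a check (not GeneXus code and not the Security Scanner); the list of default cookie names, the 32-character identifier threshold and the sample headers are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed list of platform default session cookie names that the page says to avoid.
DEFAULT_SESSION_NAMES = {"jsessionid", "asp.net_sessionid", "phpsessid", "sessionid"}

# Attributes the page requires, keyed by their lower-cased form as parsed.
REQUIRED_ATTRIBUTES = {"secure": "Secure", "httponly": "HttpOnly",
                       "domain": "Domain", "path": "Path"}


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones map to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, min_id_length: int = 32) -> list:
    """Return findings for a session cookie; an empty list means it passes the checks."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie["name"].lower() in DEFAULT_SESSION_NAMES:
        findings.append(f"uses default session cookie name {cookie['name']}")
    for key, label in REQUIRED_ATTRIBUTES.items():
        if key not in cookie["attrs"]:
            findings.append(f"missing {label} attribute")
    # Assumed threshold: 32 characters (e.g. 128 bits of randomness as hex).
    if len(cookie["value"]) < min_id_length:
        findings.append(f"session identifier shorter than {min_id_length} characters")
    return findings


def is_expired_cookie(header: str) -> bool:
    """True when the header invalidates the cookie, as a logout response should."""
    attrs = parse_set_cookie(header)["attrs"]
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit() and int(max_age) <= 0:
        return True
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= datetime.now(timezone.utc)
    return False


# Constructed sample headers.
WEAK_COOKIE = "JSESSIONID=A1B2C3D4; Path=/"
STRONG_COOKIE = ("app_sid=8m4Vb2yQz7Kq1Lp0XcN3Tg9HwJr5DfEaUsBoYiCkZn6; Secure; HttpOnly; "
                 "Domain=app.example.com; Path=/; SameSite=Strict")
LOGOUT_COOKIE = ("app_sid=deleted; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
                 "Secure; HttpOnly; Domain=app.example.com; Path=/")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("strong", STRONG_COOKIE)):
        print(label, "->", audit_session_cookie(header) or "ok")
    print("logout clears cookie:", is_expired_cookie(LOGOUT_COOKIE))
```

Checking the response headers this way only confirms that the browser is told to drop the cookie on logout; the server-side session must still be invalidated (the "destroy the web session" item above), which is verified by replaying the old identifier after logout and expecting a redirect to the login page.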