A07:2021 - Identification and authentication failures

This document focuses on showing the Identification and Authentication Failures that can create vulnerabilities in your application. 

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. Below you can find the most frequent ones according to OWASP and ways to prevent them.

Read more at: Identification and Authentication Failures - OWASP Documentation

Authentication

Authentication Cheat Sheet

Actions by GeneXus

• GeneXus provides a security module called GeneXus Access Manager (GAM). This module implements different Authentication Scenarios and Authentication Types.

Actions by Developers

• Use GAM or implement a security module.

Password strength controls

Implement proper password strength controls

Actions by GeneXus

• GAM provides the developer with the tools to implement an adequate password control policy. Read more at: Going into production: checklist for Applications using GAM

Actions by Developers

• Configure GAM or the external security module to implement the selected password control properly.

Password recovery mechanism

Implement secure password recovery mechanism

Actions by GeneXus

• GAM provides the developer with an implementation for the password recovery mechanism.

Actions by Developers

• Adapt the GAM reference implementation to the company's security policy or properly configure the chosen security module. The use of the OWASP guidelines is recommended. 

Authentication and error messages

Authentication and error messages

Actions by GeneXus

• GAM provides the developer with an implementation for the password recovery mechanism and login.

Actions by Developers

• Error messages must be generic and avoid providing an attacker with any user's information.

Session management

Session Management Cheat Sheet

Actions by GeneXus

• GeneXus uses the session management mechanisms provided by the base language. Also, it provides cipher mechanisms to Encrypt URL parameters for the objects exposed, and implements cipher mechanisms for the AJAX queries and responses.

• The session with the AJAX authentication key expires on a configurable time-lapse.

Actions by Developers

• Verify that all objects accessible by HTTP/HTTPS receive ciphered parameters.     

  • Security Scanner helps to detect this scenario with case codes #100, #105 & #107.    

• If GeneXus Evolution 1 is used, check the Ajax requests security property is set to High.

• If GeneXus Evolution 2 is used, check the Javascript Debug Mode property is set to No.     

  • Security Scanner helps to detect this scenario with case code #106.    

• Configure the On session timeout property properly.

• Implement some re-authentication mechanisms to use before sensitive operations.

• Avoid the default names of the cookies used for session identifiers.     

  • Security Scanner helps to detect this scenario with case code #116.    

• Avoid short session identifiers.

• Use cookies that have the attributes Secure, HTTP-Only, SameSite, Domain, and Path configured.     

  • Security Scanner helps to detect this scenario with case code #116.    

• Destroy the web session within the logout process.

• Set the expiration time for the web session on the application server.

Availability

Since GeneXus 18 upgrade 1.