An insufficiently protected credential weakness occurs when the application doesn't store or transmit authentication credentials securely. If the passwords are not hashed and salted, an attacker might be able to recover stored passwords after compromising the application. If the passwords or hashes are not encrypted during transmission, an attacker might be able to intercept them via a man-in-the-middle attack. All applications that use authentication are affected by this vulnerability type.
An insufficiently protected credential vulnerability makes it easier for an attacker to gain access to the authentication credentials. Usually, some other vulnerability has to be present for the attacker to recover the credentials. Once the attacker has the credentials, they can impersonate the user whose credentials have been compromised. Malicious hackers usually target privileged accounts to take over the application. After taking over the application, an attacker might leverage other vulnerabilities to take over the application platform and use it to pivot for other attacks. Compromising the application also gives the attacker access to user data, thus enabling them to impersonate the user.
To prevent this vulnerability type, use PBKDF2 to secure passwords and send authentication credentials over encrypted tunnels.
Use PBKDF2 to secure passwords:
Send authentication credentials only over TLS:
To check for adequate protection against this vulnerability type, verify that PBKDF2 is used to secure passwords and that authentication credentials are never sent in plaintext.
PBKDF2 is used to secure passwords:
Authentication credentials are only sent over TLS:
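The following Python sketch is an added example, not part of the original article. It shows salted PBKDF2 password storage together with an audit check of the kind described above. The record format, the function names and the iteration count are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # label in the stored record (constructed format)
ITERATIONS = 600_000          # assumed work factor; tune to your hardware and policy
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def _parse(record: str):
    """Return (iterations, salt, digest), or None if not a well-formed record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:  # also covers binascii.Error
        return None
    return (iterations, salt, digest) if iterations >= 1 else None


def verify_password(password: str, record: str) -> bool:
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_upgrade(record: str, minimum: int = ITERATIONS) -> bool:
    """Audit check: True for records that are not PBKDF2 or use too few iterations."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < minimum
```

Running `needs_upgrade` over every stored credential record flags entries that are plaintext, use another scheme, or fall below the current work factor.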
Computer Based Training Links
Use the following Computer Based Training course(s) for more background information about this type of vulnerability.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact email@example.com for help.