Avoid object reutilization
Summary
The system must guarantee that objects (session ID, cookies, etc.) used in the authentication process cannot be reused (replay resistance).
Description
Objects that take part in authentication and travel over the network (session identifiers, cookies, tokens, signed server responses) must not be reusable: an attacker who captures one must not be able to present it again to impersonate an authorized user or to pass off an old server response as a fresh one. The system must therefore verify every exchange between the users and the system, for example by binding each object to a session and an expiry and by rejecting any object that has already been presented, so that replaying a captured request cannot affect the confidentiality, integrity and/or availability of the system.
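The following is an added illustration of the replay-resistance property described above; it is example code written for this page, not code from the page's author or from any product it references. It assumes a server-side secret key, a session identifier known to the server, and a monotonic clock, all of which are hypothetical inputs. Each issued object carries a random nonce, an issue time and an HMAC over the session it belongs to; the server consumes the nonce on first use, so a captured copy is rejected on replay, a copy moved to another session fails the binding check, a modified copy fails the signature check, and an old copy fails the expiry check.

```python
import hashlib
import hmac
import secrets
import time


class ReplayResistantTokens:
    """Issue and consume single-use, session-bound, expiring tokens.

    Hypothetical helper for this page. Session identifiers are assumed
    not to contain ':' (the field separator); hex session IDs satisfy that.
    """

    def __init__(self, key: bytes, ttl: int = 300, clock=time.time):
        self._key = key          # server-side secret (assumption: 32 random bytes)
        self._ttl = ttl          # seconds a token stays valid
        self._clock = clock      # injectable for deterministic tests
        self._seen = {}          # nonce -> absolute expiry of that nonce

    def _tag(self, sid: str, nonce: str, issued: int) -> str:
        msg = f"{sid}:{nonce}:{issued}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str) -> str:
        nonce = secrets.token_hex(16)            # 128-bit random, never reused
        issued = int(self._clock())
        return f"{session_id}:{nonce}:{issued}:{self._tag(session_id, nonce, issued)}"

    def consume(self, token: str, session_id: str):
        """Return (accepted, reason). A token is accepted at most once."""
        try:
            sid, nonce, issued_s, tag = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return False, "malformed"
        # 1. Integrity: reject anything not produced under our key.
        if not hmac.compare_digest(tag, self._tag(sid, nonce, issued)):
            return False, "bad signature"
        # 2. Session binding: a token captured from one session is useless in another.
        if sid != session_id:
            return False, "session mismatch"
        # 3. Expiry: an old capture cannot be replayed after the window closes.
        now = self._clock()
        if now - issued > self._ttl:
            return False, "expired"
        # 4. Single use: the nonce is consumed on first presentation.
        self._forget_expired(now)
        if nonce in self._seen:
            return False, "replayed"
        self._seen[nonce] = issued + self._ttl
        return True, "ok"

    def _forget_expired(self, now: float) -> None:
        # Safe to drop: anything this old is rejected by the expiry check anyway.
        for n in [n for n, exp in self._seen.items() if exp < now]:
            del self._seen[n]


def demo():
    """Run the four failure modes against a constructed clock and return the outcomes."""
    clock = [1_700_000_000.0]                       # constructed, controllable time
    svc = ReplayResistantTokens(secrets.token_bytes(32), ttl=60, clock=lambda: clock[0])
    tok = svc.issue("sess-A")
    results = [
        svc.consume(tok, "sess-A"),                 # first use: accepted
        svc.consume(tok, "sess-A"),                 # same token again: replayed
        svc.consume(tok, "sess-B"),                 # presented in another session
        svc.consume(tok.replace("sess-A", "sess-B", 1), "sess-B"),  # edited session field
    ]
    old = svc.issue("sess-A")
    clock[0] += 61                                  # move past the 60 s window
    results.append(svc.consume(old, "sess-A"))      # expired capture
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

In a real deployment the `_seen` store must be shared by every server instance that can accept the token (a replicated cache keyed by nonce with the same TTL), otherwise a captured object can be replayed against a different node. Rotating the session identifier at login, so that tokens bound to the pre-authentication session stop verifying, closes the fixation path listed under the references below.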
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-60. Reusing session IDs (aka session replay)
- CWE™-294. Authentication bypass by capture-replay
- CWE™-308. Use of single-factor authentication
- CWE™-345. Insufficient verification of data authenticity
- CWE™-613. Insufficient session expiration
- NIST 800-63B-5_2_8. Replay resistance
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP TOP 10-A8. Software and data integrity failures
- OWASP-M TOP 10-M2. Insecure data storage
- OWASP-M TOP 10-M3. Insecure communication threat agents
- CERT-J-IDS14-J. Do not trust the contents of hidden form fields
- MISRA-C-5_5. No object or function identifier with static storage duration should be reused
- MISRA-C-5_7. No identifier name should be reused
- MISRA-C-20_2. Names of standard library macros, objects and functions shall not be reused
- SANS 25-14. Improper Authentication
- PDPA-9B_48F. Unauthorized re‑identification of anonymized information
- POPIA-9_72. Transfers of personal information outside Republic
- CMMC-AC_L1-3_1_2. Transaction & function control
- CMMC-IA_L2-3_5_4. Replay-resistant authentication
- CMMC-IA_L2-3_5_5. Identifier reuse
- CMMC-SC_L1-3_13_1. Boundary protection
- CMMC-SC_L2-3_13_15. Communications authenticity
- HITRUST CSF-09_s. Information exchange policies and procedures
- HITRUST CSF-10_d. Message integrity
- FedRAMP-IA-4. Identifier management
- ISA/IEC 62443-SI-3_8. Session integrity
- ISA/IEC 62443-CR-3_1-RE_1. Communication authentication
- WASSEC-3_2_1. HTTP cookies
- WASSEC-6_2_2_4. Authorization - Session fixation
- WASSEC-6_2_2_5. Authorization - Session weaknesses
- WASC-A_18. Credential and session prediction
- WASC-A_37. Session fixation
- WASC-W_47. Insufficient session expiration
- ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASP SCP-4. Session management
- OWASP MASVS-V4_2. Authentication and session management requirements
- NIST 800-171-5_5. Prevent reuse of identifiers for a defined period
- OWASP ASVS-3_3_1. Session termination
- CWE™-6. Misconfiguration - Insufficient session-ID length
- CWE™-384. Session fixation
- OWASP ASVS-3_2_1. Session binding
- OWASP ASVS-4_2_2. Operation level access control
- OWASP API Security Top 10-API1. Broken Object Level Authorization
- CASA-3_3_1. Session Termination
- CASA-4_2_2. Operation Level Access Control
Vulnerabilities
- 015. Insecure authentication method - Basic
- 076. Insecure session management
- 280. Session Fixation
- 337. Insecure session management - CSRF Fixation
- 387. Insecure service configuration - Object Reutilization