Request MFA for critical systems
Summary
The system must encrypt and verify client-side session information (ViewState).
Description
ViewState contains information about the state of the user interface and controls on a web page. If left unverified, an attacker could tamper the ViewState data. If ViewState is not properly protected, it could be a target for attackers attempting session hijacking.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CAPEC™-39. Manipulating opaque client-based data tokens
- CAPEC™-74. Manipulating state
- CWE™-642. External control of critical state data
- OWASP-M TOP 10-M4. Insecure authentication
- MITRE ATT&CK®-M1025. Privileged process integrity
- MITRE ATT&CK®-M1032. Multi-factor authentication
- CMMC-IA_L2-3_5_3. Multifactor authentication
- CMMC-MA_L2-3_7_5. Nonlocal maintenance
- WASSEC-2_1. Authentication schemes
- NIST SSDF-PO_5_1. Implement and maintain secure environments for software development
- OWASP ASVS-1_2_4. Authentication architecture
- OWASP ASVS-2_2_4. General authenticator security
- PCI DSS-8_4_1. Multi-factor authentication (MFA) is implemented to secure access
- PCI DSS-8_4_2. Multi-factor authentication (MFA) is implemented to secure access
- PCI DSS-8_4_3. Multi-factor authentication (MFA) is implemented to secure access
- SIG Core-H_2_14. Access control
- SIG Core-H_4_2. Access control
- SIG Core-N_1_15_5. Network security
- SIG Core-U_1_6_2. Server security
- SIG Core-U_1_9_27. Server security
- OWASP ASVS-4_3_1. Other access control considerations
- SANS 25-20. Missing authentication for critical function
- CASA-2_2_4. General Authenticator Security
- CASA-4_3_1. Other Access Control Considerations
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
- CWE TOP 25-306. Missing authentication for critical function
Vulnerabilities
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.