Use stateless session tokens
Summary
The system should use securely generated, stateless session tokens that are validated using digital signatures instead of static API secrets.
Description
empty
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CWE™-798. Use of hard-coded credentials
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP TOP 10-A8. Software and data integrity failures
- OWASP-M TOP 10-M4. Insecure authentication
- PA-DSS-3_1_4. Application employs methods to authenticate all users
- ISA/IEC 62443-SI-3_8. Session integrity
- ISA/IEC 62443-CR-1_1-RE_1. Unique identification and authentication
- WASSEC-3_3. Session token detection configuration
- WASSEC-6_2_2_1. Authorization - Credential/Session prediction
- OWASP SCP-4. Session management
- OWASP MASVS-V4_3. Authentication and session management requirements
- SWIFT CSCF-5_2. Token management
- OWASP ASVS-3_5_2. Token-based session management
- OWASP ASVS-3_5_3. Token-based session management
- CASA-3_5_2. Token-based Session Management
- CASA-3_5_3. Token-based Session Management
Vulnerabilities
- 321. Lack of data validation - HTML code
- 340. Lack of data validation - Special Characters
- 341. Lack of data validation - OTP
- 344. Lack of data validation - Non Sanitized Variables
- 353. Lack of data validation - Token