OWASP / ASVS: Application Security Verification Standard

V2.8 additional objective for OTP verification requirements #653

Closed baesenseii closed 4 years ago

baesenseii commented 5 years ago

With regards to proper TOTP verification for 2.8.4 and 2.8.5, another objective that should be included is this:

"Ensure that generation of the time-based multi-factor OTP token is based on the server's system time and not the client's machine"

tghosth commented 5 years ago

Thanks for that. Please can you check if there is a NIST section to be included in the mapping and also a CWE reference and if you have that info, please could you open a pull request?

baesenseii commented 5 years ago

Created pull request for this issue: https://github.com/OWASP/ASVS/pull/654

m8urnett commented 5 years ago

Would anyone ever use the client time for generating a token? Would the server even know the client's time? In fact, even the server's time could be out of sync, so maybe a reliable external time source should be the recommendation here. I mean it's a good point to bring up, the question here is what's the real issue that needs to be addressed.

baesenseii commented 5 years ago

I came across an app while testing for one of my clients that sent the client machine's epoch value as part of the OTP verification process. And because of that, it was possible for me to reuse the same OTP value just by submitting the corresponding epoch value.

Of course this is assuming that the server's system time is kept in sync with NTP servers, but what I am trying to highlight here is that the server validating the TOTP challenge should base it on its own system time and not on the epoch value submitted by the user's web browser.

tghosth commented 5 years ago

This seems like it should definitely be an issue as it allows OTP replay in a situation where an attacker gained brief access to the victim's OTP.

@xxbaemaxx would you be able to do the following:

tghosth commented 4 years ago

@xxbaemaxx Would you be able to do what was described above?

baesenseii commented 4 years ago

Hi,

Unfortunately I am unable to find any NIST reference or CWE instance.

jmanico commented 4 years ago

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf

On 5/9/20 10:54 AM, xxbaemaxx wrote:

Hi,

Unfortunately I am unable to find any NIST reference or CWE instance.


-- Jim Manico Manicode Security https://www.manicode.com