Closed baesenseii closed 4 years ago
Thanks for that. Please can you check if there is a NIST section to be included in the mapping and also a CWE reference and if you have that info, please could you open a pull request?
Created pull request for this issue: https://github.com/OWASP/ASVS/pull/654
Would anyone ever use the client time for generating a token? Would the server even know the client's time? In fact, even the server's time could be out of sync, so maybe a reliable external time source should be the recommendation here. I mean, it's a good point to bring up; the question here is what the real issue is that needs to be addressed.
I came across an app during testing for one of my clients that sent the client machine's epoch value as part of the OTP verification process. And because of that, it was possible for me to use the same OTP value just by submitting the corresponding epoch value.
Of course this is assuming that the server's system time is in sync with NTP servers, but what I am trying to highlight here is that the server validating the TOTP challenge should base it on its own system time and not the epoch value submitted by the user's web browser.
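To make the distinction concrete, here is an added Python example (not code from the ASVS project or from anyone in this thread) that implements RFC 6238 TOTP verification two ways: a checker that derives the time step from a timestamp in the request, which is the pattern described above, and a server-side verifier that takes the time step only from its own clock, tolerates one step of drift, and records the last consumed step so that a code cannot be accepted twice. The shared secret is the RFC 6238 test vector; the clock values and the verifier's `clock` parameter are constructed for the example.

```python
import hmac
import hashlib
import struct
import time

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a Unix time."""
    return hotp(secret, unix_time // STEP)


def verify_trusting_client_clock(secret: bytes, code: str, client_epoch: int) -> bool:
    # The pattern described in the thread: the time step comes from a value in
    # the request, so any code that was once valid stays valid for whoever
    # resubmits it together with the matching epoch value.
    return hmac.compare_digest(totp(secret, client_epoch), code)


class TotpVerifier:
    """Server-side verifier. The time step is taken from the server clock
    only; nothing in the request can move it. last_counter records the highest
    step already consumed so a successful code is not accepted again."""

    def __init__(self, secret: bytes, window: int = 1, clock=time.time):
        self.secret = secret
        self.window = window          # steps of drift tolerated on either side
        self.clock = clock            # constructed hook; production uses time.time
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        counter = int(self.clock()) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False
```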
This seems like it should definitely be an issue as it allows OTP replay in a situation where an attacker gained brief access to the victim's OTP.
@xxbaemaxx would you be able to do the following:
@xxbaemaxx Would you be able to do what was described above?
Hi,
Unfortunately I am unable to find any NIST reference or CWE instance.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
On 5/9/20 10:54 AM, xxbaemaxx wrote:
Hi,
Unfortunately I am unable to find any NIST reference or CWE instance.
-- Jim Manico Manicode Security https://www.manicode.com
With regards to proper TOTP verification for 2.8.4 and 2.8.5, another objective that should be included is this:
"Ensure that generation of the time-based multi-factor OTP token is based on the server's system time and not the client's machine"