R088. Request client certificates


Systems that manage business-critical information must require digital certificates from the client. This must be done especially during the authentication process.


  1. CWE-299: Improper Check for Certificate Revocation. The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

  2. CWE-521: Weak Password Requirements. The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  3. ISO 27001:2013. Annex A - 14.1.3 Protect information included in application services transactions to avoid partial transmission, improper routing, unauthorized message modifications, unauthorized disclosure and unauthorized message duplication or replay.

  4. NIST 800-63B 5.2.5 Verifier Impersonation Resistance. A verifier impersonation-resistant authentication protocol SHALL establish an authenticated protected channel with the verifier. It SHALL then strongly and irreversibly bind a channel identifier that was negotiated in establishing the authenticated protected channel to the authenticator output (e.g., by signing the two values together using a private key controlled by the claimant for which the public key is known to the verifier).

  5. OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  6. OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.9) Verify that wireless communications are mutually authenticated.

  7. OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.4) Verify impersonation resistance against phishing, such as the use of multi-factor authentication, cryptographic devices with intent (such as connected keys with a push to authenticate), or at higher AAL levels, client-side certificates.

  8. OWASP-ASVS v4.0.1 V9.2 Server Communications Security Requirements.(9.2.4) Verify that proper certification revocation, such as Online Certificate Status Protocol (OCSP) Stapling, is enabled and configured.

  9. PCI DSS v3.2.1 - Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. Only trusted keys and certificates are accepted.

  10. PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy