R141. Force re-authentication

Requirement

The system must force users to re-authenticate or invalidate their session if the state of their account changes (e.g. password change/recovery, lockouts, user deletion, etc.).
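One way to satisfy this requirement, shown here as an added example that is not part of the Fluid Attacks page: each session is bound to the user's current credential version, and any change of account state (password change or recovery, lockout, deletion) either bumps that version or flags the account, so every outstanding session fails validation on its next use. The `SessionStore`, `User` and `Session` names and the in-memory dictionaries are assumptions for illustration; a real deployment would back them with a shared session store so that every application node sees the invalidation.

```python
"""Added example: invalidate sessions whenever account state changes.

Not code from the original page. Sessions carry the credential version
they were issued under; a password change bumps the user's version so
older sessions stop validating (OWASP ASVS 3.3.3), and lockout/deletion
invalidate everything immediately.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    credential_version: int = 1   # incremented on password change/recovery
    locked: bool = False
    deleted: bool = False


@dataclass
class Session:
    user: str
    credential_version: int       # version the session was issued under
    created_at: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical in-memory store; use a shared backend in production."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, username: str) -> User:
        user = User(username)
        self.users[username] = user
        return user

    def login(self, username: str) -> str:
        """Issue a fresh random session token bound to the current credential version."""
        user = self.users[username]
        if user.locked or user.deleted:
            raise PermissionError("account is not eligible to log in")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.credential_version)
        return token

    def is_valid(self, token: str) -> bool:
        """Validate on every request; drop the session as soon as account state disqualifies it."""
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.user)
        if user is None or user.deleted or user.locked:
            self.sessions.pop(token, None)
            return False
        if session.credential_version != user.credential_version:
            # Issued before a password change/recovery: force re-authentication.
            self.sessions.pop(token, None)
            return False
        return True

    def change_password(self, username: str, keep_token: Optional[str] = None) -> int:
        """Bump the credential version; every other session of the user is terminated.

        `keep_token` is the session that performed the change and may stay logged in
        (it is re-bound to the new version). Returns the number of sessions invalidated.
        """
        user = self.users[username]
        user.credential_version += 1
        stale = [t for t, s in self.sessions.items()
                 if s.user == username and t != keep_token]
        for t in stale:
            del self.sessions[t]
        if keep_token in self.sessions:
            self.sessions[keep_token].credential_version = user.credential_version
        return len(stale)

    def lock_user(self, username: str) -> None:
        """Lockout: sessions are rejected on next use and purged."""
        self.users[username].locked = True
        self._purge(username)

    def delete_user(self, username: str) -> None:
        """Deletion: no session may survive the account."""
        self.users[username].deleted = True
        self._purge(username)
        del self.users[username]

    def _purge(self, username: str) -> None:
        for t in [t for t, s in self.sessions.items() if s.user == username]:
            del self.sessions[t]
```

The check in `is_valid` runs on every request rather than only at login, which is what makes the invalidation effective against a token that was captured before the account state changed. Recovery flows that reset a password should call `change_password` with no `keep_token`, so that the attacker-held sessions and the user's own are all terminated and a fresh login is required.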

References

  1. CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

  2. OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.

  3. OWASP-ASVS v4.0.1 V3.3 Session Logout and Timeout Requirements. (3.3.3) Verify that the application terminates all other active sessions after a successful password change.

  4. OWASP-ASVS v4.0.1 V3.7 Defenses Against Session Management Exploits. (3.7.1) Verify the application ensures a valid login session or requires re-authentication or secondary verification before allowing any sensitive transactions or account modifications.

  5. PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
