030 – Avoid object reutilization

Summary

The system must guarantee that objects (session ID, cookies, etc.) used in the authentication process cannot be reused (replay resistance).

Description

In a system, it is necessary to prevent transmitted information from being reused by an attacker to impersonate an authorized user or server responses. Therefore, it is essential to verify the communications between the users and the system, thus avoiding a replay of any request that could affect the confidentiality, integrity and/or availability of the system.

Supported In

Essential: True

Advanced: True

References

• CAPEC-60. Reusing session IDs (aka session replay)
• CWE-294. Authentication bypass by capture-replay
• CWE-308. Use of single-factor authentication
• CWE-345. Insufficient verification of data authenticity
• CWE-613. Insufficient session expiration
• NIST80063-5_2_8. Replay resistance
• NIST80063-7_1. Session bindings
• OWASP10-A7. Identification and authentication failures
• OWASP10-A8. Software and data integrity failures
• OWASPM10-M2. Insecure data storage
• OWASPM10-M3. Insecure communication threat agents
• CERTJ-IDS14-J. Do not trust the contents of hidden form fields
• MISRAC-5_5. No object or function identifier with static storage duration should be reused
• MISRAC-5_7. No identifier name should be reused
• MISRAC-20_2. Names of standard library macros, objects and functions shall not be reused
• SANS25-13. Improper authentication
• PDPA-9B_48F. Unauthorized re‑identification of anonymized information
• POPIA-9_72. Transfers of personal information outside Republic
• CMMC-AC_L1-3_1_2. Transaction & function control
• CMMC-IA_L2-3_5_4. Replay-resistant authentication
• CMMC-IA_L2-3_5_5. Identifier reuse
• CMMC-SC_L1-3_13_1. Boundary protection
• CMMC-SC_L2-3_13_15. Communications authenticity
• HITRUST-09_s. Information exchange policies and procedures
• HITRUST-10_d. Message integrity
• FEDRAMP-IA-4. Identifier management
• IEC62443-SI-3_8. Session integrity
• IEC62443-CR-3_1-RE_1. Communication authentication
• WASSEC-3_2_1. HTTP cookies
• WASSEC-6_2_2_4. Authorization - Session fixation
• WASSEC-6_2_2_5. Authorization - Session weaknesses
• WASC-A_18. Credential and session prediction
• WASC-A_37. Session fixation
• WASC-W_47. Insufficient session expiration
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASPSCP-4. Session management
• NIST800171-5_5. Prevent reuse of identifiers for a defined period
• ASVS-3_3_1. Session termination
• CWE-6. Misconfiguration - Insufficient session-ID length
• CWE-384. Session fixation
• ASVS-3_2_1. Session binding
• ASVS-4_2_2. Operation level access control
• OWASPAPI-API1. Broken Object Level Authorization
• CASA-3_3_1. Session Termination
• CASA-4_2_2. Operation Level Access Control
• CWE25-287. Improper authentication

Weaknesses

• 280 – Session Fixation
• 337 – Insecure session management - CSRF Fixation
• 387 – Insecure service configuration - Object Reutilization
• 449 – Insecure authentication method
• 015 – Insecure authentication method - Basic
• 076 – Insecure session management

Last updated

2024/02/05