Change the text for cards belonging to VE, AT & SM to align them with modern authentication and session management practices#2710
Build artifacts:

Translation Check Report. The following sentences/tags have issues in the translations (untranslated tags have identical text to English; missing tags are present in the English version but absent from the translation):

- Spanish file, untranslated tags: T00105, T00140
- Russian file, untranslated tags: T00001, T00003, T00004, T00090, T00100, T00105, T00210, T00220, T00230, T00240, T00250, T00260, T00270, T00280, T00290, T00300, T00310, T00320, T00330, T00340, T00350, T00360, T00370, T00380, T00390, T00400, T00410, T00420, T00430, T00440, T00450, T00460, T00470, T00480
- Russian file, untranslated tags: T00020, T00120, T00130, T00220, T00240, T00310, T00311, T00320, T00330, T00340, T00350, T00360, T00370, T00380, T00390, T00400, T00510, T00520, T00530, T00610, T01010, T01070, T01160, T01170, T01180, T01200, T01210, T01220, T01301, T01411, T02680, T02690, T02700, T02710, T02720, T02730, T02780, T03010
- Spanish file, missing tags: T01411; untranslated tags: T00020, T00030, T00380, T01590, T02940, T03140, T03160, T03180, T03200, T03210, T03220, T03230, T03250, T03270, T03280, T03290, T03300, T03310, T03320, T03330, T03340, T03360, T03370, T03380, T03390, T03400, T03410, T03430, T03440, T03450, T03460, T03480, T03500, T03510, T03520, T03530, T03550, T03560, T03570, T03590, T03600, T03610, T03620, T03630, T03640, T03650, T03660, T03670, T03680, T03690, T03700, T03720, T03771, T03773, T03775, T03800, T03810, T03820, T03830, T03840, T03850, T03860, T03870, T03900, T03940, T03950
- French file, missing tags: T01411; untranslated tags: T00200, T01100, T03110, T03120, T03771, T03773, T03775
- Hungarian file, missing tags: T00005, T00161, T00162, T01301, T01311, T01411; untranslated tags: T00020, T00030, T00140, T00145, T00200, T00210, T00220, T00230, T00240, T00300, T00320, T00340, T00350, T00360, T00370, T00380, T00390, T00400, T00500, T00510, T00520, T00600, T00610, T00700, T00710, T00720, T00730, T00740, T00750, T00760, T00770, T00780, T00790, T00800, T00810, T00830, T00840, T00900, T00910, T00920, T01000, T01020, T01060, T01100, T01110, T01120, T01130, T01140, T01150, T01160, T01170, T01190, T01200, T01240, T01250, T01260, T01270, T01280, T01290, T01300, T01400, T01410, T01420, T01430, T01431, T01440, T01450, T01500, T01510, T01520, T01530, T01540, T01550, T01560, T01570, T01571, T01580, T01590, T01600, T01610, T01700, T01710, T01720, T01730, T01740, T01800, T01810, T01811, T01820, T01900, T01910, T01920, T01930, T01940, T01960, T01970, T01980, T02000, T02010, T02020, T02030, T02040, T02100, T02120, T02140, T02200, T02220, T02240, T02250, T02260, T02280, T02290, T02300, T02310, T02320, T02340, T02400, T02410, T02420, T02440, T02450, T02460, T02480, T02490, T02500, T02510, T02520, T02540, T02600, T02610, T02620, T02630, T02650, T02680, T02690, T02700, T02710, T02720, T02730, T02760, T02770, T02790, T02800, T02810, T02820, T02840, T02850, T02860, T02870, T02880, T02890, T02900, T02910, T02920, T02930, T02940, T02950, T02960, T02970, T02980, T02990, T03000, T03020, T03100, T03110, T03120, T03140, T03160, T03200, T03210, T03220, T03230, T03250, T03270, T03280, T03290, T03300, T03310, T03320, T03330, T03340, T03360, T03370, T03380, T03390, T03400, T03410, T03430, T03450, T03460, T03480, T03500, T03510, T03520, T03530, T03550, T03560, T03570, T03590, T03600, T03610, T03620, T03630, T03640, T03650, T03660, T03670, T03680, T03690, T03700, T03720, T03740, T03760, T03771, T03773, T03775, T03800, T03810, T03820, T03830, T03840, T03900, T03920, T03950
- Italian file, untranslated tags: T00380, T02940, T03250, T03771, T03773, T03775
- Dutch file, missing tags: T01411; untranslated tags: T00500, T03771, T03773, T03775
- Norwegian file, missing tags: T01411; untranslated tags: T00380, T01700, T03140, T03160, T03180, T03200, T03210, T03220, T03230, T03250, T03270, T03280, T03290, T03300, T03310, T03320, T03330, T03340, T03360, T03370, T03380, T03390, T03400, T03410, T03430, T03440, T03450, T03460, T03480, T03500, T03510, T03520, T03530, T03550, T03560, T03570, T03590, T03600, T03610, T03620, T03630, T03640, T03650, T03660, T03670, T03680, T03690, T03700, T03771, T03773, T03775
- Portuguese (Brazil) file, missing tags: T01411; untranslated tags: T00380, T02250, T02290, T02310, T02450, T02490, T02510, T03100, T03110, T03120, T03140, T03160, T03180, T03200, T03210, T03220, T03230, T03250, T03270, T03280, T03290, T03300, T03310, T03320, T03330, T03340, T03360, T03370, T03380, T03390, T03400, T03410, T03430, T03440, T03450, T03460, T03480, T03500, T03510, T03520, T03530, T03550, T03560, T03570, T03590, T03600, T03610, T03620, T03630, T03640, T03650, T03660, T03670, T03680, T03690, T03700, T03720, T03771, T03773, T03775
- Portuguese (Portugal) file, untranslated tags: T00380, T03771, T03773, T03775
- Russian file, untranslated tags: T00380, T01411, T03771, T03773, T03775
- French file, missing tags: T01411; untranslated tags: T00200, T01100, T03110, T03120
- Italian file, untranslated tags: T00380, T02940, T03250
- Dutch file, untranslated tags: T00380, T02270, T02290, T03250
- Norwegian file, untranslated tags: T00380, T01700, T03140, T03160, T03180, T03200, T03210, T03220, T03230, T03250, T03270, T03280, T03290, T03300, T03310, T03320, T03330, T03340, T03360, T03370, T03380, T03390, T03400, T03410, T03430, T03440, T03450, T03460, T03480, T03500, T03510, T03520, T03530, T03550, T03560, T03570, T03590, T03600, T03610, T03620, T03630, T03640, T03650, T03660, T03670, T03680, T03690, T03700
- Portuguese (Brazil) file, untranslated tags: T00330, T00340, T00350, T00360, T00370, T00380, T02240, T02260, T02280, T02300, T02320, T02340, T02440, T02460, T02480, T02500, T02520, T02540
- Portuguese (Portugal) file, untranslated tags: T00380
- Russian file, untranslated tags: T00380
Pull request overview
Updates the OWASP Cornucopia WebApp v3.0 card content (and one mapping entry) to better reflect modern authentication and session management concepts (tokens, MFA/passkeys, replay/PoP, session controls).
Changes:
- Refreshes multiple Session Management (SM) card scenarios/mitigations to include modern token/session threats and defenses.
- Updates Authentication (AT) and Data Validation & Encoding (VE) card text to reference newer patterns (e.g., passkeys, JWTs, client-side injection context).
- Adjusts the STRIDE mapping metadata for SM8 in the webapp mappings YAML.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 17 comments.
| File | Description |
|---|---|
| source/webapp-mappings-3.0.yaml | Updates SM8 STRIDE mapping fields. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SMJ/explanation.md | Reworks replay attack explanation/mitigations around tokens/PoP. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM9/explanation.md | Expands session identifier theft guidance to include tokens/caching/storage guidance. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM8/explanation.md | Revises long-session scenario and STRIDE mapping text; adds additional mitigations. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM7/explanation.md | Adds guidance about terminating sessions after credential changes. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM4/explanation.md | Broadens cross-domain/session misuse scenario to include token audience/refresh token considerations. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM3/explanation.md | Rewrites concurrent session scenario with user session visibility/controls emphasis. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/session-management/SM2/explanation.md | Updates session ID/token generation scenario and adds a JWT-related example. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/data-validation-&-encoding/VEX/explanation.md | Clarifies client-side state integrity example to include JWTs. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/data-validation-&-encoding/VEQ/technical-note.md | Clarifies client-side injection context with an XSS example mention. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/authentication/AT9/explanation.md | Updates weak auth examples to include passkeys and email-as-MFA wording. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/authentication/AT7/explanation.md | Generalizes example wording from password-only to broader auth requirements. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/authentication/AT6/explanation.md | Updates temporary credential example to include MFA codes. |
| cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/authentication/AT3/explanation.md | Updates “secret acquisition” examples to include MFA codes/biometrics wording. |
| @@ -1,12 +1,15 @@ | |||
| ## Scenario: Ryan’s Exploitation of Concurrent Sessions | |||
| ## Scenario: Ryan’s Exploitation of a Poorly Implemented Sessions Magement System | |||
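Review bot: the new heading drops the card's subject. SM3 is the concurrent-sessions card (the file summary above says it "rewrites the concurrent session scenario"), and "a Poorly Implemented Session Management System" could describe any SM card. Keep the topic in the title, for example `## Scenario: Ryan’s Exploitation of Unmonitored Concurrent Sessions`, so the heading still distinguishes SM3 from its neighbours.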
Typo in the heading: "Sessions Magement" should be "Session Management" (and likely singular "Session" rather than "Sessions").
| ## Scenario: Ryan’s Exploitation of a Poorly Implemented Sessions Magement System | |
| ## Scenario: Ryan’s Exploitation of a Poorly Implemented Session Management System |
| Imagine a scenario where Ryan takes advantage of a system that doesn't sufficiently give the user the overview of their active sessions, and allows multiple concurrent sessions without proper controls. He exploits the following vulnerabilities: | ||
|
|
||
| 1. **Allowance of Multiple Active Sessions:** The system permits one user account to be logged in from multiple devices or locations at the same time. | ||
| 1. **Allowance of Multiple Active Sessions:** The system does not give the user an overview over which devices that are logged in. This allowes Ryan to log in on a device while the legitimate user is also active, without the user being aware of it. |
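Review bot: the bold label on item 1 no longer matches its body. The label still reads "Allowance of Multiple Active Sessions" while the rewritten text is about the user having no overview of logged-in devices, and "an overview over which devices that are logged in" is ungrammatical. Suggest `1. **Lack of Session Visibility:** The system does not give the user an overview of which devices are logged in. This allows Ryan to log in on a device while the legitimate user is also active, without the user being aware of it.` If the point is that concurrent sessions are still permitted without controls, say so in the sentence rather than only in the label.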
Spelling mistake in "This allowes Ryan"; should be "allows".
| 1. **Allowance of Multiple Active Sessions:** The system does not give the user an overview over which devices that are logged in. This allowes Ryan to log in on a device while the legitimate user is also active, without the user being aware of it. | |
| 1. **Allowance of Multiple Active Sessions:** The system does not give the user an overview over which devices that are logged in. This allows Ryan to log in on a device while the legitimate user is also active, without the user being aware of it. |
| 1. **Insufficient Domain and Path Restrictions:** The web application does not adequately restrict the domain and path for which its cookies are valid. | ||
| 2. **Lack of Secure Cookie Attributes:** The application fails to use secure attributes (e.g., Secure, HttpOnly, SameSite) for its cookies, making them vulnerable to manipulation and cross-site attacks. | ||
| 3. **Inadequate Token Audience Validation:** The application does not properly validate the audience claims in tokens, allowing them to be used across different applications or contexts. | ||
| 4. **Absence of strong secret management:** The client is incapable of securly storing refresh tokens or cookies, making them vulnerable to theft and misuse. |
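Review bot: item 4's label "Absence of strong secret management" does not describe what the sentence says, which is insecure client-side storage of refresh tokens and cookies; secret management usually refers to server-side handling of keys and credentials. Suggest `4. **Insecure Client-Side Token Storage:** The client stores refresh tokens or cookies where they can be read or exfiltrated, making them vulnerable to theft and misuse.` Consider also naming the server-side counterpart the card should drive (short-lived access tokens and refresh token rotation, so a stolen refresh token has limited value), since as written the mitigation rests entirely on the client.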
Typo: "securly" should be "securely".
| 4. **Absence of strong secret management:** The client is incapable of securly storing refresh tokens or cookies, making them vulnerable to theft and misuse. | |
| 4. **Absence of strong secret management:** The client is incapable of securely storing refresh tokens or cookies, making them vulnerable to theft and misuse. |
| William infiltrates a web application's session management system. He manipulates the session ID generation algorithm to produce predictable IDs. For instance, he sets the IDs to increment sequentially. With this knowledge, William easily predicts and hijacks active sessions by guessing the next valid session ID, gaining unauthorized access to user accounts and sensitive data. | ||
| Or, he finds an unprotected endpoint (e.g: cache) with JWT tokens and use them to create new tokens with a different payload, but the same signature, allowing him to impersonate other users or escalate privileges. |
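Review bot: the added sentence has formatting and grammar problems: "e.g:" should be "e.g.,", "use them" should agree with "he" ("uses them"), and a standalone paragraph beginning "Or," reads as a fragment after the William paragraph. Suggest folding it into that paragraph as `Alternatively, he finds an unprotected endpoint (e.g., a cache) that exposes JWTs and reuses them to impersonate other users or escalate privileges.`, which also keeps the claim to what token leakage actually enables (reuse of the leaked tokens).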
The JWT example is technically incorrect: you generally cannot "create new tokens with a different payload, but the same signature" unless the signing key is compromised or there is a verification flaw (e.g., algorithm/key confusion). If the issue is token leakage from a cache/endpoints, the realistic impact is token replay/impersonation; if the issue is token forgery, describe the prerequisite (broken verification or key compromise).
| 2. Regularly check and update user privileges within active sessions to ensure they reflect current permissions. | ||
| 3. Consider introducing shorter session timeouts for highly sensitive applications, requiring users to re-authenticate more frequently. | ||
| 4. Implement additional controls such as geolocation checks, enforced client fingerprinting, or anomaly detection to identify and mitigate potential session hijacking. |
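Review bot: item 2 leaves the mechanism unspecified. "Regularly check and update user privileges within active sessions" can be read as periodically refreshing a role cached in the session, which still leaves a window between revocation and the next refresh. The stronger guidance is to evaluate authorization against current permissions on each request and to terminate or force re-authentication of sessions when privileges are revoked, which is the same principle the SM7 change in this PR applies to credential changes. Suggest `2. Evaluate authorization on each request against the user's current permissions rather than against privileges cached at login, and terminate active sessions when access is revoked.`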
The mitigations mention "enforced client fingerprinting". Fingerprinting is typically privacy-sensitive and brittle (easy to evade, can lock out legitimate users). Consider rephrasing this as "risk-based signals" and prioritizing step-up auth (e.g., re-auth/MFA) or device-bound credentials instead of suggesting fingerprinting as a control.
| Imagine a situation where Claudia, exploiting insufficient authentication protocols, gains access to critical functions within a system. This occurs due to: | ||
|
|
||
| 1. **Weak Authentication Standards:** The system lacks robust authentication methods, such as two-factor authentication (2FA), relying only on basic password entry. | ||
| 1. **Weak Authentication Standards:** The system lacks robust authentication methods, such as passkeys or two-factor authentication (2FA), relying only on basic password entry or uses email as a MFA method. |
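Review bot: terminology is inconsistent within the one sentence: it says "two-factor authentication (2FA)" and then "MFA method". Pick one term (the AT3 and AT6 summaries above use "MFA codes") and use it throughout, e.g. `... such as passkeys or multi-factor authentication (MFA), relying only on basic password entry ...`.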
Wording/grammar: "uses email as a MFA method" is unclear and reads as a typo. Consider rephrasing to clarify the security point (e.g., email OTP as a weak/low-assurance second factor) and fix the article ("an MFA").
| 1. **Weak Authentication Standards:** The system lacks robust authentication methods, such as passkeys or two-factor authentication (2FA), relying only on basic password entry or uses email as a MFA method. | |
| 1. **Weak Authentication Standards:** The system lacks robust authentication methods, such as passkeys or two-factor authentication (2FA), relying only on basic password entry or on low-assurance methods such as email one-time passcodes (email-based “MFA”). |
| ## Scenario: William's Control Over Session Identifier Generation | ||
|
|
||
| Envision a scenario where William, exploiting a critical aspect of session management, gains control over the generation of session identifiers. He leverages this control to: | ||
| Envision a scenario where William, exploiting a critical aspect of session management, gains control over the generation of session identifiers of authorization tokens. He leverages this control to: |
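Review bot: the heading was not updated with the body. The scenario now covers session identifiers and authorization tokens, but the unchanged `## Scenario: William's Control Over Session Identifier Generation` context line above still names session identifiers only. Suggest `## Scenario: William's Control Over Session Identifier and Token Generation` so the card title matches the broadened text.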
Grammar issue: "session identifiers of authorization tokens" reads like a missing conjunction. Consider changing to "session identifiers or authorization tokens".
| Envision a scenario where William, exploiting a critical aspect of session management, gains control over the generation of session identifiers of authorization tokens. He leverages this control to: | |
| Envision a scenario where William, exploiting a critical aspect of session management, gains control over the generation of session identifiers or authorization tokens. He leverages this control to: |
| Jeff can reuse stolen session identifiers and/or tokens because they are not handled confidentially or because there is no strong proof of possession (e.g. binding to certificate, device, IP address, user-agent, etc.) | ||
|
|
||
| 1. **Lack of Replay Attack Protection:** The system does not have mechanisms to detect and reject duplicate submissions of the same action. | ||
| Consider a scenario where Jeff exploits a system vulnerability that allows him to reuse stolen session identifiers or tokens without any checks for their validity or proof of possession. This issue arises because the system does not have mechanisms to detect and reject forged or replayed session identifiers or tokens, allowing attackers to reuse them for unauthorized access or actions. | ||
|
|
||
| 1. **Lack of Confidential Handling:** Session identifiers or tokens are not treated as sensitive information, leading to their exposure and potential theft. | ||
| 2. **Absence of Proof of Possession:** The system does not require any form of proof that the session identifier or token is being used by the legitimate owner, such as binding it to a specific device, IP address, user-agent, or using cryptographic methods. | ||
| 3. **No Detection of Reuse:** The system does not have mechanisms to detect and reject replayed session identifiers or tokens, allowing attackers to reuse them for unauthorized access or actions. |
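Review bot: the rewritten intro paragraph and item 3 say the same thing almost word for word ("does not have mechanisms to detect and reject ... replayed session identifiers or tokens, allowing attackers to reuse them for unauthorized access or actions"); trim one of them. Separately, the removed item 1 ("detect and reject duplicate submissions of the same action") covered replay of an action rather than replay of a credential, which is a different control (idempotency keys or nonces on state-changing requests). If the card is now deliberately scoped to token replay, fine; if action replay was meant to stay, restore it as its own bullet rather than folding it into "No Detection of Reuse".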
The examples of “proof of possession” here include IP address and user-agent, which are not strong proof-of-possession signals (they’re spoofable/brittle and often change legitimately). Consider updating this to focus on stronger mechanisms (e.g., mTLS sender-constrained tokens, DPoP, token binding/device-bound credentials) and, if IP/UA are mentioned, frame them as supplemental risk signals rather than PoP.
| ### Example | ||
|
|
||
| Matt gains access to an employee’s account in a corporate system early in the day. Throughout the day, the employee’s access rights are revoked due to a change in their employment status. However, since the system does not require re-authentication or check for privilege changes during active sessions, Matt continues to have access to sensitive information and system functionalities all day, exploiting the unchanged session privileges. | ||
| Matt gains access to an employee’s account after stealing an unlocked computer at a train station early in the morning. Later that day, the employee’s access rights gets revoked after the employee notifies the IT department. However, since the system does not require re-authentication, check for privilege changes during active sessions, or implement other controls like geolocation checks, enforced client fingerprinting, or anomaly detection, Matt can continue to have access to sensitive information and system functionalities all day, exploiting the unchanged session privileges. |
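Review bot: the new example's root cause does not match the controls it lists. Someone who walks off with an unlocked, already-authenticated computer is using the legitimate user's own device and session, so geolocation checks and client fingerprinting would not distinguish him from the employee. The controls that actually bound this scenario are an idle timeout that locks or ends the session, an absolute session lifetime, re-authentication before sensitive actions, and terminating all of the user's sessions once IT is notified. Suggest naming those in place of the "geolocation checks, enforced client fingerprinting, or anomaly detection" list, which otherwise leaves the reader with the wrong mitigation for the story being told.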
Grammar issue: "access rights gets revoked" should be "access rights get revoked".
| Matt gains access to an employee’s account after stealing an unlocked computer at a train station early in the morning. Later that day, the employee’s access rights gets revoked after the employee notifies the IT department. However, since the system does not require re-authentication, check for privilege changes during active sessions, or implement other controls like geolocation checks, enforced client fingerprinting, or anomaly detection, Matt can continue to have access to sensitive information and system functionalities all day, exploiting the unchanged session privileges. | |
| Matt gains access to an employee’s account after stealing an unlocked computer at a train station early in the morning. Later that day, the employee’s access rights get revoked after the employee notifies the IT department. However, since the system does not require re-authentication, check for privilege changes during active sessions, or implement other controls like geolocation checks, enforced client fingerprinting, or anomaly detection, Matt can continue to have access to sensitive information and system functionalities all day, exploiting the unchanged session privileges. |
| @@ -43,5 +45,7 @@ Protect session identifiers as if they are account credentials. For HTTP cookies | |||
| 5. Set the 'secure' attribute for cookies transmitted over an TLS connection. | |||
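Review bot: the wording "for cookies transmitted over a TLS connection" inverts cause and effect; the Secure attribute is what makes the browser withhold the cookie from plain HTTP requests, so it should be set on session cookies unconditionally rather than only on those that happen to be sent over TLS. The attribute name is also in lowercase quotes here while the SM4 card in this same PR writes `Secure, HttpOnly, SameSite`. Suggest `5. Set the Secure attribute on session cookies so that the browser only sends them over TLS connections.`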
Grammar: "over an TLS connection" should be "over a TLS connection".
| 5. Set the 'secure' attribute for cookies transmitted over an TLS connection. | |
| 5. Set the 'secure' attribute for cookies transmitted over a TLS connection. |
Description
Change the text for cards belonging to VE, AT & SM to align them with modern authentication and session management practices.
The purpose is to give v3.0 a lift.