OWASP ASVS: Testing for Vulnerable Remember Password

srinivasskc · 8 September 2017 13:59

Testing for Vulnerable Remember Password (OTG-AUTHN-005)

Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed.

In below example, Cookie Name is hashed but value is not hashed.
test1234 is password of a login.

As per https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005)
does value also needs to be hashed?

utchbe · 12 September 2017 17:56

I don’t have the official answer, but I know if our PCI auditor saw a non-hashed password when viewing a cookie, it would be called out as something that would need to be resolved. If I were the tester on that team I would push for that value to be hashed.

Topic		Replies	Views
OWASP ASVS: Test remember password functionality Archive security	0	2700	13 September 2017
OWASP ASVS: Authentication of User Archive security	1	881	1 May 2020
Can you simply explain a web security risk you think testers should know about? Discussions security , risks	14	237	9 August 2025
How to test for passwordless applications? Archive	2	1303	12 December 2018
Is the following password reset mechanism free from any security concerns? Discussions security , web-testing	9	3121	7 November 2023

OWASP ASVS: Testing for Vulnerable Remember Password

Related topics