OWASP ASVS: Testing for Vulnerable Remember Password

(srinivas) #1

Testing for Vulnerable Remember Password (OTG-AUTHN-005)

Look for passwords being stored in a cookie. Examine the cookies stored by the application. Verify that the credentials are not stored in clear text, but are hashed.

In the example below, the cookie name is hashed but the value is not.
test1234 is the password for the login.

As per https://www.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005),
does the value also need to be hashed?

(Butch Mayhew) #2

I don’t have the official answer, but I know if our PCI auditor saw a non-hashed password when viewing a cookie, it would be called out as something that would need to be resolved. If I were the tester on that team, I would push for that value to be hashed.
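An added example, not part of either post above and not the OWASP guide's own tooling: a small Python check that turns the OTG-AUTHN-005 step ("examine the cookies the application sets, verify the credential is not stored in clear text") into something repeatable. It takes the `Set-Cookie` headers a login response returned together with the test account's password, and flags any cookie whose value carries that password in clear text, URL-encoded, base64, hex, or as an unsalted MD5/SHA-1/SHA-256 digest. The digest cases are included deliberately: a cookie holding an unsalted hash of the password is still a long-lived credential that anyone who steals the cookie can replay, and a fast unsalted hash of a short password can be recovered offline, so hashing the value alone does not close the finding. The sample headers are constructed for this example, and the cookie names (`rememberme`, `auth`, `pw`, `session`) are assumptions, not taken from the original post.

```python
import base64
import hashlib
import urllib.parse

# Constructed sample (not captured from any real application):
# Set-Cookie headers as a login response might return them. 'test1234'
# is the test account's password, as in the question above. The cookie
# names are assumptions for this example.
PASSWORD = "test1234"
SAMPLE_SET_COOKIE = [
    "rememberme=test1234; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT",
    "auth=" + base64.b64encode(PASSWORD.encode()).decode() + "; Path=/; HttpOnly",
    "pw=" + hashlib.md5(PASSWORD.encode()).hexdigest() + "; Path=/; Secure; HttpOnly",
    "session=8f3c2b7e9d1a4c6f; Path=/; Secure; HttpOnly",   # opaque random token
]


def password_forms(password: str) -> dict:
    """Forms in which a 'remembered' password commonly appears in a cookie value."""
    raw = password.encode()
    forms = {
        "cleartext": password,
        "url-encoded": urllib.parse.quote(password, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
    }
    # Unsalted digests are flagged too: they are replayable and crackable offline.
    for algo in ("md5", "sha1", "sha256"):
        forms["unsalted-" + algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {lower-cased attribute names})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip().strip('"'), attrs


def inspect_cookies(set_cookie_headers, password: str) -> list:
    """Return one finding per cookie whose value embeds the password in any known form."""
    forms = password_forms(password)
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        for label, encoded in forms.items():
            # Case-insensitive on purpose: some servers emit upper-case hex digests.
            if encoded.lower() in value.lower():
                findings.append({
                    "cookie": name,
                    "encoding": label,
                    "secure": "secure" in attrs,     # flags matter: the cookie IS the credential
                    "httponly": "httponly" in attrs,
                })
                break   # one finding per cookie is enough
    return findings


if __name__ == "__main__":
    for f in inspect_cookies(SAMPLE_SET_COOKIE, PASSWORD):
        print(f"cookie {f['cookie']!r} stores the password as {f['encoding']} "
              f"(Secure={f['secure']}, HttpOnly={f['httponly']})")
```

To use it against a real target, replace `SAMPLE_SET_COOKIE` with the `Set-Cookie` headers from the login response (with "remember me" ticked) and `PASSWORD` with the test account's password; a clean result is a list of findings that is empty, with the "remember me" cookie holding an opaque token the server can revoke rather than anything derived from the password.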