# Testing for Vulnerable Remember Password (WSTG-ATHN-05)

| ID           |
| ------------ |
| WSTG-ATHN-05 |

## Summary

Credentials are the most widely used authentication technology. Because username-password pairs are used so widely, users are no longer able to manage their credentials properly across the multitude of applications they use.

In order to assist users with their credentials, multiple technologies surfaced:

* Applications provide a *remember me* functionality that allows the user to stay authenticated for long periods of time, without asking the user again for their credentials.
* Password managers, including browser password managers, that allow the user to store their credentials securely and later inject them into login forms without any user intervention.

## Test Objectives

* Validate that the generated session is managed securely and does not put the user's credentials in danger.

## How to Test

While these methods provide a better user experience and allow the user to forget all about their credentials, they also increase the attack surface. Some applications:

* Store the credentials in an encoded fashion in the browser's storage mechanisms, which can be verified by following the [web storage testing scenario](https://owasp.boireau.io/4-web_application_security_testing/11-client-side_testing/12-testing_browser_storage) and going through the [session analysis](https://owasp.boireau.io/06-session_management_testing/01-testing_for_session_management_schema#session-analysis) scenarios. Credentials shouldn't be stored in any way in the client-side application, and should be substituted by tokens generated server-side.
* Automatically inject the user's credentials, which can be abused by:
  * [ClickJacking](https://owasp.boireau.io/4-web_application_security_testing/11-client-side_testing/09-testing_for_clickjacking) attacks.
  * [CSRF](https://owasp.boireau.io/4-web_application_security_testing/06-session_management_testing/05-testing_for_cross_site_request_forgery) attacks.
* Tokens should be analyzed for their lifetime: some tokens never expire and put users in danger if they are ever stolen. Make sure to follow the [session timeout](https://owasp.boireau.io/4-web_application_security_testing/06-session_management_testing/07-testing_session_timeout) testing scenario.
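The two checks above (encoded credentials in browser storage, and token lifetime) can be scripted once the tester has exported the browser's cookies and storage after logging in with known test credentials. The following is an added example for this guide, not code from the WSTG project; the storage entries, the test password and the cookie attributes are constructed sample data, and the 30-day limit is an assumption you would replace with the application's own policy.

```python
import base64
import binascii
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not from any real application):
# the tester logged in with known test credentials, then exported what the
# browser kept in cookies and localStorage.
TEST_PASSWORD = "S3cret-Pass!"
STORAGE_ENTRIES = {
    "cookie:remember_me": "YWxpY2U6UzNjcmV0LVBhc3Mh",  # base64 of "alice:S3cret-Pass!"
    "localStorage:auth": "alice%3AS3cret-Pass%21",     # URL-encoded "alice:S3cret-Pass!"
    "localStorage:prefs": "theme=dark",
    "cookie:session": "c9f1a4e2b7d3580f6a1c2e9b4d7f0a35",  # opaque 128-bit hex token
}
# Fixed clock so the lifetime check is reproducible.
ASSESSMENT_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


def candidate_decodings(value):
    """Yield (encoding, text) pairs: the value as-is and each reversible
    encoding under which a credential is commonly "hidden" client-side."""
    yield "plain", value
    unquoted = urllib.parse.unquote(value)
    if unquoted != value:
        yield "url", unquoted
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped base64 padding
    for name, altchars in (("base64", None), ("base64url", b"-_")):
        try:
            yield name, base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            pass
    try:
        yield "hex", bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        pass


def find_credential_leaks(entries, secret):
    """Return [(storage_key, encoding)] for every entry that contains `secret`
    under some decoding. Any hit means the credential itself, not a
    server-issued token, is persisted client-side."""
    leaks = []
    for key, value in entries.items():
        for encoding, text in candidate_decodings(value):
            if secret in text:
                leaks.append((key, encoding))
                break
    return leaks


def lifetime_finding(name, attrs, now=ASSESSMENT_TIME, limit=timedelta(days=30)):
    """Flag a persistent cookie whose client-side lifetime exceeds `limit`.
    Returns a finding string, or None. This only reads the cookie attributes;
    the server must still be tested to confirm it rejects the token after expiry."""
    if "Max-Age" in attrs:
        lifetime = timedelta(seconds=int(attrs["Max-Age"]))
    elif "Expires" in attrs:
        expires = datetime.strptime(attrs["Expires"], "%a, %d %b %Y %H:%M:%S GMT")
        lifetime = expires.replace(tzinfo=timezone.utc) - now
    else:
        return None  # session cookie: discarded when the browser closes
    if lifetime > limit:
        return f"{name}: lifetime {lifetime.days} days exceeds {limit.days}-day limit"
    return None


if __name__ == "__main__":
    for key, enc in find_credential_leaks(STORAGE_ENTRIES, TEST_PASSWORD):
        print(f"credential found in {key} ({enc} encoded)")
    sample_cookies = {
        "remember_me": {"Max-Age": "315360000"},  # ten years
        "session": {},
        "recent": {"Expires": "Thu, 01 Jan 2037 00:00:00 GMT"},
    }
    for cookie_name, attrs in sample_cookies.items():
        finding = lifetime_finding(cookie_name, attrs)
        if finding:
            print(finding)
```

Run against the sample data, the scan reports the base64-encoded `remember_me` cookie and the URL-encoded `auth` entry as credential leaks, while the opaque session token and the preferences entry pass; the ten-year `Max-Age` is flagged by the lifetime check. Searching for the known test password under each decoding is deliberately simpler than trying to recognise "credential-looking" strings: the tester controls the password, so a hit is unambiguous.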

## Remediation

* Follow [session management](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) good practices.
* Ensure that no credentials are stored in clear text or are easily retrievable in encoded or encrypted forms in browser storage mechanisms; they should be stored server-side and follow good [password storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) practices.
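To make the remediation concrete, here is an added example (not code from the WSTG project or any cheat sheet) of a "remember me" implementation that keeps credentials server-side and hands the browser only an opaque, expiring token. The selector/validator split, the hashed storage of the validator, the one-time redemption and the 30-day lifetime are design choices assumed for this example; the in-memory dictionary stands in for a database table, and the weak cookie shown first is the anti-pattern the test section warns about.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=30)  # assumed policy for this example


def weak_remember_me_cookie(username, password):
    """The anti-pattern: the credential itself, merely base64-encoded, handed
    to the browser. Anyone who can read the cookie has the password."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


class RememberMeStore:
    """Server-side store for opaque remember-me tokens.

    Cookie value: "<selector>:<validator>", both random. The selector looks the
    row up; only a SHA-256 hash of the validator is stored, so a leaked table
    does not yield usable cookies. Expiry is enforced here, not by the browser.
    """

    def __init__(self, now):
        self._rows = {}  # selector -> dict(user, validator_hash, expires)
        self.now = now   # injectable clock (timezone-aware datetime)

    def issue(self, username):
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self._rows[selector] = {
            "user": username,
            "validator_hash": hashlib.sha256(validator.encode()).hexdigest(),
            "expires": self.now + TOKEN_LIFETIME,
        }
        return f"{selector}:{validator}"

    def redeem(self, cookie_value):
        """Return the username for a valid, unexpired token, else None.
        The token is consumed on success and the caller issues a fresh one,
        so a stolen copy replayed later is rejected."""
        selector, sep, validator = cookie_value.partition(":")
        row = self._rows.get(selector) if sep else None
        if row is None:
            return None
        if self.now >= row["expires"]:
            del self._rows[selector]
            return None
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(presented, row["validator_hash"]):
            return None
        del self._rows[selector]
        return row["user"]

    def revoke_all(self, username):
        """Logout or password change invalidates every outstanding token."""
        for selector in [s for s, r in self._rows.items() if r["user"] == username]:
            del self._rows[selector]


def demo():
    """Walk the token lifecycle with a fixed clock; returns the observations."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = RememberMeStore(now=start)
    cookie = store.issue("alice")
    selector = cookie.split(":")[0]
    results = {
        "weak_cookie_decodes_to_password": base64.b64decode(
            weak_remember_me_cookie("alice", "S3cret-Pass!")).decode() == "alice:S3cret-Pass!",
        "garbage_rejected": store.redeem("not-a-token") is None,
        "wrong_validator_rejected": store.redeem(f"{selector}:{'A' * 43}") is None,
        "first_redeem": store.redeem(cookie),
        "replay_rejected": store.redeem(cookie) is None,
    }
    cookie2 = store.issue("alice")
    store.now = start + TOKEN_LIFETIME + timedelta(seconds=1)
    results["expired_rejected"] = store.redeem(cookie2) is None
    store.now = start
    cookie3 = store.issue("bob")
    store.revoke_all("bob")
    results["revoked_rejected"] = store.redeem(cookie3) is None
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Nothing in the cookie is derived from the password, so the storage scan from the test section finds nothing to decode, and the lifetime is bounded by the server rather than by a `Max-Age` the client could ignore. Issuing a fresh token on every successful redemption also gives the server a signal: a second presentation of an already-consumed token indicates either a duplicated cookie or a stolen one.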
