Requirements for preventing logic flaws in the authentication procedure of web applications

International audienceEnsuring the security is one of the most daunting challenges that web applications are facing nowadays. Authentication and authorization are two main security fields that web applications must consider to be protected against unauthorized accesses. Various approaches that detect well-known vulnerabilities and flaws exist. However, these approaches mainly focus on detecting input validation flaws. Another kind of flaws that affect web applications are logic flaws, but they lack of considerations. This paper proposes an approach that helps to considering logic flaws in the context of web applications. The goal of the proposal is to strengthen the authentication procedure of web applications and thus enforce the security early in the design phase. We conducted an empirical study in nine well-known web-based applications to demonstrate that logic flaws may put at risk the authentication procedure. The results showed that logic flaws may be either caused by security issues or usability issues. To overcome such flaws, we provide ten relevant requirements that should be followed in the design of an authentication procedure