Difference between revisions of "Testing for Vulnerable Remember Password (OWASP-AT-006)"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == <br> ..here: we describe in "natural language" what we want to test. <br> == Description of the Issue == <br> ...her...")
 
Line 2: Line 2:
  
  
== Brief Summary ==
+
== Summary ==
<br>
+
 
..here: we describe in "natural language" what we want to test.
+
The remember password function of an application is a self-service password reset/recovery mechanism for users. This self-service mechanism allows users to quickly reset/recover their password without an administrator intervening. Typically, in order to access this functionality the user must enter some form of identification, such as their username or email address.  
<br>
+
 
== Description of the Issue ==  
+
== Test objectives ==
<br>
+
 
...here: Short Description of the Issue: Topic and Explanation
+
Evaluate the remember password function's user identification requirements. e.g. username, email address, security question
<br>
+
 
== Black Box testing and example ==
+
Evaluate the method for how the reset/recovered password is communicated to the user
'''Testing for Topic X vulnerabilities:''' <br>
+
 
...<br>
+
Evaluate the logic/workflow for how the password is reset/recovered
'''Result Expected:'''<br>
+
 
...<br><br>
+
== How to test ==
 +
 
 +
# Evaluate the level of identification that is required by the user to trigger a reset/recovery
 +
# Observe how the reset/recovered password is communicated to the user. e.g. email, rendered by browser
 +
# Observe what steps are required to reset/recover password and what can be injected and falsified during this exchange
 +
 
 +
=== Example ===
 +
 
 +
 
 +
 
 +
== Tools ==
 +
 
 
== References ==
 
== References ==
'''Whitepapers'''<br>
+
 
...<br>
+
 
'''Tools'''<br>
+
== Remediation ==
...<br>
+
 
 +
Implement additional identification requirements depending on the risk level. In order from lowest to highest assurance:
 +
 
 +
# username
 +
# security question
 +
# email address
 +
# username and email address and security question
 +
# positive identification based on physical attendance of user
 +
 
 +
Implement additional security to the transfer of the password to the user depending on the risk level. In order from lowest to highest assurance:
 +
 
 +
# Rendered by browser
 +
# Unencrypted email
 +
# Manually processed based on positive user identification and physically transferred by certified post or courier to user

Revision as of 09:36, 6 November 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Contents


Summary

The remember password function of an application is a self-service password reset/recovery mechanism for users. This self-service mechanism allows users to quickly reset/recover their password without an administrator intervening. Typically, in order to access this functionality the user must enter some form of identification, such as their username or email address.

Test objectives

Evaluate the remember password function's user identification requirements. e.g. username, email address, security question

Evaluate the method for how the reset/recovered password is communicated to the user

Evaluate the logic/workflow for how the password is reset/recovered

How to test

  1. Evaluate the level of identification that is required by the user to trigger a reset/recovery
  2. Observe how the reset/recovered password is communicated to the user. e.g. email, rendered by browser
  3. Observe what steps are required to reset/recover password and what can be injected and falsified during this exchange

Example

Tools

References

Remediation

Implement additional identification requirements depending on the risk level. In order from lowest to highest assurance:

  1. username
  2. security question
  3. email address
  4. username and email address and security question
  5. positive identification based on physical attendance of user

Implement additional security to the transfer of the password to the user depending on the risk level. In order from lowest to highest assurance:

  1. Rendered by browser
  2. Unencrypted email
  3. Manually processed based on positive user identification and physically transferred by certified post or courier to user