Testing for Vulnerable Remember Password and Pwd Reset (OWASP-AT-006)
..here: we describe in "natural language" what we want to test.
Description of the Issue
...here: Short Description of the Issue: Topic and Explanation
Password self-reset tools are quite easy to assess. Their value and security lie in the ability to provide a way for someone to identify themselves to the system with answers to questions that are not easily answerable via personal information lookups.
As an example, a terrible question would be “Mother’s maiden name” since that is something that can be had without extreme effort. An example of a good question would be “favorite grade-school teacher” since this would be a much more difficult topic to research about a person who’s identity may otherwise already be stolen.
Blackbox Testing and Examples
Testing for Topic X vulnerabilities:
The first thing that should be done when testing a password self-reset function is assessing the questions (“secret questions”) presented to the potential password re-setter. Ask yourself whether you could obtain answers to any or all of these questions via a simple Google search on the Internet. Often a self-reset system offers the choice of multiple questions; this is a good sign for the would-be attacker. This presents the attacker with options. As a potential attacker, here is a step-by-step walk through of assessing a password self-reset tool:
- Are there multiple questions offered?
- If so, try to pick a question which would have a “public” answer; for example, something Google would find with a simple query
- Always pick questions which have a factual answer such as a “first school” or other fact which can be looked up
- Look for questions which have few possible options such as “what make was your first car”; this question would present the attacker with a short-list of answers to guess at and based on statistics the attacker could rank answers from most to least likely
- Determine how many guesses you have (if possible)
- Does the password reset too allow you to guess at the answer to the secret question(s) forever?
- Is there a lockout period after X incorrect answers?
- Pick the appropriate question based on analysis from above point, and do research to determine the most likely answers
- How does the password-reset tool (once a successful answer to a question is found) behave?
- Does it allow immediate change of the password?
- Does it display the old password?
- Does it email the password to some pre-defined email address?
- The best scenario here is if the password reset tool shows you the password; this gives you the ability to log into the account without the real user knowing that you’ve obtained access.
- The second-best scenario is if the password reset tool allows you to immediately change your password. While not very stealthy, it gets the job done and gives you access and locks the real user out.
- The worst-case scenario is if the password reset is done via an email to a email address the user initially registered with, or some other email address; this forces you to then to not only guess at which email account the password reset was sent to (unless the application tells you) but you now have to commandeer that account as well making this exercise much more complex.
The key to successfully exploiting and bypassing a password self-reset is to find a question or set of questions which give the possibility of easily acquiring the answers. Always look for questions which can give you the greatest statistical chance of guessing the correct answer, if you are completely unsure of any of the answers. In the end, a password self-reset tool is only as strong as the weakest question.
OWASP Testing Guide v2