Difference between revisions of "Testing for Weak security question/answer (OTG-AUTHN-008)"

From OWASP
Jump to: navigation, search
Line 9: Line 9:
  
 
== Description of the Issue ==  
 
== Description of the Issue ==  
Security questions and answers rely on the secrecy of the answer. Answers should be of the form that are only known by the account holder. However, although a lot of answers may not be publicly known, most of the questions that websites offer promote answers that are pseduo-private. Some examples are below.
+
Security questions and answers rely on the secrecy of the answer. Answers should be of the form that are only known by the account holder. However, although a lot of answers may not be publicly known, most of the questions that websites implement promote answers that are pseduo-private. Some examples are below.
'''Pre-generated questions:''' <br>
+
<br>
The majority of pre-generated questions are fairly simplistic in nature and can generate insecure answers. For example:
+
'''Pre-generated questions:'''
* The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?"
+
<br>
* The answer may be easily guessable.  
+
The majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:
 +
* The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?", "What is your date of birth?"
 +
* The answers may be easily guessable, e.g. "What is your favorite color?", "What is your favorite baseball team?"
 +
* The answers may be brute forcible, e.g. "What is the first name of your favorite high school teacher?" - the answer is probably on some easily downloadable lists of popular first names, and therefore a simple brute force attack can be scripted.
 +
* The answers may be publicly discoverable, e.g. "What is your favorite movie?" - the answer may easily be found on the user's social media profile page.
 +
<br>
 +
'''Self-generated questions:'''
 
<br>
 
<br>
 
== Black Box testing and example ==
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
+
'''Testing for weak pre-generated questions:'''
...<br>
+
<br>
 +
'''Testing for weak self-generated questions:'''
 +
<br>
 +
'''Testing for brute-forcible answers:'''
 +
<br>
 +
Use the methods described in [[Testing for Weak lock out mechanism (OWASP-AT-004)]] to determine whether a number of incorrectly supplied security answers generates an appropriate lock out mechanism.
 +
<br>
 
'''Result Expected:'''<br>
 
'''Result Expected:'''<br>
 
...<br><br>
 
...<br><br>

Revision as of 00:36, 14 August 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


Brief Summary

Often called "secret" questions and answers, security questions and answers are often used to recover forgotten passwords, or as extra security on top of password.
They are typically generated upon account creation, and require the user to select from some pre-generated questions and supply an appropriate answer, or allow the user to generate their own question and answer pairs. Both methods are prone to insecurities.

Description of the Issue

Security questions and answers rely on the secrecy of the answer. Answers should be of the form that are only known by the account holder. However, although a lot of answers may not be publicly known, most of the questions that websites implement promote answers that are pseduo-private. Some examples are below.
Pre-generated questions:
The majority of pre-generated questions are fairly simplistic in nature and can lead to insecure answers. For example:

  • The answers may be known to family members or close friends of the user, e.g. "What is your mother's maiden name?", "What is your date of birth?"
  • The answers may be easily guessable, e.g. "What is your favorite color?", "What is your favorite baseball team?"
  • The answers may be brute forcible, e.g. "What is the first name of your favorite high school teacher?" - the answer is probably on some easily downloadable lists of popular first names, and therefore a simple brute force attack can be scripted.
  • The answers may be publicly discoverable, e.g. "What is your favorite movie?" - the answer may easily be found on the user's social media profile page.


Self-generated questions:

Black Box testing and example

Testing for weak pre-generated questions:
Testing for weak self-generated questions:
Testing for brute-forcible answers:
Use the methods described in Testing for Weak lock out mechanism (OWASP-AT-004) to determine whether a number of incorrectly supplied security answers generates an appropriate lock out mechanism.
Result Expected:
...

References

Whitepapers
...
Tools
...