Difference between revisions of "Testing for weak password change or reset functionalities (OTG-AUTHN-009)"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == <br> ..here: we describe in "natural language" what we want to test. <br> == Description of the Issue == <br> ...her...")
 
Line 2: Line 2:
  
  
== Brief Summary ==
+
== Summary ==
<br>
+
 
..here: we describe in "natural language" what we want to test.
+
 
<br>
+
 
== Description of the Issue ==  
+
== Test objectives ==
<br>
+
 
...here: Short Description of the Issue: Topic and Explanation
+
Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account.
<br>
+
 
== Black Box testing and example ==
+
Determine the resistance of reset passwords to guessing.
'''Testing for Topic X vulnerabilities:''' <br>
+
 
...<br>
+
== How to test ==
'''Result Expected:'''<br>
+
 
...<br><br>
+
This test case aligns closely with OTG-AUTHN-007 - Testing for Weak Password Policy
 +
# Can users other than administrators access change/reset passwords for accounts other than their own?
 +
# Can users manipulate/subvert the password change/reset process to change/reset the password of another user or administrator?
 +
# Is the password change/reset process vulnerable to CSRF?
 +
# Are reset passwords generated randomly or using an algorithm the can be derived?
 +
# How are reset passwords communicated to the user?
 +
 
 +
=== Example ===
 +
 
 +
 
 +
 
 +
== Tools ==
 +
 
 
== References ==
 
== References ==
'''Whitepapers'''<br>
+
 
...<br>
+
 
'''Tools'''<br>
+
== Remediation ==
...<br>
+
 
 +
The password change/reset function is a sensitive function and requires some form of protection, such as requiring users to re-authenticate or presenting the user with confirmation dialogs during the process.

Revision as of 10:41, 6 November 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


Summary

Test objectives

Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account.

Determine the resistance of reset passwords to guessing.

How to test

This test case aligns closely with OTG-AUTHN-007 - Testing for Weak Password Policy

  1. Can users other than administrators access change/reset passwords for accounts other than their own?
  2. Can users manipulate/subvert the password change/reset process to change/reset the password of another user or administrator?
  3. Is the password change/reset process vulnerable to CSRF?
  4. Are reset passwords generated randomly or using an algorithm the can be derived?
  5. How are reset passwords communicated to the user?

Example

Tools

References

Remediation

The password change/reset function is a sensitive function and requires some form of protection, such as requiring users to re-authenticate or presenting the user with confirmation dialogs during the process.