Web Application Security
Re: Web Application Vulnerability Categorization Apr 01 2014 06:27PM
Seth Art (sethsec gmail com) (1 replies)
m0nk,

This CWE fits pretty closely: CWE-640: Weak Password Recovery
Mechanism for Forgotten Password -
http://cwe.mitre.org/data/definitions/640.html

-Seth

On Tue, Apr 1, 2014 at 2:24 PM, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> m0nk,
>
> This CWE fits pretty closely: CWE-640: Weak Password Recovery Mechanism for
> Forgotten Password - http://cwe.mitre.org/data/definitions/640.html
>
> -Seth
>
>
> On Mon, Mar 31, 2014 at 10:09 PM, m@d m0nk <th3madm0nk (at) gmail (dot) com [email concealed]> wrote:
>>
>> Hello Team,
>>
>> Greetings!
>>
>> I have a web app with a password recovery option. There is a secret
>> question and if the user enters the correct answer to the secret
>> question, the username and password are provided to the user.
>>
>> If the password recovery page / module allows multiple tries
>> (brute-force and no CAPTCHA or similar mechanism), can we categorize
>> this vulnerability under "Broken Authentication and Session
>> Management" or does this fall under any other Vulnerability Category /
>> OWASP Top 10?
>>
>> Thanks in advance.
>>
>> ch33rs,
>>
>> --
>>
>> __| madm0nk |__
>> th3 sib3rian m0nk
>> --------------------------
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>


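A recovery handler hardened against the weakness the thread maps to CWE-640 (secret-question recovery with unlimited tries that hands back the password), as an added example that is not part of the original thread. The class, the lockout constants and the sample username and answer are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # failed answers allowed per account before lockout (assumed policy)
LOCKOUT_SECONDS = 900   # lockout window in seconds (assumed policy)


class RecoveryService:
    """Secret-question recovery with per-account attempt limiting.

    Answers are stored salted and stretched, compared in constant time,
    counted per account with a lockout, and a correct answer yields a
    single-use reset token instead of the stored password."""

    def __init__(self, clock=time.time):
        self._answers = {}    # username -> (salt, pbkdf2 hash of normalised answer)
        self._attempts = {}   # username -> (failed_count, locked_until)
        self._clock = clock   # injectable so lockout expiry can be tested

    @staticmethod
    def _hash(salt, answer):
        # Normalise case and whitespace so "Fluffy  the cat" matches "fluffy the cat".
        normalised = " ".join(answer.lower().split()).encode()
        return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)

    def enroll(self, username, answer):
        salt = secrets.token_bytes(16)
        self._answers[username] = (salt, self._hash(salt, answer))

    def recover(self, username, answer):
        now = self._clock()
        failed, locked_until = self._attempts.get(username, (0, 0))
        if now < locked_until:
            return {"status": "locked", "retry_after": int(locked_until - now)}
        if locked_until:          # previous lockout has expired; start a fresh window
            failed = 0
        record = self._answers.get(username)
        # Unknown user: do the same work and return the same response as a wrong answer,
        # so the endpoint cannot be used to enumerate valid usernames.
        salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
        ok = hmac.compare_digest(self._hash(salt, answer), expected) and record is not None
        if not ok:
            failed += 1
            locked_until = now + LOCKOUT_SECONDS if failed >= MAX_ATTEMPTS else 0
            self._attempts[username] = (failed, locked_until)
            return {"status": "denied"}
        self._attempts.pop(username, None)
        # Never disclose the password: issue a short-lived, single-use reset token instead.
        return {"status": "ok", "reset_token": secrets.token_urlsafe(32)}
```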
Re: Web Application Vulnerability Categorization Apr 02 2014 08:38PM
Dave Ferguson (gmdavef gmail com)

Copyright 2010, SecurityFocus