Web Application Security
Re: Web Application Vulnerability Categorization Apr 01 2014 06:27PM
Seth Art (sethsec gmail com) (1 reply)
Re: Web Application Vulnerability Categorization Apr 02 2014 08:38PM
Dave Ferguson (gmdavef gmail com)
In terms of OWASP Top Ten, yes - I would categorize it under Broken
Auth & Session Management.

Also, check out the OWASP cheat sheet on this topic for helpful
remediation advice.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Dave

On Tue, Apr 1, 2014 at 1:27 PM, Seth Art <sethsec (at) gmail (dot) com> wrote:
> m0nk,
>
> This CWE fits pretty closely: CWE-640: Weak Password Recovery
> Mechanism for Forgotten Password -
> http://cwe.mitre.org/data/definitions/640.html
>
> -Seth
>
>>> On Mon, Mar 31, 2014 at 10:09 PM, m@d m0nk <th3madm0nk (at) gmail (dot) com> wrote:
>>>
>>> Hello Team,
>>>
>>> Greetings!
>>>
>>> I have a web app with a password recovery option. There is a secret
>>> question and if the user enters the correct answer to the secret
>>> question, the username and password are provided to the user.
>>>
>>> If the password recovery page / module allows multiple tries
>>> (brute-force and no CAPTCHA or similar mechanism), can we categorize
>>> this vulnerability under "Broken Authentication and Session
>>> Management" or does this fall under any other Vulnerability Category /
>>> OWASP Top 10?
>>>
>>> Thanks in advance.
>>>
>>> ch33rs,
>>>
>>> --
>>>
>>> __| madm0nk |__
>>> th3 sib3rian m0nk
>>> --------------------------
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------
>>>
>>
>


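To make the categorization concrete, here is an added example (not code from the thread, the OWASP cheat sheet or CWE-640) contrasting the design m0nk describes with a hardened recovery handler of the kind the cheat sheet recommends. The account data, the guess list, the FakeClock and the thresholds MAX_ATTEMPTS, LOCKOUT_SECONDS and TOKEN_TTL_SECONDS are all constructed for the example. The vulnerable class lets a client guess the secret answer without limit and echoes the password back; the hardened class stores a salted hash of the normalized answer, compares in constant time, locks recovery for the account after a run of failures, returns the same generic reply in every case, and on success only mints a short-lived reset token instead of revealing the password.

```python
"""Secret-question recovery: guessable design beside a hardened one.
Added example with constructed data; thresholds are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample account used by the vulnerable version (not real data).
SAMPLE_ACCOUNT = {"username": "alice", "password": "correct horse", "answer": "rex"}
# Constructed guess list; a real attacker would use a pet-name dictionary.
GUESSES = ["max", "bella", "charlie", "luna", "buddy", "rex", "daisy"]
# Illustrative thresholds (assumptions for this example).
MAX_ATTEMPTS = 5         # wrong answers before recovery for the account is locked
LOCKOUT_SECONDS = 900    # how long recovery stays locked
TOKEN_TTL_SECONDS = 600  # lifetime of an issued reset token
PBKDF2_ROUNDS = 50_000


class VulnerableRecovery:
    """The design from the thread: unlimited tries, no CAPTCHA, and the
    password itself echoed back on a correct answer (CWE-640)."""

    def __init__(self, account):
        self.account = account

    def recover(self, username, answer):
        if username == self.account["username"] and answer == self.account["answer"]:
            return f"username={username} password={self.account['password']}"
        return "wrong answer"


def brute_force(recovery, username, guesses):
    """Try each guess until the server's reply changes; returns (guess, reply)."""
    for guess in guesses:
        reply = recovery.recover(username, guess)
        if reply != "wrong answer":
            return guess, reply
    return None, None


def normalize(answer):
    """Case- and whitespace-insensitive so 'Rex ' and 'rex' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    username: str
    salt: bytes
    answer_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def make_account(username, answer):
    salt = secrets.token_bytes(16)
    return AccountState(username, salt, hash_answer(answer, salt))


class FakeClock:
    """Constructed clock so lockout expiry can be exercised without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class HardenedRecovery:
    """Rate-limited, constant-time check that never reveals the password: a
    correct answer only mints a short-lived reset token (delivered out-of-band
    in a real deployment), and every reply to the client looks the same."""

    GENERIC = "If the details match, a password reset link has been sent."

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock
        self.tokens = {}  # token -> (username, expiry); kept server-side only

    def recover(self, username, answer):
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_answer(answer, bytes(16))  # spend the same time as a real lookup
            return self.GENERIC
        if now < acct.locked_until:
            return self.GENERIC  # locked: the guess is not even evaluated
        if hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
            acct.failures = 0
            self.tokens[secrets.token_urlsafe(32)] = (username, now + TOKEN_TTL_SECONDS)
            return self.GENERIC
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return self.GENERIC

    def pending_resets(self):
        """Unexpired reset tokens: what an attacker would actually need."""
        now = self.clock()
        return sum(1 for _, expiry in self.tokens.values() if expiry > now)
```

Against VulnerableRecovery the sixth guess returns the password. Against HardenedRecovery the five wrong guesses before it lock the account, the correct guess is then not evaluated at all, every reply is identical, and only after the lockout has expired does the right answer produce a reset token. In a real deployment the lock should also be enforced per source address and the token delivered to a verified channel, which this example does not model.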
Copyright 2010, SecurityFocus