Web Application Security
Re: Web Application Vulnerability Categorization Apr 02 2014 06:36PM
m@d m0nk (th3madm0nk gmail com)
Thank you guys - got the idea.

On Wed, Apr 2, 2014 at 7:10 PM, Eric Schultz <fire0088 (at) gmail (dot) com [email concealed]> wrote:
> It's important to note that you described two different findings.
>
> 1. Password recovery is brute-forceable. If you stuck with OWASP, the broken
> auth category is the best fit. Check if your client has an account lockout
> policy. Policy violations may be taken more seriously. Seth listed the
> correct CWE if you go that way too.
>
> 2. Passwords in database stored in clear text or reversible format. If you
> can see the password, one of the two is happening. Best practice is that
> passwords should be stored as hashes (non-reversible encryption).
>
> -Eric
>
> On Apr 1, 2014 2:25 AM, "m@d m0nk" <th3madm0nk (at) gmail (dot) com [email concealed]> wrote:
>>
>> Hello Team,
>>
>> Greetings!
>>
>> I have a web app with a password recovery option. There is a secret
>> question and if the user enters the correct answer to the secret
>> question, the username and password are provided to the user.
>>
>> If the password recovery page / module allows multiple tries
>> (brute-force and no CAPTCHA or similar mechanism), can we categorize
>> this vulnerability under "Broken Authentication and Session
>> Management" or does this fall under any other Vulnerability Category /
>> OWASP Top 10?
>>
>> Thanks in advance.
>>
>> ch33rs,
>>
>> --
>>
>> __| madm0nk |__
>> th3 sib3rian m0nk
>> --------------------------

--

__| madm0nk |__
th3 sib3rian m0nk
--------------------------
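As an added illustration of the two fixes Eric describes (this is example code, not anything from the thread): the recovery flow below locks the account after repeated wrong secret-question answers, and stores both the password and the answer as salted PBKDF2 hashes, so the recovery step can only hand out a reset token, never the password itself. The lockout threshold, window and account record are constructed for the example.

```python
"""Password-recovery flow hardened against both findings in the thread:
(1) brute-forceable secret question  -> per-account attempt lockout,
(2) recoverable password storage      -> salted one-way hashes only, so the
    flow returns a reset token and can never reveal the password.
Constructed example; not code from the thread or any product."""
import hashlib
import hmac
import os
import secrets
import time

MAX_ATTEMPTS = 5          # constructed lockout threshold
LOCKOUT_SECONDS = 900     # constructed lockout window (15 minutes)
PBKDF2_ROUNDS = 100_000   # slow hash: makes offline guessing expensive too


def hash_secret(secret, salt=None):
    """Salted, slow, one-way hash used for both the password and the answer."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def verify_secret(secret, salt, digest):
    """Constant-time comparison against the stored digest."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, username, password, secret_answer):
        self.username = username
        self.pw_salt, self.pw_hash = hash_secret(password)
        # Normalise the answer so "Fluffy " and "fluffy" match, then hash it too.
        self.sq_salt, self.sq_hash = hash_secret(secret_answer.strip().lower())
        self.failed_attempts = 0
        self.locked_until = 0.0


def recover(account, answer, now=None):
    """Return a one-time reset token on a correct answer, otherwise None.
    The record holds only hashes, so the password cannot be returned."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return None                      # locked out: do not evaluate the answer at all
    if not verify_secret(answer.strip().lower(), account.sq_salt, account.sq_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
        return None
    account.failed_attempts = 0
    return secrets.token_urlsafe(32)     # caller emails this and expires it after one use
```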

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Copyright 2010, SecurityFocus