2014-05-14

Final edit


Revision as of 18:25, 14 May 2014

Line 4:

Line 4:

 

== Summary ==

 

== Summary ==

 

 



The password change
/
reset function of an application is a self-service password change
/
reset mechanism for users. This self-service mechanism allows users to quickly change
/
reset their password without an administrator intervening. When passwords are changed they are typically changed within the application. When passwords are reset they are either rendered within the application or emailed to the user. This may indicate that the passwords are stored in
plaintext
or in a decryptable format.

+

The password change
and
reset function of an application is a self-service password change
or
reset mechanism for users. This self-service mechanism allows users to quickly change
or
reset their password without an administrator intervening. When passwords are changed they are typically changed within the application. When passwords are reset they are either rendered within the application or emailed to the user. This may indicate that the passwords are stored in
plain text
or in a decryptable format.
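Review bot: the last sentence of the new Summary paragraph overstates the inference. Rendering or emailing a password only indicates plain-text or decryptable storage when it is the user's existing password that is returned; a freshly generated temporary password can be emailed without any reversible storage, and the Test Password Reset section below draws exactly that line for "the old password in clear text". Suggest "When the existing password is rendered within the application or emailed to the user, this may indicate that passwords are stored in plain text or in a decryptable format."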

 

+

 

 

 

 

== Test objectives ==

 

== Test objectives ==

 

 



Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account.
<br>

+

#
Determine the resistance of the application to subversion of the account change process allowing someone to change the password of an account.



Determine the resistance of the passwords reset functionality against guessing or bypassing.

+

#
Determine the resistance of the passwords reset functionality against guessing or bypassing.
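Review bot: both numbered objectives carry wording worth tidying while the list is being restructured. In the first, "subversion of the account change process" should read "password change process" to match the rest of the page; in the second, "the passwords reset functionality" should be "the password reset functionality".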

 

+

 

 

 

 

== Black Box Testing and Examples ==

 

== Black Box Testing and Examples ==

 

 



For both
functionalities (
password change and password reset
)
it is important to check:

+

For both password change and password reset it is important to check:



# if users, other than administrators, can change
/
reset passwords for accounts other than their own.

+

# if users, other than administrators, can change
or
reset passwords for accounts other than their own.



# if users can manipulate
/
subvert the password change
/
reset process to change
/
reset the password of another user or administrator.

+

# if users can manipulate
or
subvert the password change
or
reset process to change
or
reset the password of another user or administrator.



# if the password change
/
reset process is vulnerable to [[Testing_for_CSRF_(OWASP-SM-005)|CSRF]]

+

# if the password change
or
reset process is vulnerable to [[Testing_for_CSRF_(OWASP-SM-005)|CSRF]]
.
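Review bot: the first two checks overlap. Item 1 (users changing or resetting passwords for accounts other than their own) and item 2 (users manipulating the process to change another user's password) describe the same outcome; if the intent is to separate a missing authorization check from manipulation of the flow itself, state that distinction, otherwise merge them. The cross-references on the page also mix naming schemes: the CSRF link targets "Testing_for_CSRF_(OWASP-SM-005)", the password policy link "OWASP-AT-008" and the security question link "OTG-AUTHN-008"; worth confirming each target still resolves.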

 

+

 

 

 

 

=== Test Password Reset ===

 

=== Test Password Reset ===

Line 23:

Line 26:

 

 

 

* What information is required to reset the password?

 

* What information is required to reset the password?



The first step is to check whether secret questions
/information
are required. Sending the password (or a password reset link) to the user email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security.<br>

+

The first step is to check whether secret questions are required. Sending the password (or a password reset link) to the user email address without first asking for a secret question means relying 100% on the security of that email address, which is not suitable if the application needs a high level of security.<br>
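Review bot: "relying 100% on the security of that email address" is informal for a guide; suggest "relying entirely on the security of that email address". It would also help to spell out what the secret question guards against, namely that anyone who can read the mailbox can complete the reset, since that is what makes the email-only flow unsuitable for a high-security application.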

 

On the other hand, if secret questions are used, the next step is to assess their strength. This specific test is discussed in detail in the [[Testing_for_Weak_security_question/answer_(OTG-AUTHN-008)|Testing for Weak security question/answer]] paragraph of this guide.

 

On the other hand, if secret questions are used, the next step is to assess their strength. This specific test is discussed in detail in the [[Testing_for_Weak_security_question/answer_(OTG-AUTHN-008)|Testing for Weak security question/answer]] paragraph of this guide.

 

<br>

 

<br>

 

* How are reset passwords communicated to the user?

 

* How are reset passwords communicated to the user?



The most insecure scenario here is if the password reset tool shows you the password; this gives the attacker the ability to log into the account, and unless the application provides information about the last
login
the victim would not know that
his/her
account has been compromised.<br>

+

The most insecure scenario here is if the password reset tool shows you the password; this gives the attacker the ability to log into the account, and unless the application provides information about the last
log in
the victim would not know that
their
account has been compromised.<br>
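Review bot: the change from "login" to "log in" introduces an error. In "information about the last login" the word is a noun, for which the one-word form is correct; "log in" is the verb. Suggest restoring "login" here ("log into the account" earlier in the sentence is the verb and is fine as is).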



A less insecure scenario is if the password reset tool forces the user to immediately change
his/her
password. While not as stealthy as the first case, it allows the attacker to gain access and locks the real user out.<br>

+

A less insecure scenario is if the password reset tool forces the user to immediately change
their
password. While not as stealthy as the first case, it allows the attacker to gain access and locks the real user out.<br>

 

The best security is achieved if the password reset is done via an email to the address the user initially registered with, or some other email address; this forces the attacker to not only guess at which email account the password reset was sent to (unless the application show this information) but also to compromise that email account in order to obtain the temporary password or the password reset link.

 

The best security is achieved if the password reset is done via an email to the address the user initially registered with, or some other email address; this forces the attacker to not only guess at which email account the password reset was sent to (unless the application show this information) but also to compromise that email account in order to obtain the temporary password or the password reset link.

 

<br>

 

<br>



* Are reset passwords generated randomly
or not
?

+

* Are reset passwords generated randomly?



The most insecure scenario here is if the application sends
/
visualizes the old password in clear text because this means that passwords are not stored in a hashed form, which is a security issue in itself.<br>

+

The most insecure scenario here is if the application sends
or
visualizes the old password in clear text because this means that passwords are not stored in a hashed form, which is a security issue in itself.<br>
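Review bot: "visualizes" is an odd choice for showing a value on screen; suggest "displays". The paragraph also says "clear text" where the Summary says "plain text"; pick one term for the page.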

 

The best security is achieved if passwords are randomly generated with a secure algorithm that cannot be derived.

 

The best security is achieved if passwords are randomly generated with a secure algorithm that cannot be derived.

 

<br>

 

<br>

 

* Is the reset password functionality requesting confirmation before changing the password?

 

* Is the reset password functionality requesting confirmation before changing the password?



To limit denial-of-service attacks the application should
send, via e-mail,
a link to the user with a random token, and only if the user visits the link then the reset procedure is completed. This ensures that the current password will still be valid until the reset has been confirmed.

+

To limit denial-of-service attacks the application should
email
a link to the user with a random token, and only if the user visits the link then the reset procedure is completed. This ensures that the current password will still be valid until the reset has been confirmed.
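Review bot: the clause "only if the user visits the link then the reset procedure is completed" is ungrammatical; suggest "and complete the reset only when the user visits that link". Since the random token is what gates the change, the paragraph should also say that the token is single-use and expires after a short time; as written it only states that the current password stays valid until confirmation.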

 

<br><br>

 

<br><br>

 

 

Line 44:

Line 47:

 

 

 

* Is the old password requested to complete the change?

 

* Is the old password requested to complete the change?



The most insecure scenario here is if the application permits the change of the password without requesting the current password. Indeed if an attacker is able to take control of a valid session
(s)he
could easily change the victim's password.<br>

+

The most insecure scenario here is if the application permits the change of the password without requesting the current password. Indeed if an attacker is able to take control of a valid session
they
could easily change the victim's password.<br>
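Review bot: "Indeed if an attacker is able to take control of a valid session they could" needs a comma after "session", and "Indeed" adds nothing; suggest "If an attacker is able to take control of a valid session, they could easily change the victim's password."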

 

 

 

See also [[Testing_for_Weak_password_policy_(OWASP-AT-008)|Testing for Weak password policy]] paragraph of this guide.

 

See also [[Testing_for_Weak_password_policy_(OWASP-AT-008)|Testing for Weak password policy]] paragraph of this guide.

 

+

 

 

 

== References ==

 

== References ==

Line 52:

Line 56:

 

* [[Forgot_Password_Cheat_Sheet|OWASP Forgot Password Cheat Sheet]]

 

* [[Forgot_Password_Cheat_Sheet|OWASP Forgot Password Cheat Sheet]]

 

* [[OWASP_Periodic_Table_of_Vulnerabilities_-_Insufficient_Password_Recovery|OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery]]

 

* [[OWASP_Periodic_Table_of_Vulnerabilities_-_Insufficient_Password_Recovery|OWASP Periodic Table of Vulnerabilities - Insufficient Password Recovery]]

 

+

 

 

 

== Remediation ==

 

== Remediation ==

 

 



The password change
/
reset function is a sensitive function and requires some form of protection, such as requiring users to re-authenticate or presenting the user with confirmation
dialogs
during the process.

+

The password change
or
reset function is a sensitive function and requires some form of protection, such as requiring users to re-authenticate or presenting the user with confirmation
screens
during the process.
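Review bot: "some form of protection" is vague for a remediation section when the page above already names the controls. Suggest listing them: require the current password before a change (the "Is the old password requested" check), confirm resets by emailing a link with a random token so the existing password stays valid until the link is visited, generate reset passwords randomly with a secure algorithm, and never display or email the existing password.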
