Fix 1151-2: Added section & info surrounding re-authN for sensitive functionality / identity changes. #1179

Merged
merged 3 commits into from
Jan 10, 2025
1 change: 1 addition & 0 deletions document/1-Frontispiece/README.md
Expand Up @@ -61,6 +61,7 @@ This document is released under the [Creative Commons 4.0 License](https://creat
- Asharaf Ali
- Elie Saad
- Eoin Murphy
- Evan Read (alp1n3-eth)
- Francisco Bustos
- frozensolid
- Hsiang-Chih Hsu
Expand Up @@ -163,9 +163,15 @@ Rather than sending them a link or new password, security questions can be used

See the [Testing for Weak Security Questions](08-Testing_for_Weak_Security_Question_Answer.md) guide for further information.

### Authenticated Identity and Configuration Changes

If the application supports the ability to modify an account's primary identifier (such as an email address or phone number) that is utilized in the password change and reset functionalities the user should be forced to re-authenticate. When the primary identifier used in the password change functionality is able to be modified without re-authentication it allows the re-authentication in the password change functionality to be bypassed. Overall, anything that impacts the security of the account (email, MFA, backup settings, etc.) should require re-authentication before it can be modified.

For example: An application has a password reset flow that sends a reset link to the account's email address. The application also requires re-authentication if the password is attempted to be changed from the perspective of an authenticated user. If an attacker gains access to the account (via a stolen cookie, physical access to the computer, etc.) and changes the account's email address without needing to re-authenticate, then the password reset flow can be used to change the password, bypassing the authenticated password change flow.

### Authenticated Password Changes

Once the user has proved their identity (either through a password reset link, a recovery code, or by logging in on the application) they should be able to change their password. The key area to test are:
Once the user has proved their identity (either through a password reset link, a recovery code, or by logging in on the application) they should be able to change their password. The key areas to test are:

- When setting the password, can you specify the user ID?

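Review bot: the second sentence of the new "Authenticated Identity and Configuration Changes" section names the wrong flow: the primary identifier (email address or phone number) is what the password *reset* flow relies on, so "When the primary identifier used in the password change functionality is able to be modified without re-authentication" should read "used in the password reset functionality", which also matches the example paragraph that follows it. The first sentence needs a comma after "functionalities" before "the user should be forced to re-authenticate", and "is able to be modified" reads more cleanly as "can be modified". The section also describes the risk without giving the tester anything concrete to check, whereas the "Authenticated Password Changes" section that follows ends with a "key areas to test" list; suggest closing this section the same way with the checks the text already implies, e.g. "- Can the account's email address or phone number be changed without re-authentication?" and "- Can MFA, backup or recovery settings be modified without re-authentication?".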