WebApp Sec mailing list archives

Re: Web Application Vulnerability Categorization
From: Dave Ferguson <gmdavef () gmail com>
Date: Wed, 2 Apr 2014 15:38:09 -0500

In terms of OWASP Top Ten, yes - I would categorize it under Broken
Auth & Session Management.

Also, check out the OWASP cheat sheet on this topic for helpful
remediation advice.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Dave
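As an added illustration of the remediation the cheat sheet points to (example code, not from this list, from Dave, or from OWASP), here is the unlimited-guess secret-answer check m0nk describes beside an attempt-limited version that issues a one-time reset token instead of handing back the password. The attempt limit, the token issuance and the storage layout are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed policy value, not from the thread


@dataclass
class RecoveryRecord:
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise ("Fluffy " == "fluffy") and hash like a password, since the
    # answer is effectively a second credential.
    normalised = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000)


def enrol_answer(answer: str) -> RecoveryRecord:
    salt = secrets.token_bytes(16)
    return RecoveryRecord(salt=salt, answer_hash=_hash_answer(answer, salt))


def weak_check(record: RecoveryRecord, answer: str) -> bool:
    """The pattern in the question: no counter, so every guess is accepted."""
    return _hash_answer(answer, record.salt) == record.answer_hash


def hardened_check(record: RecoveryRecord, answer: str):
    """Returns (status, reset_token). status is 'ok', 'wrong' or 'locked'.

    Failures are counted per account and the check refuses once the limit is
    reached. On success a short-lived reset token is issued rather than the
    password itself, which the caller would deliver out of band.
    """
    if record.failed_attempts >= MAX_ATTEMPTS:
        return "locked", None
    if hmac.compare_digest(_hash_answer(answer, record.salt), record.answer_hash):
        record.failed_attempts = 0
        return "ok", secrets.token_urlsafe(32)
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_ATTEMPTS:
        return "locked", None
    return "wrong", None
```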

On Tue, Apr 1, 2014 at 1:27 PM, Seth Art <sethsec () gmail com> wrote:
m0nk,

This CWE fits pretty closely: CWE-640: Weak Password Recovery
Mechanism for Forgotten Password -
http://cwe.mitre.org/data/definitions/640.html

-Seth


On Mon, Mar 31, 2014 at 10:09 PM, m () d m0nk <th3madm0nk () gmail com> wrote:

Hello Team,

Greetings!

I have a web app with a password recovery option. There is a secret
question and if the user enters the correct answer to the secret
question, the username and password are provided to the user.

If the password recovery page / module allows multiple tries
(brute-force and no CAPTCHA or similar mechanism), can we categorize
this vulnerability under "Broken Authentication and Session
Management" or does this fall under any other Vulnerability Category /
OWASP Top 10?

Thanks in advance.

ch33rs,

--

__| madm0nk |__
th3 sib3rian m0nk
--------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------