From 19678ef576301a7eb5598fd6e74bc198e9ac4ca5 Mon Sep 17 00:00:00 2001 From: wstgbot <62450690+wstgbot@users.noreply.github.com> Date: Fri, 20 Dec 2024 15:50:54 +0000 Subject: [PATCH] Publish Latest 2024-12-20 Updates based on OWASP/wstg@0da9065 --- _data/latest.yaml | 4 ++-- ...licy.md => 07-Testing_for_Weak_Authentication_Methods.md} | 5 ++++- ...ting_for_Weak_Password_Change_or_Reset_Functionalities.md | 2 +- .../04-Authentication_Testing/README.md | 2 +- .../04-Authentication_Testing/index.md | 2 +- latest/README.md | 2 +- latest/index.md | 2 +- 7 files changed, 11 insertions(+), 8 deletions(-) rename latest/4-Web_Application_Security_Testing/04-Authentication_Testing/{07-Testing_for_Weak_Password_Policy.md => 07-Testing_for_Weak_Authentication_Methods.md} (81%) diff --git a/_data/latest.yaml b/_data/latest.yaml index cdf0be89..ad8cd16b 100644 --- a/_data/latest.yaml +++ b/_data/latest.yaml @@ -190,8 +190,8 @@ docs: - title: '4.4.6 Testing for Browser Cache Weaknesses' url: 4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses -- title: '4.4.7 Testing for Weak Password Policy' - url: 4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy +- title: '4.4.7 Testing for Weak Authentication Methods' + url: 4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods - title: '4.4.8 Testing for Weak Security Question Answer' url: 4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer 
diff --git a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md similarity index 81% rename from latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md rename to latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md index aa0302a2..99baaba8 100644 --- a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md +++ b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md @@ -7,7 +7,7 @@ tags: WSTG --- {% include breadcrumb.html %} -# Testing for Weak Password Policy +# Testing for Weak Authentication Methods |ID | |------------| @@ -17,6 +17,8 @@ tags: WSTG The most prevalent and most easily administered authentication mechanism is a static password. The password represents the keys to the kingdom, but is often subverted by users in the name of usability. In each of the recent high profile hacks that have revealed user credentials, it is lamented that most common passwords are still: `123456`, `password` and `qwerty`. +Additionally, applications may utilize alternative credentials that are treated the same as a password, but are considerably weaker, such as a birthdates, social security numbers, PINs, or security questions. In some scenarios, these more easily guessed credentials may act as the only user supplied value for authentication. + ## Test Objectives - Determine the resistance of the application against brute force password guessing using available password dictionaries by evaluating the length, complexity, reuse, and aging requirements of passwords. 
@@ -32,6 +34,7 @@ The most prevalent and most easily administered authentication mechanism is a st 6. Is the user prevented from using his username or other account information (such as first or last name) in the password? 7. What are the minimum and maximum password lengths that can be set, and are they appropriate for the sensitivity of the account and application? 8. Is it possible to set common passwords such as `Password1` or `123456`? +9. Is the credential chosen for the user by the application, such as a social security number or a birthdate? Is the credential that's utilized in lieu of a standard password easily obtainable, predictable, or susceptible to brute-force attacks? ## Remediation diff --git a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md index 4380c410..fcad78bf 100644 --- a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md +++ b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md @@ -190,7 +190,7 @@ Once the user has proved their identity (either through a password reset link, a - Is a strong and effective password policy applied? - The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) guide for further information. + The password policy should be consistent across the registration, password change, and password reset functionality. See the [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) guide for further information. ## References 
diff --git a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md index fe8945db..c8bca83c 100644 --- a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md +++ b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/README.md @@ -21,7 +21,7 @@ tags: WSTG 4.4.6 [Testing for Browser Cache Weaknesses](06-Testing_for_Browser_Cache_Weaknesses.md) -4.4.7 [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) +4.4.7 [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) 4.4.8 [Testing for Weak Security Question Answer](08-Testing_for_Weak_Security_Question_Answer.md) diff --git a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/index.md b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/index.md index fe8945db..c8bca83c 100644 --- a/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/index.md +++ b/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/index.md @@ -21,7 +21,7 @@ tags: WSTG 4.4.6 [Testing for Browser Cache Weaknesses](06-Testing_for_Browser_Cache_Weaknesses.md) -4.4.7 [Testing for Weak Password Policy](07-Testing_for_Weak_Password_Policy.md) +4.4.7 [Testing for Weak Authentication Methods](07-Testing_for_Weak_Authentication_Methods.md) 4.4.8 [Testing for Weak Security Question Answer](08-Testing_for_Weak_Security_Question_Answer.md) diff --git a/latest/README.md b/latest/README.md index 29b92c35..310bd57b 100644 --- a/latest/README.md +++ b/latest/README.md 
@@ -135,7 +135,7 @@ tags: WSTG #### 4.4.6 [Testing for Browser Cache Weaknesses](4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md) -#### 4.4.7 [Testing for Weak Password Policy](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md) +#### 4.4.7 [Testing for Weak Authentication Methods](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md) #### 4.4.8 [Testing for Weak Security Question Answer](4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.md) diff --git a/latest/index.md b/latest/index.md index 29b92c35..310bd57b 100644 --- a/latest/index.md +++ b/latest/index.md @@ -135,7 +135,7 @@ tags: WSTG #### 4.4.6 [Testing for Browser Cache Weaknesses](4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.md) -#### 4.4.7 [Testing for Weak Password Policy](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Password_Policy.md) +#### 4.4.7 [Testing for Weak Authentication Methods](4-Web_Application_Security_Testing/04-Authentication_Testing/07-Testing_for_Weak_Authentication_Methods.md) #### 4.4.8 [Testing for Weak Security Question Answer](4-Web_Application_Security_Testing/04-Authentication_Testing/08-Testing_for_Weak_Security_Question_Answer.md)
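Review bot: the hunk at `@@ -7,7 +7,7 @@` renames `07-Testing_for_Weak_Password_Policy.md` to `07-Testing_for_Weak_Authentication_Methods.md` and retitles the page, but nothing in the patch preserves the old slug, so any external bookmark or inbound link to the old URL will 404 once this publishes. The in-repo references (`_data/latest.yaml`, the `09-...` guide, both `README.md`/`index.md` pairs) are updated consistently here, so the remaining gap is outside the repo. Since the page already uses Jekyll includes (`{% include breadcrumb.html %}`), a front-matter redirect from the old path (for example via `redirect_from:` if the site has the jekyll-redirect-from plugin enabled, which I am assuming rather than seeing here) would close it.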
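Review bot: in the hunk at `@@ -17,6 +17,8 @@`, the new paragraph has a number-agreement slip, "such as a birthdates" should read "such as birthdates". More substantively, the Test Objectives bullet immediately below it is unchanged and still speaks only of "password dictionaries" and the "length, complexity, reuse, and aging requirements of passwords"; now that the page's scope includes PINs, birthdates, social security numbers and security questions, add an objective covering those alternative credentials (something like "Determine whether any non-password credential accepted for authentication is predictable, easily obtainable, or susceptible to guessing") so the objectives match the new title.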
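Review bot: in the hunk at `@@ -32,6 +34,7 @@`, the new item 9 folds two distinct questions into one list entry and uses the contraction "that's", which the neighbouring items avoid (compare item 6, "Is the user prevented from using his username..."). Suggest splitting it: "9. Is the credential chosen for the user by the application, such as a social security number or a birthdate?" and "10. Is any credential used in lieu of a standard password easily obtainable, predictable, or susceptible to brute-force attacks?". Also note that the hunk ends at the unchanged `## Remediation` heading and the diffstat for this file (`5 ++++-`) accounts for only the title, the new paragraph and this item, so the remediation guidance was not extended; it should at least state that application-assigned identifiers such as SSNs or birthdates must not serve as the sole authentication credential.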