Determine whether the password change and reset functionality allows accounts to be compromised.
WSTG-ATHN-09: Testing for Weak Password Change or Reset Functionalities (OWASP Testing Guide)
Testing
Test “Password change” functionality
- The current password should be required. Try removing the parameter if it is present; if the change still succeeds, try CSRF and build a PoC that takes over the account.
- Verify that another user’s password cannot be brute-forced through the password change request.
- Check the password policy.
- If password complexity is enforced client-side only, report it as informational, as it is unlikely that someone would want to set a very weak password on purpose.
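The checks above describe what a sound password change handler has to do. The following is an added example written for this page (not code from the OWASP Testing Guide or from any particular application) of a handler that passes them: the current password is mandatory and an absent parameter is treated as a failure rather than a bypass, the request is tied to the session with a CSRF token, repeated wrong current passwords lock the operation so the form cannot be used as an oracle to brute-force the account, and the complexity policy is enforced on the server. The user store, session object, `MAX_FAILED_ATTEMPTS`, `MIN_LENGTH` and the short common-password list are constructed stand-ins for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed parameters for the demonstration (hypothetical application settings).
PBKDF2_ITERATIONS = 600_000      # current OWASP recommendation for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5          # consecutive wrong current passwords before lockout
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12"}  # stand-in for a real deny list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so timing does not leak how much of the digest matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    failed_changes: int = 0      # consecutive failed current-password checks


@dataclass
class Session:
    user: User
    # Per-session anti-CSRF token; the change form must echo it back.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def make_session(name: str, password: str) -> Session:
    """Helper to build a logged-in session for a constructed user."""
    salt, digest = hash_password(password)
    return Session(User(name, salt, digest))


def password_policy_errors(new_password: str) -> List[str]:
    """Server-side policy: this is the check that a client-only validator can be bypassed around."""
    errors = []
    if len(new_password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters required")
    if new_password.lower() in COMMON_PASSWORDS:
        errors.append("password is on the common-password list")
    return errors


def change_password(session: Session, form: Dict[str, str]) -> Tuple[bool, str]:
    """Handle a password change request; returns (success, message)."""
    # 1. The request must come from this session's own form (CSRF protection).
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False, "invalid CSRF token"
    user = session.user
    # 2. Lockout: the change form must not become a brute-force oracle for the current password.
    if user.failed_changes >= MAX_FAILED_ATTEMPTS:
        return False, "too many failed attempts; re-authenticate to continue"
    # 3. The current password is mandatory: a missing or empty parameter is a failure, not a skip.
    current = form.get("current_password")
    if not current or not verify_password(current, user.salt, user.digest):
        user.failed_changes += 1
        return False, "current password incorrect"
    # 4. Policy is enforced here, regardless of what the client-side validator did.
    new = form.get("new_password", "")
    errors = password_policy_errors(new)
    if errors:
        return False, "new password rejected: " + "; ".join(errors)
    if verify_password(new, user.salt, user.digest):
        return False, "new password must differ from the current one"
    # 5. Store the new credential with a fresh salt and reset the failure counter.
    user.salt, user.digest = hash_password(new)
    user.failed_changes = 0
    return True, "password changed"
```

A test of the change form usually exercises exactly the branches above: submit without `current_password`, submit with a forged or missing CSRF token, submit a policy-violating password with the client-side check disabled, and submit a series of wrong current passwords to see whether anything slows the attempt down.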
Test “Forgot Password” functionality
- The token should be unpredictable.
- The request should not carry a username (if it does, try changing it to reset another user’s password).
- Account Enumeration and Guessable User Account (WSTG-IDNT-04)
Password Reset Poisoning
💡 Password Reset Poisoning is part of Host Header Injection (WSTG-INPV-17).
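The “Forgot Password” items and the Password Reset Poisoning note describe the same flow from the tester’s side. The following is an added example written for this page (not code from the OWASP Testing Guide or from any real application) of the defender’s side of that flow: the token is 256 bits from the OS CSPRNG and only its hash is stored, the reset request never takes the target account from the request once the token is issued, the response to the request is identical whether or not the account exists (the WSTG-IDNT-04 concern), tokens expire and are single use, and the link is built from a configured origin instead of the request’s Host header. `APP_BASE_URL`, `TOKEN_TTL_SECONDS`, the in-memory store and the “outbox” that stands in for the mailer are constructed for the demonstration; `build_reset_link_from_host` is included only to show the weak pattern that Host Header Injection abuses.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# Constructed configuration: the public origin is fixed in configuration, never read from the request.
APP_BASE_URL = "https://app.example.com"   # placeholder value for the demonstration
TOKEN_TTL_SECONDS = 15 * 60


def _token_hash(token: str) -> str:
    """Only the hash is stored, so a leaked table does not yield usable reset tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def build_reset_link(token: str) -> str:
    """Safe pattern: origin comes from configuration."""
    return f"{APP_BASE_URL}/reset?{urlencode({'token': token})}"


def build_reset_link_from_host(request_host: str, token: str) -> str:
    """Weak pattern that Password Reset Poisoning depends on: origin copied from the Host header."""
    return f"https://{request_host}/reset?{urlencode({'token': token})}"


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False


class ResetStore:
    """Constructed in-memory stand-in for the application's reset-token table and mailer."""

    def __init__(self, known_users: List[str]) -> None:
        self.users = set(known_users)
        self.records: Dict[str, ResetRecord] = {}    # token hash -> record
        self.outbox: List[Tuple[str, str]] = []      # (username, link) that would be e-mailed

    def request_reset(self, username: str, now: Optional[float] = None) -> str:
        """Always returns the same message so the response does not reveal whether the account exists."""
        now = time.time() if now is None else now
        if username in self.users:
            token = secrets.token_urlsafe(32)      # 256 random bits; not a counter, timestamp or hash of the e-mail
            self.records[_token_hash(token)] = ResetRecord(username, now + TOKEN_TTL_SECONDS)
            self.outbox.append((username, build_reset_link(token)))
        return "If that account exists, a reset link has been sent."

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username whose password may now be set, or None if the token is not valid.

        The account is taken only from the stored record: the reset request itself carries no username,
        so there is nothing for a client to swap for another user's name.
        """
        now = time.time() if now is None else now
        record = self.records.get(_token_hash(token))
        if record is None or record.used or now > record.expires_at:
            return None
        # Single use: this token and every other outstanding token for the same account are retired.
        for other in self.records.values():
            if other.username == record.username:
                other.used = True
        return record.username
```

Against this design the checklist items resolve as follows: the token cannot be predicted or derived from public data, changing anything in the consume request other than the token has no effect on which account is reset, the request endpoint gives the same answer for valid and invalid usernames, and the link in the mail contains the configured origin no matter what Host value the request carried.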
Reporting (Password change)
CVSS Score v3 | 2.1 |
CVSS Vector v3 | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
English
Title | Password change does not require current password |
Description | |
Steps to reproduce | |
Remediation | |
French
Title | Current password not required when changing the password |
Description | The current password is usually required when changing a password (sensitive functionality). The application does not require the current password in order to change it. A malicious person with physical access to another person’s computer (unlocked workstation), or who manages to hijack another user’s session, can change that user’s password and take control of the account. |
Steps to reproduce | |
Remediation | It is recommended to require the current password in the password change form. The difficulty of the fix is rated “Simple”. |