
Test Permissions of Guest/Training Accounts (OTG-IDENT-006)

From OWASP
Revision as of 14:35, 5 November 2013 by Andrew Muller (talk | contribs) (Created page with "== Summary == Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required fo...")


Summary

Guest and training accounts are a useful way to acquaint potential users with system functionality before they complete the authorisation process required for full access. Because such accounts are issued before the user has been vetted, any permission they carry is effectively available to anyone. In practice they are often cloned from existing business roles and so may be provisioned with access to more functionality than the guest or trainee actually needs.

Test objectives

Evaluate whether the permissions actually granted to guest/training accounts are consistent with the documented access policy for those accounts.


How to test

Example

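The following is an added example, not OWASP's own tooling: a small Python script that walks every application endpoint as the guest account, records whether each request was let through, and reports any endpoint the guest can reach that the access policy does not grant to the guest role (and any it should reach but cannot). The policy matrix, endpoint list and the in-memory fake application it probes are all constructed for illustration; on a live engagement the `fake_fetch` function is replaced by a real HTTP session logged in as the guest or training account.

```python
"""Compare what a guest/training account can actually reach with the documented
access policy.  Added example for OTG-IDENT-006, not OWASP code.  The policy
matrix, endpoints and fake application below are constructed for illustration."""

from typing import Callable, Dict, List, Tuple

# Constructed access policy: role -> set of endpoints that role may use.
# On a real test this comes from the application's access policy document.
POLICY: Dict[str, set] = {
    "guest": {"/", "/catalog", "/demo/report"},
    "employee": {"/", "/catalog", "/demo/report", "/orders", "/orders/export"},
    "admin": {"/", "/catalog", "/demo/report", "/orders", "/orders/export",
              "/admin/users"},
}

# Everything any role may reach; the guest is probed against all of it.
ENDPOINTS: List[str] = sorted(POLICY["admin"])


def is_accessible(status: int, location: str = "") -> bool:
    """Classify a response: 2xx is access granted, 401/403 is denied, a redirect
    to the login page is denied, any other redirect counts as granted."""
    if 200 <= status < 300:
        return True
    if status in (401, 403):
        return False
    if 300 <= status < 400:
        return "login" not in location
    return False


def probe(fetch: Callable[[str, str], Tuple[int, str]], account: str,
          endpoints: List[str]) -> Dict[str, bool]:
    """Request every endpoint as `account` via fetch(account, path), which must
    return (status_code, location_header).  Swap `fetch` for a real HTTP client
    holding the guest session when testing a live target."""
    return {path: is_accessible(*fetch(account, path)) for path in endpoints}


def policy_violations(role: str, observed: Dict[str, bool]) -> Dict[str, List[str]]:
    """Diff observed access against the policy for `role`.
    'extra' = reachable but not granted (the finding this test is after),
    'missing' = granted by policy but denied (a functional defect worth noting)."""
    allowed = POLICY[role]
    extra = sorted(p for p, ok in observed.items() if ok and p not in allowed)
    missing = sorted(p for p, ok in observed.items() if not ok and p in allowed)
    return {"extra": extra, "missing": missing}


# --- Constructed fake application standing in for a live target --------------
# The "guest" account was cloned from the employee role during provisioning, so
# it can reach order data it should not see (the scenario described in Summary).
# "trainee" was provisioned correctly.  Unknown accounts are bounced to login.
_EFFECTIVE_ROLE = {"guest": "employee", "trainee": "guest", "alice": "admin"}


def fake_fetch(account: str, path: str) -> Tuple[int, str]:
    """Hypothetical stand-in for an HTTP request made with `account`'s session."""
    if account not in _EFFECTIVE_ROLE:
        return 302, "/login"
    if path in POLICY[_EFFECTIVE_ROLE[account]]:
        return 200, ""
    return 403, ""


def audit(account: str, expected_role: str,
          fetch: Callable[[str, str], Tuple[int, str]] = fake_fetch) -> Dict[str, List[str]]:
    """Probe `account` and report where its real permissions diverge from the
    policy entry for `expected_role`."""
    return policy_violations(expected_role, probe(fetch, account, ENDPOINTS))


if __name__ == "__main__":
    for account, role in (("guest", "guest"), ("trainee", "guest")):
        print(account, audit(account, role))
```

The check to run on a real target is the `extra` list: any endpoint there is functionality exposed to an unvetted user and should be raised as a finding, with the request and response captured as evidence. Do not rely on the presence or absence of a menu link in the UI; request the endpoints directly, since an over-provisioned role is usually enforced (or not) server-side regardless of what the guest front end shows.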

Tools

References

Remediation

Ensure guest and training accounts are provisioned with their own minimal role that grants only the functionality needed for the demonstration or training purpose, rather than being cloned from a business role. Re-check their effective permissions against the access policy whenever the policy or the role definitions change.

Ensure default system accounts and test accounts are deleted prior to releasing the system into production (or exposing it to an untrusted network).