This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Cornucopia - Ecommerce Website - AT 4"
From OWASP
(Created page with "{{DISPLAYTITLE:<span style="padding:2px 5px 0px 5px;color:white;background:#73abcc;">Cornucopia - Ecommerce Website - AT 4</span>}} File:Cornucopia_-_Ecommerce_Website_AT_4....") |
|||
| Line 49: | Line 49: | ||
</tr> | </tr> | ||
</table> | </table> | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
<div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_5|Next Card »]] </div> | <div style="padding:5px;background:LightGray;color:White;font-weight:bold;">[[Cornucopia_-_Ecommerce_Website_-_AT_3|« Previous Card]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT|Authentication]] <span style="padding-left:10px;padding-right:10px;">|</span> [[Cornucopia_-_Ecommerce_Website_-_AT_5|Next Card »]] </div> | ||
Latest revision as of 15:58, 21 January 2016
Suit: Authentication
Card/Value: 4
Description:
Sebastien can easily identify user names or can enumerate them.
Technical Note:
This attack is often the result of one or more of the following:
- User names (IDs, account names) may be guessable, published elsewhere, or are simply email addresses
- Authentication and related mechanisms may indicate whether a username is valid or not (registration, password reset/recovery, username recovery, change password, change email address)
- Missing authentication failure detection
- Missing monitoring to identify attacks against multiple user accounts, utilizing the same password
Additionally another web or non-web application (e.g. mobile app, telephone service) that utilises the same credentials has one or more of the above problems.
NB: This card relates to user names. See AT 7 for the similar password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
References:
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 33 | 2.18 | AE1 | 383 | 28 |
| 53 | 2.19 |
