Cornucopia - Ecommerce Website - AT 4
From OWASP
Revision as of 14:32, 21 January 2016 by Dariodf (Created page)
Suit: Authentication
Card/Value: 4
Description:
Sebastien can easily identify user names or can enumerate them.
Technical Note:
This attack is often the result of one or more of the following:
- User names (IDs, account names) may be guessable, published elsewhere, or are simply email addresses
- Authentication and related mechanisms may indicate whether a username is valid or not (registration, password reset/recovery, username recovery, change password, change email address)
- Missing authentication failure detection
- Missing monitoring to identify attacks against multiple user accounts, utilizing the same password
Additionally, this can result from another web or non-web application (e.g. mobile app, telephone service) that uses the same credentials having one or more of the above problems.
NB: This card relates to user names. See AT 7 for the similar password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
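As an added illustration (not part of the card or the OWASP wiki), the following Python sketches the two mitigations the technical note points at: identical responses from login and password reset whether or not the account exists, and an AppSensor AE1-style check that flags one source trying the same password across many accounts. The user store, salt, monitor key and the `OUTBOX` list are constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo data (not from the card): a tiny user store and a key for the
# monitor's fingerprints. A real system would use a proper password hash (bcrypt/Argon2).
SALT = b"constructed-salt"
MONITOR_KEY = b"constructed-monitor-key"

def _pw_hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()

USERS = {"alice@example.com": _pw_hash("correct horse battery")}
DUMMY_HASH = _pw_hash("dummy")   # compared against for unknown users so the work is the same
OUTBOX = []                       # stands in for the reset-email queue

GENERIC_LOGIN_MSG = "Invalid username or password."
GENERIC_RESET_MSG = "If an account exists for that address, a reset link has been sent."

def login(username: str, password: str) -> tuple:
    """Same message and same hashing work whether the username exists or not."""
    stored = USERS.get(username, DUMMY_HASH)
    match = hmac.compare_digest(stored, _pw_hash(password))
    if match and username in USERS:
        return True, "OK"
    return False, GENERIC_LOGIN_MSG

def password_reset_request(username: str) -> str:
    """Queue a reset only for real accounts, but answer identically either way."""
    if username in USERS:
        OUTBOX.append(username)
    return GENERIC_RESET_MSG

class FailureMonitor:
    """Flags one source trying the same password against many different accounts
    (the monitoring the card lists as commonly missing)."""
    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.attempts = defaultdict(set)  # (source, password fingerprint) -> usernames

    def record_failure(self, source: str, username: str, password: str) -> bool:
        # Keyed fingerprint groups attempts by password without storing the password.
        fp = hmac.new(MONITOR_KEY, password.encode(), "sha256").hexdigest()[:16]
        users = self.attempts[(source, fp)]
        users.add(username)
        return len(users) >= self.threshold
```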
References:

| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|
| 33 | 2.18 | AE1 | 383 | 28 |
| 53 | 2.19 | | | |