
Cornucopia - Ecommerce Website - AT 4

From OWASP
Revision as of 14:32, 21 January 2016 by Dariodf (page created)


Suit: Authentication

Card/Value: 4

Description:

Sebastien can easily identify user names or can enumerate them.

Technical Note:

This attack is often the result of one or more of the following:

  • User names (IDs, account names) may be guessable, published elsewhere, or may simply be email addresses
  • Authentication and related mechanisms may indicate whether a username is valid or not, through different messages, response codes or response times (registration, password reset/recovery, username recovery, change password, change email address)
  • Missing detection of authentication failures
  • Missing monitoring to identify attacks that try the same password against many different user accounts (password spraying)

Additionally, another web or non-web application (e.g. a mobile app or telephone service) that uses the same credentials may have one or more of the above problems, so the user names can be enumerated there instead.

NB: This card relates to user names. See AT 7 for the similar password cracking (brute forcing, dictionary attacks, guessing, credential stuffing, credential cracking).
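The following is an added example, not code from OWASP Cornucopia or from any project: it puts a login and a password-reset handler that leak whether a user name exists next to hardened versions that return one message and do the same amount of work either way, and it adds an AppSensor AE1-style ("use of multiple usernames") detector that flags a source whose failed logins span many different user names. The user store, the dummy credential and the event log are constructed for illustration and are assumptions of the example.

```python
"""Username enumeration (Cornucopia AT 4): leaky login and password-reset flows
beside hardened versions, plus an AppSensor AE1-style detector.
Example code added to this page; not from OWASP Cornucopia. The user store,
dummy credential and event log below are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept low only to keep the example fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store (assumption): username -> (salt, password hash).
_SALT = b"\x01" * 16
USERS = {
    "alice": (_SALT, _hash("correct horse battery staple", _SALT)),
    "bob": (_SALT, _hash("hunter2", _SALT)),
}
# Dummy credential used for unknown users so the hash is always computed: this removes
# the "user not found" fast path whose shorter response time would reveal valid names.
_DUMMY = (_SALT, _hash(os.urandom(16).hex(), _SALT))


def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable: distinct messages and an early return reveal which names exist."""
    if username not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Wrong password"
    return True, "ok"


def uniform_login(username: str, password: str) -> tuple[bool, str]:
    """Hardened: one message, and the same work whether or not the name exists."""
    salt, stored = USERS.get(username, _DUMMY)
    # The comparison always runs; the membership check is only evaluated afterwards.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return (True, "ok") if ok else (False, "Invalid username or password")


def leaky_reset(username: str) -> str:
    """Vulnerable: the response text depends on whether the account exists."""
    if username not in USERS:
        return "No account with that username"
    return "Password reset email sent"


def uniform_reset(username: str, outbox: list[str]) -> str:
    """Hardened: the caller always sees the same text; the e-mail goes out of band
    (outbox stands in for a mail queue and is an assumption of the example)."""
    if username in USERS:
        outbox.append(f"reset link for {username}")
    return "If an account with that name exists, a password reset e-mail has been sent"


# Constructed authentication log (assumption): (source, username, success).
EVENTS = [
    ("10.0.0.5", "alice", False), ("10.0.0.5", "bob", False),
    ("10.0.0.5", "carol", False), ("10.0.0.5", "dave", False),
    ("10.0.0.5", "erin", False), ("10.0.0.5", "frank", False),
    ("10.0.0.9", "alice", False), ("10.0.0.9", "alice", True),
]


def detect_enumeration(events, max_distinct_names: int = 5) -> dict[str, int]:
    """AppSensor AE1 ("use of multiple usernames"): flag sources whose failed logins
    span more than max_distinct_names different names. Returns {source: names tried}."""
    names: dict[str, set[str]] = defaultdict(set)
    for source, username, success in events:
        if not success:
            names[source].add(username)
    return {src: len(n) for src, n in names.items() if len(n) > max_distinct_names}


if __name__ == "__main__":
    print(leaky_login("zed", "x"), uniform_login("zed", "x"))
    print(detect_enumeration(EVENTS))
```

Run on the constructed log, the detector flags 10.0.0.5 (six distinct names, all failures) and not 10.0.0.9, which failed once against a single name and then succeeded. The same distinct-name counter applied to the reset, registration and username-recovery endpoints gives the per-endpoint monitoring the technical note asks for.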

References:

  OWASP SCP:        33, 53
  OWASP ASVS:       2.18, 2.19
  OWASP AppSensor:  AE1
  CAPEC:            383
  SAFECODE:         28