Cornucopia - Ecommerce Website - AT 5
Javier can use default, test or easily guessable credentials to authenticate, or can use an old account or an account not necessary for the application.
No default (e.g. vendor), old, or test accounts should exist. Each user should have their own individual account, and accounts should be issued, and remain active, only for those people or systems that have been granted access because their job or role requires it. Put automatic time limits on temporary accounts. Review accounts periodically to check whether any need to be de-activated or deleted. Use strong passwords or passphrases and/or implement multi-factor authentication, especially for accounts with more privileged access.
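The periodic account review this card calls for can be automated. The following is an added example, not part of the Cornucopia card or any OWASP project code; it assumes the application exports account records as dictionaries and that default or test accounts use the naming stems listed, and it flags default/test names, expired temporary accounts, dormant accounts, and privileged accounts without MFA.

```python
# Periodic account-review check for this card's controls (added example;
# all account records are constructed sample data, not real users).
from datetime import datetime, timedelta

# Assumed naming stems for default, vendor or test accounts in this app.
DEFAULT_NAME_STEMS = ("admin", "test", "guest", "vendor", "demo")
MAX_IDLE_DAYS = 90  # assumed threshold for flagging a dormant account


def review_account(acct: dict, now: datetime) -> list[str]:
    """Return the findings for one account; an empty list means clean."""
    findings = []
    name = acct["username"].lower()
    if any(name.startswith(stem) for stem in DEFAULT_NAME_STEMS):
        findings.append("default-or-test-name")
    expires = acct.get("expires_at")          # set only on temporary accounts
    if expires is not None and expires <= now:
        findings.append("temporary-account-expired")
    last_login = acct.get("last_login")       # None = never used
    if last_login is None or now - last_login > timedelta(days=MAX_IDLE_DAYS):
        findings.append("dormant")
    if acct.get("privileged") and not acct.get("mfa_enrolled"):
        findings.append("privileged-without-mfa")
    return findings


def review_accounts(accounts: list[dict], now: datetime) -> dict[str, list[str]]:
    """Map each username to its findings, leaving out clean accounts."""
    return {a["username"]: f for a in accounts if (f := review_account(a, now))}


NOW = datetime(2024, 6, 1)  # constructed review date
SAMPLE_ACCOUNTS = [  # constructed records
    {"username": "jsmith", "last_login": NOW - timedelta(days=3),
     "privileged": False, "mfa_enrolled": False},
    {"username": "admin", "last_login": NOW - timedelta(days=1),
     "privileged": True, "mfa_enrolled": False},
    {"username": "contractor7", "last_login": NOW - timedelta(days=120),
     "expires_at": NOW - timedelta(days=30), "privileged": False,
     "mfa_enrolled": True},
    {"username": "svc-backup", "last_login": None,
     "privileged": True, "mfa_enrolled": True},
]

if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{user}: {', '.join(issues)}")
```

Each finding maps to one sentence of the card, so the output doubles as a checklist for the reviewer deciding which accounts to disable or delete.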
| OWASP SCP | OWASP ASVS | OWASP AppSensor | CAPEC | SAFECODE |
|---|---|---|---|---|