| Name | Likelihood of attack | Typical severity |
| --- | --- | --- |
| Password Recovery Exploitation | Medium | High |
Summary

An attacker may take advantage of the application feature that helps users recover their forgotten passwords in order to gain access to the system with the same privileges as the original user. Password recovery schemes are often weak and insecure.
Prerequisites

The system allows users to recover their passwords and regain access to the system. The password recovery mechanism has been designed or implemented insecurely. The password recovery mechanism relies only on something the user knows and not on something the user has. No third-party intervention is required to use the password recovery mechanism.
Execution Flow

| Step | Phase | Description | Techniques |
| --- | --- | --- | --- |
| 1 | Explore | Understand the password recovery mechanism and how it works. | |
| 2 | Exploit | Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy-to-determine answer. | |
Solutions

- Use multiple security questions (e.g. have three and make the user answer two of them correctly).
- Let the user select their own security questions, or provide them with choices of questions that are not generic.
- E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.
- Ensure that your password recovery functionality is not vulnerable to an injection-style attack.
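The first and third solutions above, as an added example that is not part of the CAPEC entry: a recovery secret that is single-use, time-limited and bound to one account (the plaintext goes only to the address already on file, so recovery also depends on something the user has), next to a two-of-three security-question check that hashes normalised answers with a slow salted KDF. The in-memory `store` dict, the 15-minute TTL and the PBKDF2 iteration count are assumptions; the caller passes the current time in.

```python
"""Recovery helpers (constructed example): a single-use, expiring secret sent
to the registered e-mail (something the user *has*) and a 2-of-3 question check."""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


def _digest(value: str) -> str:
    # Store only a hash: a leaked store must not yield a usable secret.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def issue_reset_secret(store: dict, user_id: str, now: float) -> str:
    """Create a fresh recovery secret for user_id, recording only its hash.
    The returned plaintext is what the application mails to the address
    already on file; the requester never supplies the destination."""
    secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[user_id] = {"hash": _digest(secret),
                      "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return secret


def redeem_reset_secret(store: dict, user_id: str, presented: str, now: float) -> bool:
    """True exactly once, only for the unexpired secret bound to user_id."""
    record = store.get(user_id)
    if record is None or record["used"] or now > record["expires"]:
        return False
    # Constant-time comparison so response timing leaks nothing about the secret.
    if not hmac.compare_digest(record["hash"], _digest(presented)):
        return False
    record["used"] = True  # single use: replaying the same link is rejected
    return True


def _kdf(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy: normalise, then use a slow salted KDF.
    normalised = " ".join(answer.casefold().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode("utf-8"), salt, 50_000)


def enrol_answers(answers: dict, salt: bytes) -> dict:
    """Hash answers at enrolment: {question: kdf_output}."""
    return {q: _kdf(a, salt) for q, a in answers.items()}


def answers_match(enrolled: dict, given: dict, salt: bytes, required: int = 2) -> bool:
    """Accept only when at least `required` enrolled questions are answered
    correctly; one guessable question is never enough on its own."""
    correct = sum(1 for q, a in given.items() if q in enrolled
                  and hmac.compare_digest(enrolled[q], _kdf(a, salt)))
    return correct >= required
```

A wrong guess, a replay of a redeemed secret, a secret presented for a different account, and an expired secret are all rejected; the same secret is never accepted twice.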
Related Weaknesses

| CWE ID | Description |
| --- | --- |
| CWE-522 | Insufficiently Protected Credentials |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
Related CAPECs

| CAPEC ID | Description |
| --- | --- |
| CAPEC-151 | Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal or use stolen / spoofed authentication credentials. |
| CAPEC-212 | An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enable the adversary to gain access to unauthorized, sensitive data. |
| CAPEC-560 | An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service. |
| CAPEC-561 | An adversary guesses or obtains (i.e., steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. |
| CAPEC-600 | An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services. |
| CAPEC-653 | An adversary guesses or obtains (i.e., steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any operating system. |