WebApp Sec mailing list archives
Re: Web Application Vulnerability Categorization
From: Seth Art <sethsec () gmail com>
Date: Tue, 1 Apr 2014 14:27:02 -0400
m0nk,

This CWE fits pretty closely:

CWE-640: Weak Password Recovery Mechanism for Forgotten Password - http://cwe.mitre.org/data/definitions/640.html

-Seth

On Tue, Apr 1, 2014 at 2:24 PM, Seth Art <sethsec () gmail com> wrote:
> m0nk,
>
> This CWE fits pretty closely:
>
> CWE-640: Weak Password Recovery Mechanism for Forgotten Password - http://cwe.mitre.org/data/definitions/640.html
>
> -Seth
>
> On Mon, Mar 31, 2014 at 10:09 PM, m@d m0nk <th3madm0nk () gmail com> wrote:
>> Hello Team,
>>
>> Greetings!!
>>
>> I have a web app with a password recovery option. There is a secret question, and if the user enters the correct answer to the secret question, the username and password are provided to the user.
>>
>> If the password recovery page / module allows multiple tries (brute force, and no CAPTCHA or similar mechanism), can we categorize this vulnerability under "Broken Authentication and Session Management", or does this fall under any other Vulnerability Category / OWASP Top 10?
>>
>> Thanks in advance.
>>
>> ch33rs,
>> --
>> __| madm0nk |__
>> th3 sib3rian m0nk
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
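The recovery flow the question describes, as an added example that is not code from the list thread or from any product discussed in it. The first class reproduces the weak shape (unlimited tries on a low-entropy secret answer, and the stored password handed back on success); the second counts failures, locks recovery for a cooling-off period, compares in constant time, and returns a single-use reset token instead of the password, since a page that can return the password implies the password is stored recoverably. Every name and value here (the accounts dict, the answer "Purple", MAX_ATTEMPTS, LOCKOUT_SECONDS, the GUESSES wordlist, the FakeClock used to step past the lockout) is constructed for illustration and is not from the original page.

```python
"""Secret-question password recovery: brute-forceable form beside a
rate-limited one.  Added example; all names and values are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed attacker wordlist: secret-question answers are low entropy,
# so a handful of common words is a realistic guess set.
GUESSES = ["red", "blue", "green", "black", "white", "yellow", "purple", "orange"]

MAX_ATTEMPTS = 5             # failures allowed before recovery is locked (assumed)
LOCKOUT_SECONDS = 15 * 60    # how long recovery stays locked (assumed)
TOKEN_TTL_SECONDS = 10 * 60  # lifetime of an issued reset token (assumed)
PBKDF2_ROUNDS = 10_000       # kept low so the demo is quick; production would
                             # use a memory-hard KDF such as argon2 or scrypt


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalize case and whitespace, then derive a salted hash of the answer."""
    normalized = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def make_account(username: str, answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_answer(answer, salt))


class RecoveryVulnerable:
    """Unlimited tries; a correct answer returns the stored password."""

    def __init__(self, accounts: dict, passwords: dict):
        self.accounts = accounts
        self.passwords = passwords  # recoverable passwords: the design in the question

    def recover(self, username: str, answer: str):
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if hash_answer(answer, acct.salt) == acct.answer_hash:
            return self.passwords[username]  # discloses the real password
        return None


class RecoveryHardened:
    """Counts failures, locks the account, issues a single-use reset token."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock                  # injectable so the lockout can be tested
        self.reset_tokens = {}              # token -> (username, expiry)
        self._dummy_salt = secrets.token_bytes(16)

    def recover(self, username: str, answer: str):
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_answer(answer, self._dummy_salt)  # same work: no username oracle by timing
            return None
        if now < acct.locked_until:
            return None                     # locked: the answer is not even evaluated
        if hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
            acct.failed_attempts = 0
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = (username, now + TOKEN_TTL_SECONDS)
            return token                    # delivered out of band, never the password
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return None

    def consume_token(self, token: str):
        """Redeem a reset token exactly once; returns the username or None."""
        entry = self.reset_tokens.pop(token, None)
        if entry is None:
            return None
        username, expiry = entry
        return username if self.clock() <= expiry else None


class FakeClock:
    """Callable clock whose time is advanced by hand (test aid)."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


def brute_force(service, username: str, guesses):
    """Submit each guess in turn; return (first non-None result, attempts made)."""
    for attempt, guess in enumerate(guesses, start=1):
        result = service.recover(username, guess)
        if result is not None:
            return result, attempt
    return None, len(guesses)


if __name__ == "__main__":
    vuln = RecoveryVulnerable({"alice": make_account("alice", "Purple")}, {"alice": "hunter2"})
    print("vulnerable:", brute_force(vuln, "alice", GUESSES))
    clock = FakeClock(1_000.0)
    hard = RecoveryHardened({"alice": make_account("alice", "Purple")}, clock=clock)
    print("hardened:", brute_force(hard, "alice", GUESSES))
    clock.now += LOCKOUT_SECONDS + 1
    print("correct answer after lockout returns a token:", hard.recover("alice", "purple") is not None)
```

Against the weak form the eight-word list recovers the password on the seventh request; against the hardened form the same list is exhausted without a result because the fifth failure locks recovery, and even the correct answer is refused until the lockout expires. A per-account lockout like this is the check the question is asking about; in practice it is paired with a per-IP rate limit, since an attacker who can lock accounts at will has a denial-of-service lever.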
Current thread:
- Web Application Vulnerability Categorization m@d m0nk (Mar 31)
- Message not available
- Re: Web Application Vulnerability Categorization Seth Art (Apr 02)
- Re: Web Application Vulnerability Categorization Dave Ferguson (Apr 02)
- Re: Web Application Vulnerability Categorization Seth Art (Apr 02)
- Message not available
- Message not available
- Re: Web Application Vulnerability Categorization m@d m0nk (Apr 02)