Task #11411

Support #11289: [SCP ID :##5584##] : PCI DSS: Web and Mobile SAP Remediation

Pentest_Web_CDB (L2) - Weak Password Reset

Added by Nurul Athira Abdul Rahim almost 4 years ago. Updated about 3 years ago.

Status: Closed - End of life cycle
Start date: December 01, 2020
Priority: Normal
Due date:
Assignee: Nurul Athira Abdul Rahim
% Done: 30%
Category: Pentest
Spent time: -
Target version: -

Description

During the password reset process, the application requires the user to answer their preset security question. However, the application does not validate the answer provided, which allows any user to bypass this security mechanism by submitting an invalid answer to the security question.

Given solution:

The application should validate the answer provided for the security question in the password reset function. If too many invalid answer attempts are made, consider locking the account to prevent brute force attacks.

History

#1 Updated by Najmi Pasarudin almost 4 years ago

  • Assignee changed from Najmi Pasarudin to Nurul Hasnieza Bt Mohd Zamri

#2 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from New - Begin Life Cycle to Finished Development
  • % Done changed from 0 to 80

#3 Updated by Nurul Hasnieza Bt Mohd Zamri over 3 years ago

  • Status changed from Finished Development to Internal Testing
  • Assignee changed from Nurul Hasnieza Bt Mohd Zamri to Nurul Athira Abdul Rahim

Hi Athira,
Kindly retest by inserting an incorrect security question answer in reset password to get the error message.

#4 Updated by Nurul Athira Abdul Rahim over 3 years ago

Need confirmation from JPD and JTM for the process.

#5 Updated by Nurul Athira Abdul Rahim over 3 years ago

  • Status changed from Internal Testing to Pending Customer Feedback
  • % Done changed from 80 to 30

New flow that is pending review:

1. To add validation at the "security question" screen
2. To set maximum attempts to 3 times
3. User will be locked
4. CA needs to unlock the user
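The following is an added illustration of the remediation described in this ticket (validate the security answer server-side, lock after 3 failed attempts, administrator unlock); it is example code written for this page, not the application's own code. It assumes an in-memory user store, that answers are stored as salted PBKDF2 hashes rather than plaintext, and that the "CA" role from the proposed flow is represented by the string "CA". Usernames, questions and answers are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "3 attempts" and "unlock by CA" follow the proposed flow in this ticket;
# the remaining policy values are assumptions for the example.
MAX_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Blue  Whale' and 'blue whale' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store security answers like passwords: salted PBKDF2-HMAC-SHA256, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class UserRecord:
    username: str
    question: str
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class PasswordResetService:
    """Security-question step of a password reset with server-side validation and lockout."""

    def __init__(self, users: Dict[str, UserRecord]):
        self.users = users
        self.audit: List[str] = []  # constructed in-memory audit trail

    def verify_answer(self, username: str, answer: str) -> str:
        """Return 'ok', 'denied' or 'locked'; the reset may continue only on 'ok'."""
        user = self.users.get(username)
        if user is None:
            return "denied"  # same response as a wrong answer: no username enumeration
        if user.locked:
            self.audit.append(f"{username}: reset attempt while locked")
            return "locked"
        _, candidate = hash_answer(answer, user.salt)
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(candidate, user.answer_hash):
            user.failed_attempts = 0
            self.audit.append(f"{username}: security answer verified")
            return "ok"
        user.failed_attempts += 1
        self.audit.append(f"{username}: wrong security answer ({user.failed_attempts}/{MAX_ATTEMPTS})")
        if user.failed_attempts >= MAX_ATTEMPTS:
            user.locked = True
            self.audit.append(f"{username}: locked after {MAX_ATTEMPTS} failed answers")
            return "locked"
        return "denied"

    def admin_unlock(self, actor_role: str, username: str) -> bool:
        """Only the CA role may clear a lockout; the user cannot unlock themselves."""
        if actor_role != "CA":
            return False
        user = self.users.get(username)
        if user is None:
            return False
        user.failed_attempts = 0
        user.locked = False
        self.audit.append(f"{username}: unlocked by CA")
        return True


def demo_service() -> PasswordResetService:
    """Build a service with one constructed user (sample data, not from the ticket)."""
    salt, digest = hash_answer("Blue Whale")
    return PasswordResetService({"alice": UserRecord("alice", "Favourite animal?", salt, digest)})


if __name__ == "__main__":
    svc = demo_service()
    for attempt in ("wrong", "blue whale", "x", "y", "z", "blue whale"):
        print(attempt, "->", svc.verify_answer("alice", attempt))
    print("CA unlock:", svc.admin_unlock("CA", "alice"))
    print("\n".join(svc.audit))
```

The retest described in comment #3 maps directly onto `verify_answer`: a wrong answer must yield `denied` (the error message), the third consecutive wrong answer yields `locked`, and even the correct answer is refused while the account is locked until `admin_unlock` is called with the CA role. Unknown usernames get the same `denied` response as a wrong answer so the reset form cannot be used to enumerate accounts.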

#6 Updated by Nurul Athira Abdul Rahim about 3 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle

Updated from JTM:
1st assessment pentest expired.
Pending 2nd scanning report.
