Magnolia Public User Registration
MGNLPUR-168

PUR is not OWASP compliant because it's informing about the status of an account.


Details

    • Bug
    • Resolution: Outdated
    • Major
    • None
    • 2.5.2
    • registration
    • None

    Description

      We are integrating the PUR module in a "simple" website with a registration form.
      During the integration and test round of the registration process we found some security-related results.

      PasswordProcessor#internalProcess() is returning "user not exist" when the user does not exist.
      TokenPasswordProcessor#internalProcess() is returning information like "user not exist".

      According to the OWASP Cheat Sheet: https://www.owasp.org/index.php/Authentication_Cheat_Sheet:
      Authentication and Error Messages
      Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.

      Authentication Responses
      An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.

      A better response message will be something like: "Incorrect username or password"
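The following is an added, self-contained illustration of the report above; it is not code from the Magnolia PUR module and does not use its API. The in-memory user store, the two password handlers, the reset handler and the oracle function are hypothetical stand-ins for what a PasswordProcessor-style step returns to the form. It shows the enumeration check a tester runs (compare the HTTP status and message for a surely-absent username against each candidate) against a handler that answers per failure reason, and then against one that answers generically on every failure path:

```python
"""Account enumeration through password-processing responses, and the fix.

Added example, not Magnolia code: every name below is a hypothetical stand-in.
"""
import hashlib
import hmac

ITERATIONS = 20_000  # lowered for the demo; use a production work factor in real code


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample store: username -> salt, password hash, enabled flag.
_SALT = b"constructed-static-salt"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "enabled": True},
    "bob": {"salt": _SALT, "hash": _hash("battery staple", _SALT), "enabled": False},
}
# Compared against when the username is unknown, so that path costs the same
# as a wrong password instead of returning early.
_DUMMY_HASH = _hash("dummy", _SALT)

GENERIC_MESSAGE = "Incorrect username or password"


def leaky_process(username: str, password: str) -> tuple[int, str]:
    """What the report describes: a distinct status and message per failure
    reason, so the response reveals whether the account exists and its state."""
    user = USERS.get(username)
    if user is None:
        return 400, "user not exist"
    if not user["enabled"]:
        return 403, "account disabled"
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return 401, "wrong password"
    return 200, "ok"


def generic_process(username: str, password: str) -> tuple[int, str]:
    """Hardened: unknown user, disabled account and wrong password all yield
    the same status and message, and the hash is computed on every path so
    the timing does not distinguish them either."""
    user = USERS.get(username)
    salt = user["salt"] if user is not None else _SALT
    expected = user["hash"] if user is not None else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if user is None or not user["enabled"] or not password_ok:
        return 200, GENERIC_MESSAGE
    return 200, "ok"


def generic_reset_request(username: str) -> tuple[int, str]:
    """Token-based reset (the TokenPasswordProcessor case): acknowledge the
    request identically whether or not the account exists. The token goes only
    to the address on file, never into the HTTP response."""
    user = USERS.get(username)
    if user is not None and user["enabled"]:
        pass  # a real implementation issues and e-mails the token here
    return 200, "If an account exists for that username, a reset link has been sent."


def enumeration_oracle(handler, candidates, probe_password="definitely-wrong"):
    """Pentest check: send one bogus password as a surely-absent username to
    get a baseline, then as each candidate; any candidate whose (status,
    message) differs from the baseline is inferred to exist or to be in a
    special state. An empty result means the handler gives nothing away."""
    baseline = handler("zz-no-such-user-zz", probe_password)
    return sorted(name for name in candidates if handler(name, probe_password) != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky   :", enumeration_oracle(leaky_process, names))    # ['alice', 'bob']
    print("generic :", enumeration_oracle(generic_process, names))  # []
```

Against a live form the same check is done over HTTP, comparing status code, headers, body and response time for the absent-user baseline versus each candidate; a difference in any of those is the oracle the OWASP text warns about.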


People

  Assignee: Unassigned
  Reporter: Jordie Diepeveen (jdiepeveen)
  AdminX
  Votes: 0
  Watchers: 2
