Ascertain human interaction
Summary
The system must guarantee that user actions are performed by a human (e.g., registration, authentication and password recovery). This can be achieved using CAPTCHA, incremental delays or mechanisms that prevent excessive crawling and indexing.
Description
There exist several attacks that have been automated or depend on a robot for their execution. Many of them focus on exploiting vulnerabilities in authentication forms. In order to hinder the effectiveness of these attacks, the system must implement mechanisms that help ensure that the entity with which it is interacting is a human being.
References
- CAPEC-49. Password brute forcing
- CWE-307. Improper restriction of excessive authentication attempts
- CWE-799. Improper control of interaction frequency
- CWE-804. Guessable CAPTCHA
- NERCCIP-007-6_R5_7. System access control
- OWASP10-A7. Identification and authentication failures
- SANS25-13. Improper authentication
- HITRUST-08_b. Physical entry controls
- IEC62443-IAC-1_1. Human user identification and authentication
- WASSEC-4_1. Web crawler configuration
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- WASC-A_11. Brute force
- WASC-A_34. Predictable resource location
- WASC-W_21. Insufficient anti-automation
- ISSAF-P_4. Host security - Linux security (identify ports and services)
- ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
- ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)
- ISSAF-T_11_1. Web application assessment - Brute force attack
- ISSAF-V_9. Application security - Source code auditing (data and input validation)
- PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
- NIST800115-4_2. Network port and service identification
- ASVS-2_2_1. General authenticator security
- ASVS-5_1_2. Input validation
- CASA-2_2_1. General Authenticator Security
- CASA-5_1_2. Input Validation
- CWE25-287. Improper authentication
Weaknesses
- 047. Automatic information enumeration
- 053. Lack of protection against brute force attacks
- 069. Weak CAPTCHA
- 252. Automatic information enumeration - Open ports
- 253. Automatic information enumeration - AWS
- 254. Automatic information enumeration - Credit Cards
- 283. Automatic information enumeration - Personal Information
- 330. Lack of protection against brute force attacks - Credentials
- 351. Automatic information enumeration - Corporate information
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan