237 – Ascertain human interaction

Summary

The system must guarantee that user actions are performed by a human (e.g., registration, authentication and password recovery). This can be achieved using CAPTCHA, incremental delays or mechanisms that prevent excessive crawling and indexing.

Description

There exist several attacks that have been automated or depend on a robot for their execution. Many of them focus on exploiting vulnerabilities in authentication forms. In order to hinder the effectiveness of these attacks, the system must implement mechanisms that help ensure that the entity with which it is interacting is a human being.

Supported In

Advanced: True

References

• CAPEC-49. Password brute forcing
• CWE-307. Improper restriction of excessive authentication attempts
• CWE-799. Improper control of interaction frequency
• CWE-804. Guessable CAPTCHA
• NERCCIP-007-6_R5_7. System access control
• OWASP10-A7. Identification and authentication failures
• SANS25-13. Improper authentication
• HITRUST-08_b. Physical entry controls
• IEC62443-IAC-1_1. Human user identification and authentication
• WASSEC-4_1. Web crawler configuration
• OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
• WASC-A_11. Brute force
• WASC-A_34. Predictable resource location
• WASC-W_21. Insufficient anti-automation
• ISSAF-P_4. Host security - Linux security (identify ports and services)
• ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
• ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)
• ISSAF-T_11_1. Web application assessment - Brute force attack
• ISSAF-V_9. Application security - Source code auditing (data and input validation)
• PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
• NIST800115-4_2. Network port and service identification
• ASVS-2_2_1. General authenticator security
• ASVS-5_1_2. Input validation
• CASA-2_2_1. General Authenticator Security
• CASA-5_1_2. Input Validation
• CWE25-287. Improper authentication

Weaknesses

• 252 – Automatic information enumeration - Open ports
• 253 – Automatic information enumeration - AWS
• 254 – Automatic information enumeration - Credit Cards
• 283 – Automatic information enumeration - Personal Information
• 330 – Lack of protection against brute force attacks - Credentials
• 351 – Automatic information enumeration - Corporate information
• 047 – Automatic information enumeration
• 053 – Lack of protection against brute force attacks
• 069 – Weak CAPTCHA

Last updated

2024/02/05