365 – Authentication mechanism absence or evasion - Response tampering

Description

The OTP validation is performed according to the response of the request, an attacker can modify the response of the request to include the success message and thus continue with the flow to do the unblocking.

Impact

Skip OTP validation.

Recommendation

Set up an authentication process for every resource with business-critical functionality. Perform the pertinent validations of the critical functionalities in the back-end.

Threat

Unauthorized external attacker.

Expected Remediation Time

90 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 227 - Display access notification
• 228 - Authenticate using standard protocols
• 229 - Request access credentials
• 231 - Implement a biometric verification component
• 235 - Define credential interface
• 264 - Request authentication
• 323 - Exclude unverifiable files

Fixes

• Csharp
• Dart
• Go
• Java
• Python
• Scala
• Typescript

Last updated

2024/02/20