CAPEC-50: Password Recovery Exploitation

Abstraction: Standard | Status: Draft | Typical Severity: High | Likelihood of Attack: Medium

CAPEC Version: 3.9

Last Updated: 2023-01-24

Description

An attacker may take advantage of the application feature that helps users recover their forgotten passwords in order to gain access to the system with the same privileges as the original user. Password recovery schemes generally tend to be weak and insecure.

Execution Flow

Step 1: Explore

Understand the password recovery mechanism and how it works.

Step 2: Exploit

Find a weakness in the password recovery mechanism and exploit it. For instance, the mechanism may rely on a single, standard security question with an easy-to-determine answer.

Prerequisites

  • The system allows users to recover their passwords and gain access back into the system.
  • The password recovery mechanism has been designed or implemented insecurely.
  • The password recovery mechanism relies only on something the user knows and not on something the user has.
  • No third party intervention is required to use the password recovery mechanism.

Skills Required

Low: Brute force attack.
Medium: Social engineering and more sophisticated technical attacks.

Resources Required

  • For a brute force attack, a machine with sufficient CPU, RAM and disk.

Consequences

Scope: Confidentiality, Access Control, Authorization

Technical Impact: Gain Privileges

Mitigations

Use multiple security questions (e.g. enroll three and require the user to answer two of them correctly). Let the user select their own security questions, or offer them a choice of questions that are not generic.

E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.

Ensure that your password recovery functionality is not vulnerable to an injection-style attack.

Example Instances

An attacker clicks "forgot password" and is presented with a single security question asking for the name of the user's first dog. The system does not limit the number of attempts at providing the dog's name. The attacker works through a list of the 100 most popular dog names and finds the right one, thereby gaining the ability to reset the password and access the system.

See also: CVE-2006-3013
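One way to apply the mitigations above against exactly this scenario, as an added example that is not part of the CAPEC entry: answers to three user-chosen questions are stored salted and hashed, two of them must match, and recovery locks after a fixed number of failures, so a 100-name wordlist is cut off after a handful of guesses. The policy values, question texts and `RecoveryRecord` structure are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical policy for this example: 3 enrolled questions, 2 must be
# answered correctly, and recovery locks after 5 failed attempts.
REQUIRED_CORRECT = 2
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 20_000  # low for the demo; use a much higher work factor in production

def _normalize(answer: str) -> str:
    # Tolerate case and stray whitespace only; nothing else is forgiven.
    return " ".join(answer.strip().lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored salted and hashed, like passwords, never in clear.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)

@dataclass
class RecoveryRecord:
    questions: dict = field(default_factory=dict)  # question -> (salt, digest)
    failed_attempts: int = 0
    locked: bool = False

def enroll(qa: dict) -> RecoveryRecord:
    # Enroll the user's own (non-generic) questions with their answers.
    rec = RecoveryRecord()
    for question, answer in qa.items():
        salt = secrets.token_bytes(16)
        rec.questions[question] = (salt, hash_answer(answer, salt))
    return rec

def verify_recovery(rec: RecoveryRecord, submitted: dict) -> bool:
    # Succeeds only when REQUIRED_CORRECT questions are answered right; every
    # failure counts toward the lockout, and a locked record always fails.
    if rec.locked:
        return False
    correct = sum(
        1 for q, (salt, digest) in rec.questions.items()
        if q in submitted and hmac.compare_digest(hash_answer(submitted[q], salt), digest)
    )
    if correct >= REQUIRED_CORRECT:
        rec.failed_attempts = 0
        return True
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_ATTEMPTS:
        rec.locked = True  # further recovery must go through an out-of-band channel
    return False
```

Once `locked` is set, the only path back is the out-of-band reset the Mitigations section describes (a temporary password sent to the registered e-mail address), not more online guessing.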

Key Information

CAPEC ID: CAPEC-50

Abstraction: Standard

Status: Draft

Typical Severity: High

Likelihood of Attack: Medium
