rbsec
commented
2 months ago Application allows changing email without password confirmation in authenticated session.
This is definitely a good addition - perhaps expanding the current text about requiring re-authentication when changing passwords to cover re-authenticating when changing anything that could impact on the security of the account (password, email address, MFA settings, etc)?
Is there an issue that covers App using weak Authenticator Types (Improper main authentication factor)?
I would question whether there is really a WSTG issue here, particularly in the example you give. Firstly because biometrics aren't particularly common in web applications due to the lack of browser support. But mostly because SP800-63B may say that biometrics shouldn't be be used as the sole authentication factor - but the WSTG is not designed as a methodology for how to audit an application against NIST SP800-63B.
And while NIST has many good recommendations, it also gives some rather dubious ones. For instance, SP800-63B doesn't allow the use of a hashing algorithm such as Argon2id to store passwords (although it does allow SHA-1...) - but I certainly wouldn't expect a pentester to flag a client using Argon2id as a security issue just because NIST don't like it. And equally, while relying solely on biometric authentication may not be appropriate in some environments and systems, it is perfectly fine in others.
If there are exploitable issues with the implementation of an authentication mechanism, or if that mechanism is fundamentally weak (such a short numeric PINs) or broken then those are certainly worth flagging - but the fact that a US organisation doesn't approve the use of that authentication system isn't a pentest issue (although it may be a compliance issue).
Interested to hear what @ThunderSon and @kingthorin think on this.
Bankde
What would you like added? I'm not sure how these issues can be mapped into the current wstg. I may have missed it or the current wstg does not cover it yet? I don't know. Any suggestion is appreciate.
Both of these issues are not about MFA. They're the main authentication factor and identity.
1. Is there an issue that covers App using weak Authenticator Types (Improper main authentication factor)?
For example, the app logins using username and birthday. It's very weak and may be able to map into WSTG-ATHN-04 or WSTG-ATHN-07? NIST is more coverage about the Permitted Authenticator Types. I currently could not map this issue to the wstg. Only related part I found is in 04-07 that a authentication vulnerable to brute-force is an issue. However, if the app uses Biometric as a main authenticator (which fail to comply NIST) then I could not find any wstg topic to map with. I'm not even sure if this is something others raise as an issue during a pentest process?
2. Application allows changing email without password confirmation in authenticated session.
This is related to Authenticated Password Changes that requires a user to re-authenticate before allowing them to change the password. However, when the app allows changing the Email without re-authentication and the email can be used for "password reset", the attacker can bypass the need to provide the old password by changing the email and jump to a reset password flow instead. Most applications rely on Email but I think it's actually "identity" in the broader term.
In my opinion, changing anything related to the user identity (email, name, passport id, etc.) should also require re-authentication. But I can't find anything quite like it in the checklist.
Would you like to be assigned to this issue? Check the box if you will submit a PR to add the proposed content. Please read CONTRIBUTING.md.
Not sure yet how it will come out. Willing to contribute although I'm not the English main.