Issue 2551156: Make password reset method less useful for account guessing

classification

Title:	Make password reset method less useful for account guessing
Type:	security	Severity:	normal
Components:		Versions:

process

Status:	new	Resolution:
Dependencies		Superseder:
Assigned To:		Nosy List:	rouilj
Priority:	normal	Keywords:

Created on 2021-08-24 01:00 by rouilj, last changed 2021-08-24 01:00 by rouilj.

Messages
msg7332	Author: [hidden] (rouilj)	Date: 2021-08-24 01:00
Per: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_She et.html These changes apply to Change roundup/cgi/actions.py: PassResetAction::handle(). we should: * Return a consistent message for both existent and non-existent accounts. currently it reports no email address or user is matched. * Ensure that responses return in a consistent amount of time to prevent an attacker enumerating which accounts exist. This could be achieved by using asynchronous calls or by making sure that the same logic is followed, instead of using a quick exit method. currently it short circuits and doesn't try to send email or generate a one time key. Maybe generate the key and sleep for a some period of time?? * Implement protections against automated submissions such as CAPTCHA, rate-limiting or other controls. We rate limit login (see actions.py:LoginAction::handle()). Maybe that code can be adapted. It uses the login name as the identifier for the rate limit. Rate limiting on the basis of email address or username isn't going to work since the whole purpose is to try different ones. Maybe use client IP address somehow? Not sure this is accessible across all possible execution methods. Maybe try implementing minimum wait time for filling in form? See implementation of registration_delay in RegisterAction. Because so little info is needed, the delay has to be low and might not be useful. ----- See also issue 2551155 which also addresses password reset issues.

msg7332

Author: [hidden] (rouilj)

Date: 2021-08-24 01:00

Per:

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_She
et.html

These changes apply to Change roundup/cgi/actions.py: 
PassResetAction::handle().

we should:

  * Return a consistent message for both existent and non-existent
    accounts.

currently it reports no email address or user is matched.
 
  * Ensure that responses return in a consistent amount of time to
    prevent an attacker enumerating which accounts exist. This could
    be achieved by using asynchronous calls or by making sure that
    the same logic is followed, instead of using a quick exit method.

currently it short circuits and doesn't try to send email or generate
a one time key. Maybe generate the key and sleep for a some period of
time??

  * Implement protections against automated submissions such as
    CAPTCHA, rate-limiting or other controls.

We rate limit login (see actions.py:LoginAction::handle()). Maybe that
code can be adapted. It uses the login name as the identifier for the
rate limit. Rate limiting on the basis of email address or username
isn't going to work since the whole purpose is to try different ones.
Maybe use client IP address somehow? Not sure this is accessible
across all possible execution methods.

Maybe try implementing minimum wait time for filling in form?
See implementation of registration_delay in RegisterAction.
Because so little info is needed, the delay has to be low and might
not be useful.

-----

See also issue 2551155 which also addresses password reset issues.

History
Date	User	Action	Args
2021-08-24 01:00:12	rouilj	create

Roundup Tracker - Issues

Issue 2551156