Created on 2021-08-24 01:00 by rouilj, last changed 2021-08-24 01:00 by rouilj.
|msg7332||Author: [hidden] (rouilj)||Date: 2021-08-24 01:00|
Per: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

These changes apply to roundup/cgi/actions.py: PassResetAction::handle(). We should:

* Return a consistent message for both existent and non-existent accounts. Currently it reports no email address or user is matched.

* Ensure that responses return in a consistent amount of time to prevent an attacker enumerating which accounts exist. This could be achieved by using asynchronous calls or by making sure that the same logic is followed, instead of using a quick exit method. Currently it short circuits and doesn't try to send email or generate a one time key. Maybe generate the key and sleep for some period of time??

* Implement protections against automated submissions such as CAPTCHA, rate-limiting or other controls. We rate limit login (see actions.py:LoginAction::handle()). Maybe that code can be adapted. It uses the login name as the identifier for the rate limit. Rate limiting on the basis of email address or username isn't going to work since the whole purpose is to try different ones. Maybe use client IP address somehow? Not sure this is accessible across all possible execution methods. Maybe try implementing minimum wait time for filling in form? See implementation of registration_delay in RegisterAction. Because so little info is needed, the delay has to be low and might not be useful.

-----
See also issue 2551155 which also addresses password reset issues.
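The three mitigations above (uniform message, uniform code path with a minimum response time, and a per-client rate limit) sketched as a hypothetical stand-alone reset handler; this is an added illustration, not Roundup's PassResetAction code, and the in-memory user table, mail stub and client IP source are assumptions.

```python
import secrets
import time

# Constructed stand-in for the tracker's user class (assumption, not Roundup's schema).
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

RESET_MESSAGE = "If an account matches, reset instructions have been emailed."
MIN_RESPONSE_SECONDS = 0.25   # every response is padded to at least this long
RATE_LIMIT = 5                # reset requests allowed per client per window
RATE_WINDOW = 600             # seconds
_attempts = {}                # client_ip -> request timestamps (in-memory, assumption)

def _lookup(username_or_email):
    """Return (address, found). Unknown accounts get a decoy address so the
    caller still runs key generation and the mail-building path."""
    for name, addr in USERS.items():
        if username_or_email in (name, addr):
            return addr, True
    return "nobody@example.invalid", False

def _build_mail(addr, otk):
    """Stand-in for composing the reset mail; real code would queue delivery."""
    return {"to": addr, "otk": otk}

def rate_limited(client_ip, now=None):
    """Sliding-window limit keyed on the client address, not on the
    username/email being probed (which the requester controls)."""
    now = time.monotonic() if now is None else now
    window = [t for t in _attempts.get(client_ip, []) if now - t < RATE_WINDOW]
    window.append(now)
    _attempts[client_ip] = window
    return len(window) > RATE_LIMIT

def handle_reset(username_or_email, client_ip, sent=None):
    """Same message, same work and a floored duration whether or not the
    account exists or the client is throttled; mail only goes out for real,
    unthrottled requests. `sent` collects delivered mails for inspection."""
    start = time.monotonic()
    throttled = rate_limited(client_ip)
    addr, found = _lookup(username_or_email)
    otk = secrets.token_urlsafe(32)          # always generated, never short-circuited
    mail = _build_mail(addr, otk)
    if found and not throttled and sent is not None:
        sent.append(mail)
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)                # pad fast paths up to the floor
    return RESET_MESSAGE
```

The duration floor hides the gap between the quick-exit and mail-sending paths; it does not hide variance above the floor, so the floor should exceed the slowest legitimate path.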