Roundup Tracker - Issues

Issue 2551156

Title: Make password reset method less useful for account guessing
Type: security    Severity: normal
Components:       Versions:
Status: new
Nosy List: rouilj
Priority: normal

Created on 2021-08-24 01:00 by rouilj, last changed 2021-08-24 01:00 by rouilj.

Messages
msg7332 Author: [hidden] (rouilj) Date: 2021-08-24 01:00
Per:

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

These changes apply to roundup/cgi/actions.py:
PassResetAction::handle().

We should:

  * Return a consistent message for both existent and non-existent
    accounts.

Currently it reports that no email address or user is matched.

  * Ensure that responses return in a consistent amount of time to
    prevent an attacker enumerating which accounts exist. This could
    be achieved by using asynchronous calls or by making sure that
    the same logic is followed, instead of using a quick exit method.

Currently it short-circuits and doesn't try to send email or generate
a one-time key. Maybe generate the key and sleep for some period of
time?

  * Implement protections against automated submissions such as
    CAPTCHA, rate-limiting or other controls.

We rate limit login (see actions.py:LoginAction::handle()). Maybe that
code can be adapted. It uses the login name as the identifier for the
rate limit. Rate limiting on the basis of email address or username
isn't going to work since the whole purpose is to try different ones.
Maybe use client IP address somehow? Not sure this is accessible
across all possible execution methods.

Maybe try implementing a minimum wait time for filling in the form?
See the implementation of registration_delay in RegisterAction.
Because so little info is needed, the delay has to be low and might
not be useful.

-----

See also issue 2551155 which also addresses password reset issues.
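The following is an added illustration of the three OWASP points raised in the message above, not code from Roundup or from rouilj: a reset-request handler that returns one generic message, pads every response to a minimum duration so the short-circuit path is not observable, and rate-limits by client address. The user store, the mailer, the client address and the clock are stand-ins (assumptions) for whatever the real PassResetAction has access to.

```python
"""Added example (not Roundup's code): a password-reset request handler
that answers every request the same way. Store, mailer, client address
and clock are stand-ins for the tracker's real objects."""

import secrets
import time
from collections import defaultdict

# One message for every outcome, so the text cannot reveal whether the
# address or user exists.
GENERIC_RESPONSE = ("If an account matches the details you supplied, an "
                    "email with reset instructions has been sent.")


class RateLimiter:
    """Sliding-window limiter keyed on the caller-supplied client address
    (assumption: the execution environment exposes one). At most `limit`
    requests per `window` seconds per key."""

    def __init__(self, limit=5, window=600.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        hits = [t for t in self._hits[key] if now - t < self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self._hits[key] = hits
        return allowed


class PassResetHandler:
    """store: dict of lowercase email -> username (constructed stand-in).
    send_mail(email, token): delivery callback (stand-in for the mailer).
    min_seconds: floor on the response time; every request, including a
    rate-limited one, is padded to at least this long."""

    def __init__(self, store, send_mail, limiter, min_seconds=0.5,
                 clock=time.monotonic, sleep=time.sleep):
        self.store, self.send_mail, self.limiter = store, send_mail, limiter
        self.min_seconds, self.clock, self.sleep = min_seconds, clock, sleep
        self.issued = {}  # token -> username, recorded only for real accounts

    def handle(self, client_addr, email):
        start = self.clock()
        if not self.limiter.allow(client_addr):
            return self._finish(start, 429)
        # Same code path for existing and missing accounts: always generate
        # a one-time key and always do the lookup; only delivery differs.
        token = secrets.token_urlsafe(32)
        user = self.store.get(email.strip().lower())
        if user is not None:
            self.issued[token] = user
            self.send_mail(email, token)
        return self._finish(start, 200)

    def _finish(self, start, status):
        # Pad to the minimum so the timing does not depend on the branch.
        remaining = self.min_seconds - (self.clock() - start)
        if remaining > 0:
            self.sleep(remaining)
        return status, GENERIC_RESPONSE


class FakeClock:
    """Deterministic clock so the demo can show the padding arithmetic."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def demo():
    """Drive the handler with a constructed store and return what a remote
    attacker could observe (status, message, response time) per request."""
    clock = FakeClock()
    outbox = []

    def send_mail(email, token):
        clock.t += 0.1  # simulated SMTP cost on the real-account path only
        outbox.append((email, token))

    store = {"alice@example.org": "alice"}  # constructed sample user database
    handler = PassResetHandler(store, send_mail,
                               RateLimiter(limit=3, window=600, clock=clock.now),
                               min_seconds=0.5, clock=clock.now, sleep=clock.sleep)

    def timed(addr, email):
        t0 = clock.now()
        status, msg = handler.handle(addr, email)
        return status, msg, round(clock.now() - t0, 3)

    observed = {
        "existing": timed("203.0.113.7", "alice@example.org"),
        "missing": timed("203.0.113.7", "nobody@example.org"),
        "third": timed("203.0.113.7", "alice@example.org"),
        "fourth_limited": timed("203.0.113.7", "bob@example.org"),
        "other_client": timed("198.51.100.2", "bob@example.org"),
    }
    return observed, outbox, handler.issued
```

In the demo the existing-account path spends 0.1 s "sending mail" and is padded by 0.4 s, while the missing-account path is padded by the full 0.5 s, so both come back in 0.5 s with the same text; the fourth request from one address is refused with the same message. The padding only hides differences smaller than min_seconds, and keying on the client address assumes one is available in every execution mode, which is the open question in the message.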
History
Date                 User    Action  Args
2021-08-24 01:00:12  rouilj  create