Validate credential ownership
Summary
The system must validate that the given credentials (email, phone number, etc.) actually belong to the user that claimed ownership of them.
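One common way to meet this requirement is a challenge sent over the claimed channel itself: the system generates a one-time code, delivers it only to the claimed email address or phone number, and marks the credential as owned only when the same user who claimed it presents that code before it expires. The example below is an added illustration, not code from this page or from Fluid Attacks; the names `VerificationStore`, `issue_challenge` and `verify_challenge` are hypothetical, and the user and credential values are constructed. It shows the checks a practitioner expects: the code is bound to the claiming user and the credential, stored only as a keyed hash, compared in constant time, limited to a small number of attempts, time-limited and single-use.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example: every name here (VerificationStore, issue_challenge,
# verify_challenge) is hypothetical and not a real library API.

CODE_TTL_SECONDS = 600  # a challenge is only valid for 10 minutes
MAX_ATTEMPTS = 5        # after this many wrong guesses the challenge is discarded


@dataclass
class Challenge:
    user_id: str
    kind: str         # "email" or "phone"
    value: str        # the credential the user claims to own
    code_mac: bytes   # keyed hash of the one-time code; the plaintext code is never stored
    issued_at: float
    attempts: int = 0


class VerificationStore:
    """Tracks pending ownership challenges and which credentials are confirmed."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._pending: dict[tuple[str, str, str], Challenge] = {}
        self._verified: set[tuple[str, str, str]] = set()

    def _mac(self, user_id: str, kind: str, value: str, code: str) -> bytes:
        # Bind the code to the claiming user AND the credential, so a code
        # delivered for one (user, credential) pair cannot confirm any other.
        msg = "\x00".join((user_id, kind, value, code)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_challenge(self, user_id: str, kind: str, value: str) -> str:
        """Create a fresh one-time code. The caller must deliver it ONLY over
        the claimed channel (mail to that address / SMS to that number)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user_id, kind, value)] = Challenge(
            user_id, kind, value, self._mac(user_id, kind, value, code), self._now()
        )
        return code

    def verify_challenge(self, user_id: str, kind: str, value: str, code: str) -> bool:
        """Return True and mark the credential verified only if `code` is the
        unexpired, unused code issued to this user for this credential."""
        key = (user_id, kind, value)
        challenge = self._pending.get(key)
        if challenge is None:
            return False                       # nothing issued to this user for this value
        if self._now() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False                       # expired: a new challenge is required
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False                       # too many guesses: blocks brute force
        expected = self._mac(user_id, kind, value, code)
        if not hmac.compare_digest(challenge.code_mac, expected):
            return False                       # wrong code (constant-time comparison)
        del self._pending[key]                 # single use
        self._verified.add(key)
        return True

    def is_verified(self, user_id: str, kind: str, value: str) -> bool:
        return (user_id, kind, value) in self._verified


if __name__ == "__main__":
    store = VerificationStore(secrets.token_bytes(32))
    code = store.issue_challenge("alice", "email", "alice@example.com")  # constructed data
    # In production the code is emailed at this point; the application never echoes it.
    print("bob using alice's code:", store.verify_challenge("bob", "email", "alice@example.com", code))
    print("alice with her code:  ", store.verify_challenge("alice", "email", "alice@example.com", code))
    print("verified:", store.is_verified("alice", "email", "alice@example.com"))
```

The important design point is that the code proves control of the channel, not knowledge of the address: delivering it anywhere other than the claimed email or number (for example showing it in the UI, or accepting an unverified "I own this" checkbox) defeats the check. Because the keyed hash includes the user ID, a code captured by, or issued to, another account cannot be replayed to confirm the same credential for that account.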
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-287. Improper authentication
- CAPEC™-654. Credential Prompt Impersonation
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_2. Logical and physical access controls
- NIST Framework-PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes
- MITRE ATT&CK®-M1043. Credential access protection
- SANS 25-14. Improper Authentication
- POPIA-3A_23. Access to personal information
- PDPO-S1_4. Security of personal data
- CMMC-IA_L1-3_5_2. Authentication
- HITRUST CSF-10_c. Control of internal processing
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_4. Application design controls - Password policy
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- OWASP MASVS-V8_10. Resilience requirements - Device binding
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-4_3_1. Other access control considerations
- CASA-2_10_1. Service Authentication
- CASA-4_3_1. Other Access Control Considerations
Vulnerabilities
- 103. Insufficient data authenticity validation - APK signing
- 327. Insufficient data authenticity validation - Images
- 355. Insufficient data authenticity validation - Checksum verification
- 377. Insufficient data authenticity validation - Device Binding
- 382. Insufficient data authenticity validation - Front bypass
- 389. Insufficient data authenticity validation - JAR signing