Ascertain human interaction
Summary
The system must guarantee that user actions are performed by a human (e.g., registration, authentication and password recovery). This can be achieved using CAPTCHA, incremental delays or mechanisms that prevent excessive crawling and indexing.
Description
There exist several attacks that have been automated or depend on a bot for their execution. Many of them focus on exploiting vulnerabilities in authentication forms (for example, password brute forcing or enumeration of valid accounts). In order to hinder the effectiveness of these attacks, the system must implement mechanisms that help ensure that the entity with which it is interacting is a human being.
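The following is an added example (not code from this requirement's author or project) of one of the mechanisms the summary names: an incremental-delay gate for an authentication form that also demands a human challenge after a few failures. The in-memory state, the delay parameters, the key format (account plus client address) and the simulated attempt sequence are all assumptions chosen for illustration; a real deployment would keep this state in shared storage and tune the thresholds.

```python
from dataclasses import dataclass, field


@dataclass
class AttemptState:
    """Per-key record of consecutive failed authentication attempts."""
    failures: int = 0
    last_failure: float = 0.0


@dataclass
class LoginThrottle:
    """Incremental delay plus human-challenge gate for a login endpoint.

    Each failed attempt doubles the wait required before the next one
    (base_delay * 2**(failures - 1)), capped at max_delay.  Once a key has
    reached captcha_after failures, the caller must also present a solved
    human challenge (e.g. CAPTCHA) before a guess is evaluated.  A
    successful login clears the record.  State is kept in memory here,
    which is an assumption of this example.
    """
    base_delay: float = 1.0      # seconds; assumed value
    max_delay: float = 300.0     # seconds; assumed value
    captcha_after: int = 3       # failures before a challenge is required
    _states: dict = field(default_factory=dict)

    def _required_delay(self, failures: int) -> float:
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def check(self, key: str, now: float):
        """Return (allowed, seconds_to_wait, captcha_required) for an attempt at `now`."""
        st = self._states.get(key, AttemptState())
        remaining = max(0.0, self._required_delay(st.failures) - (now - st.last_failure))
        captcha_required = st.failures >= self.captcha_after
        return remaining == 0.0, remaining, captcha_required

    def record_failure(self, key: str, now: float) -> int:
        """Register a wrong guess and return the new failure count."""
        st = self._states.setdefault(key, AttemptState())
        st.failures += 1
        st.last_failure = now
        return st.failures

    def record_success(self, key: str) -> None:
        """A correct login resets the counter for this key."""
        self._states.pop(key, None)


def simulate_brute_force(attempts: int = 20, interval: float = 0.5) -> dict:
    """Run a constructed sequence of wrong guesses at a fixed interval.

    The simulated client never solves the human challenge, so every guess is
    either evaluated ("processed"), refused because the wait has not elapsed
    ("delayed"), or refused because a challenge is required ("challenged").
    """
    throttle = LoginThrottle()
    key = "alice@203.0.113.5"  # constructed account + client address key
    counts = {"processed": 0, "delayed": 0, "challenged": 0}
    for i in range(attempts):
        now = i * interval
        allowed, _wait, captcha_required = throttle.check(key, now)
        if not allowed:
            counts["delayed"] += 1
        elif captcha_required:
            counts["challenged"] += 1
        else:
            # Every guess in this simulation is wrong, so it counts as a failure.
            counts["processed"] += 1
            throttle.record_failure(key, now)
    return counts


if __name__ == "__main__":
    print(simulate_brute_force())  # only 3 of 20 guesses ever reach the password check
```

The key combines the targeted account with the client address so that a single client hammering one account is slowed down without locking out the legitimate owner; the challenge step after `captcha_after` failures is what actually ties the requirement to human interaction, since the delay alone only slows an automated client down.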
Supported In
This requirement is verified in the following services
Plan | Supported |
---|---|
Machine | 🔴 |
Squad | 🟢 |
References
- CAPEC™-49. Password brute forcing
- CWE™-307. Improper restriction of excessive authentication attempts
- CWE™-799. Improper control of interaction frequency
- CWE™-804. Guessable CAPTCHA
- NERC CIP-007-6_R5_7. System access control
- OWASP TOP 10-A7. Identification and authentication failures
- SANS 25-14. Improper Authentication
- HITRUST CSF-08_b. Physical entry controls
- ISA/IEC 62443-IAC-1_1. Human user identification and authentication
- WASSEC-4_1. Web crawler configuration
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- WASC-A_11. Brute force
- WASC-A_34. Predictable resource location
- WASC-W_21. Insufficient anti-automation
- ISSAF-P_4. Host security - Linux security (identify ports and services)
- ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
- ISSAF-Q_16_34. Host security - Windows security (denial of service attacks)
- ISSAF-T_11_1. Web application assessment - Brute force attack
- ISSAF-V_9. Application security - Source code auditing (data and input validation)
- PTES-5_2_3_2. Vulnerability analysis - Web application scanners (directory listing or brute forcing)
- NIST 800-115-4_2. Network port and service identification
- OWASP ASVS-2_2_1. General authenticator security
- OWASP ASVS-5_1_2. Input validation
- CASA-2_2_1. General Authenticator Security
- CASA-5_1_2. Input Validation
Vulnerabilities
- 047. Automatic information enumeration
- 053. Lack of protection against brute force attacks
- 069. Weak CAPTCHA
- 252. Automatic information enumeration - Open ports
- 253. Automatic information enumeration - AWS
- 254. Automatic information enumeration - Credit Cards
- 283. Automatic information enumeration - Personal Information
- 330. Lack of protection against brute force attacks - Credentials
- 351. Automatic information enumeration - Corporate information