Skip to main content

Data uniqueness not properly verified

Description

The application does not properly validate the uniqueness of the data, allowing an attacker to reuse or regenerate information that should be valid for one use only.

Impact

Lead to diferent vulnerabilities by abusing the misconfigured feature.

Recommendation

Implement validations to ensure that the data cannot be reused nor regenerated if the application requires a unique value.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:X
  • Score:
    • Base: 5.4
    • Temporal: 5.4
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

verification codes should expire after a timeout and be deleted after a single use

function hashPassword(verificationCode) {

if (isValid(verificationCode) & isNotExpired(verificationCode.timestamp){
//Code to handle user recover password
deleteCode(verificationCode)
}
}

Non compliant code

A verification code that should only be used once is stored inside the user data

function recoverPassword(verificationCode) {
if isValid(verificationCode){
user.verificationCode = verificationCode
//Code to handle user recover password
...
}
}

Requirements