Email uniqueness not properly verified
Description
The system allows the plus character in the email registration process. An attacker could abuse this feature to create several accounts pointing to the same email.
Impact
Create multiple accounts with the same email.
Recommendation
The system must validate emails in such way that an inbox only can be associated or represent an account.
Threat
Anonymous attacker from the Internet.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: P
- Remediation level: U
- Report confidence: C
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
- Score:
- Base: 4.3
- Temporal: 4.1
- Severity:
- Base: Medium
- Temporal: Medium
Code Examples
Compliant code
Passwords should always be stored in encrypted values and never returned as plain text in a response
const registerUser = async (req, res, next) => {
const { username, password, email } = req.body
try {
//The validation method also checks if the email already exists
await User.validate({
username,
password,
email,
}).then(user =>
res.status(200).json({
message: "User successfully created",
})
)
return user, password, email
} catch (err) {
res.status(401).json({
message: "Something went wrong: User not created",
error: error.mesage,
})
}
}
Non compliant code
There is no verification for duplicate emails
const registerUser = async (req, res, next) => {
const { username, password, email } = req.body
try {
//The method does not check if the email is duplicated before creating a new user
await User.validate({
username,
password,
}).then(user =>
res.status(200).json({
message: "User successfully created",
})
)
return user, password, email
} catch (err) {
res.status(401).json({
message: "Something went wrong: User not created",
error: error.mesage,
})
}
}