Authentication mechanism absence or evasion - Response tampering
Description
The OTP validation is performed according to the response of the request, an attacker can modify the response of the request to include the success message and thus continue with the flow to do the unblocking.
Impact
Skip OTP validation.
Recommendation
Set up an authentication process for every resource with business-critical functionality. Perform the pertinent validations of the critical functionalities in the back-end.
Threat
Unauthorized external attacker.
Expected Remediation Time
⌚ 90 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
- Score:
- Base: 5.3
- Temporal: 5.0
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0 . It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: N
- User interaction: N
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
- Score:
- CVSS-BT: 5.5
- Severity:
- CVSS-BT: Medium
Requirements
- 227.Display access notification
- 228.Authenticate using standard protocols
- 229.Request access credentials
- 231.Implement a biometric verification component
- 235.Define credential interface
- 264.Request authentication
- 323.Exclude unverifiable files
Fixes
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.