Authentication mechanism absence or evasion - Response tampering
Description
The OTP validation is decided by the client according to the response of the verification request. An attacker can modify that response to include the success message and thus continue with the flow to perform the unblocking without knowing the OTP.
Impact
Skip OTP validation.
Recommendation
Set up an authentication process for every resource with business-critical functionality. Perform the pertinent validations of the critical functionalities in the back-end.
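To make the recommendation concrete, here is an added Python sketch (not Fluid Attacks' code) contrasting an unblock step that trusts a client-reported verification result with one that consults only server-side state written by the OTP check; the in-memory stores, attempt limit and function names are assumptions standing in for a real session backend.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a real session/DB backend (assumption).
OTP_STORE = {}    # session_id -> [otp, attempts_left]
VERIFIED = set()  # session_ids whose OTP was verified on the server
MAX_ATTEMPTS = 5


def issue_otp(session_id):
    """Generate a 6-digit OTP bound to the session; deliver it out-of-band, never in the HTTP response."""
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[session_id] = [otp, MAX_ATTEMPTS]
    return otp


def verify_otp(session_id, submitted):
    """Server-side check: records success in VERIFIED; the JSON reply is informational only."""
    entry = OTP_STORE.get(session_id)
    if entry is None or entry[1] <= 0:
        return {"ok": False}
    entry[1] -= 1  # count the attempt before comparing, so brute force is bounded
    if hmac.compare_digest(entry[0], submitted):
        del OTP_STORE[session_id]
        VERIFIED.add(session_id)
        return {"ok": True}
    return {"ok": False}


def unblock_vulnerable(session_id, client_says_verified):
    """Vulnerable pattern: the decision comes from a flag the client derived from
    the verify response, so a tampered {"ok": true} reply is enough to pass."""
    if client_says_verified:
        return "account unblocked"
    return "denied"


def unblock_hardened(session_id):
    """Hardened pattern: the decision comes only from state verify_otp wrote on the
    server; modifying the response in transit cannot create that state."""
    if session_id in VERIFIED:
        VERIFIED.discard(session_id)  # one-shot: consume the verification
        return "account unblocked"
    return "denied"
```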
Threat
Unauthorized external attacker.
Expected Remediation Time
⌚ minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
- Score:
  - Base: 5.3
  - Temporal: 5.0
- Severity:
  - Base: Medium
  - Temporal: Medium
Requirements
- 227.Display access notification
- 228.Authenticate using standard protocols
- 229.Request access credentials
- 231.Implement a biometric verification component
- 235.Define credential interface
- 264.Request authentication
- 323.Exclude unverifiable files