Authentication mechanism absence or evasion - Security Image

Description

It is possible to eliminate the use of the image and security phrase at user login.

Impact

The image and security phrase can be removed from the login flow, which can facilitate other types of attacks.

Recommendation

Make sure that only the number (identifier) of an existing image can be sent, so that the image and passphrase function cannot be eliminated.

Threat

User authenticated from the Internet.

Expected Remediation Time

⌚ 240 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application correctly validates the security credentials and handles wrong credentials by redirecting the user to the login page.

// Express route registration (app.post); the security image and phrase are read
// from the authenticated session and verified before the user can proceed
app.post('/userRegister', function (req, res, next) {
  const img = req.user.secImg;
  const phrase = req.user.secPhrase;
  const isCredentialsValid = checkCredentials(img, phrase);
  if (isCredentialsValid) {
    res.redirect('/profile/SecurityCredentials');
  } else {
    // Wrong credentials: send the user back to login to retry the security check
    res.redirect('/userLogin');
  }
});

Non compliant code

There is a functionality that allows bypassing the verification of the user credentials and accessing sensitive information.

// Express route registration (app.post); same check as above, but a failed
// verification still lands the user inside the authenticated area
app.post('/userRegister', function (req, res, next) {
  const img = req.user.secImg;
  const phrase = req.user.secPhrase;
  const isCredentialsValid = checkCredentials(img, phrase);
  if (isCredentialsValid) {
    res.redirect('/profile/SecurityCredentials');
  } else {
    // If there is a mistake in the credentials sent, the user can still bypass the controls
    res.redirect('/profile/signIn');
  }
});

Requirements