AppSec Tales I | Sign-up

Karol Mazurek
10 min read · Apr 5, 2022

Guidelines for application security testing of the registration (sign-up) form.

INTRODUCTION

This is the first article in the AppSec series that describes how to test Registration forms to ensure a secure authentication process.
The advice in this article is based on the following:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • bug bounty reports
  • my own experience.

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

GUIDELINES

I. IMPERSONATION

Register twice with the same data, changing only one sign-up component (for example the username or the e-mail address) between the two attempts.

  • The victim’s account could be hijacked if the application allows resetting the password based on one of the sign-up components.
    (Example of hijacking based on the username)
  • The attacker may impersonate the victim by reusing the victim’s data in another account.
  • The victim’s data can be removed entirely from the database or replaced with the new values entered by the attacker.
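The usual root cause of the duplicate-registration problem above is that the application compares sign-up components as raw strings, so `Alice`, `alice ` and a fullwidth `ａlice` all register as "different" users and later collide in password reset or profile lookup. The following is an added example (not code from the original article) of the defensive pattern: canonicalize every identifying component before checking uniqueness, and key account-recovery lookups on the same canonical form. The in-memory dictionaries stand in for database unique indexes, and folding the e-mail local part to lower case is an assumption about the deployment (most providers treat it case-insensitively, RFC 5321 does not require it).

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    username: str   # display form as entered (trimmed)
    email: str      # canonical form


def _reject_invisible(s: str) -> None:
    """Refuse control/format characters (zero-width joiners, BOM, etc.) that
    survive NFKC and whitespace stripping but make visually identical names."""
    for ch in s:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            raise ValueError("identifier contains a control or format character")


def canonical_username(raw: str) -> str:
    # NFKC folds compatibility forms (fullwidth 'ａ' -> 'a'), casefold handles
    # case and special cases such as German sharp s.
    s = unicodedata.normalize("NFKC", raw).strip()
    _reject_invisible(s)
    if not s:
        raise ValueError("empty username")
    return s.casefold()


def canonical_email(raw: str) -> str:
    s = unicodedata.normalize("NFKC", raw).strip()
    _reject_invisible(s)
    if s.count("@") != 1:
        raise ValueError("invalid email")
    local, domain = s.split("@")
    if not local or not domain:
        raise ValueError("invalid email")
    # Assumption: local part is treated case-insensitively (see lead-in).
    return f"{local.casefold()}@{domain.casefold()}"


class RegistrationStore:
    """Assumed in-memory stand-in for a user table with unique indexes on the
    canonical username and canonical e-mail."""

    def __init__(self) -> None:
        self._by_username: Dict[str, User] = {}
        self._by_email: Dict[str, User] = {}

    def is_available(self, username: str, email: str) -> bool:
        return (canonical_username(username) not in self._by_username
                and canonical_email(email) not in self._by_email)

    def register(self, username: str, email: str) -> User:
        u = canonical_username(username)
        e = canonical_email(email)
        if u in self._by_username:
            raise ValueError("username already taken")
        if e in self._by_email:
            raise ValueError("email already registered")
        user = User(username=username.strip(), email=e)
        self._by_username[u] = user
        self._by_email[e] = user
        return user

    def find(self, identifier: str) -> Optional[User]:
        """Lookup used by password reset: only the canonical, unique key is
        consulted, so a look-alike second account can never be returned."""
        if "@" in identifier:
            try:
                return self._by_email.get(canonical_email(identifier))
            except ValueError:
                return None
        try:
            return self._by_username.get(canonical_username(identifier))
        except ValueError:
            return None


if __name__ == "__main__":
    store = RegistrationStore()
    store.register("alice", "alice@example.com")
    for name, mail in [("Alice ", "ALICE@example.com"),      # case + whitespace
                       ("\uff41lice", "bob@example.com"),     # fullwidth 'a'
                       ("bob", "Alice@Example.COM")]:         # same mailbox
        print(repr(name), mail, "available:", store.is_available(name, mail))
```

The test for the guideline then becomes a unit test rather than a manual probe: every variant of an existing username or e-mail must be reported as unavailable, and `find()` must return the one canonical account for any spelling of its identifier.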
