A07:2021 – Identification and Authentication Failures

Challenges

Last updated 2 years ago

CWE-287: Improper Authentication / CWE-521: Weak Password Requirements

The website does not enforce a sufficiently strong password policy. Users can register with trivially weak passwords, which they should not be able to do, because such passwords are easily guessed or brute-forced.

Registration (validation)

In this challenge, you need to register a user with a weak password.

Solution

  1. Go to /Auth/Register.

  2. This issue usually shows up when registering a new user with a very short or trivial password such as "111", "aaaa" or "test". Here the form does validate the input and requires a password of at least five characters.

  3. Diving into the code, we can see that the password is validated only in client-side JavaScript.

  4. By removing that check in the browser's debugger, or by intercepting the request with a proxy and editing the password field, we can register with a password shorter than five characters. This shows that the server does not validate the input itself. Client-side validation is a usability aid, not a security control, because the client is fully under the attacker's control; every check must be repeated on the server.

Password hashing

Solution

Following the registration path through the code (AuthController.cs -> AuthBL.cs -> UserDAO.cs -> RegisterUser) shows how passwords are stored: in plain text. This is a serious issue, because anyone who obtains a copy of the database (through an injection flaw, a leaked backup or a compromised host) immediately has every user's password, along with any other account where that password was reused. Passwords should only ever be stored as salted, deliberately slow hashes (bcrypt, scrypt, Argon2 or PBKDF2), so that a database leak still leaves the attacker a costly offline cracking job.

Figure: Password validation in JavaScript
Figure: SecureBank user registration code snip
Figure: Database snip
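The two challenges above share one root cause: the server trusts the client for password validation and then stores what it receives unchanged. The following is an added example (not SecureBank's own code) of what the server side of the registration path should do instead: enforce the password policy in the handler itself, so removing the JavaScript check or replaying the POST through a proxy changes nothing, and persist only a salted PBKDF2-HMAC-SHA256 hash. The names `register_user`, `validate_password`, the `users` dictionary and the 12-character minimum are assumptions made for this example; the sample common-password list is constructed here and a real deployment would use a breached-password list.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumptions for this example: SecureBank's client-side check asks for 5
# characters; a server-side policy should demand considerably more.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # OWASP-recommended floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# Constructed sample, mirroring the "111, aaaa, test" style passwords the
# challenge mentions. A real deployment would check a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "test", "admin", "letmein"}


def validate_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    This runs on the server, so deleting the JavaScript check in the browser or
    editing the POST body in an intercepting proxy cannot bypass it.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        # Catches "111", "aaaa" and similar single-character repeats.
        problems.append("uses fewer than 4 distinct characters")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as 'pbkdf2_sha256$iter$salt$hash'.

    A fresh random salt per user means two users with the same password get
    different stored values, which defeats precomputed (rainbow) tables.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# In-memory stand-in for the users table (constructed for this example).
users: dict[str, str] = {}


def register_user(username: str, password: str) -> tuple[bool, list[str]]:
    """Server-side registration: validate first, then store only a salted hash.

    Takes the raw values from the request, i.e. exactly what arrives after the
    client-side JavaScript has been bypassed.
    """
    problems = validate_password(password, username)
    if problems:
        return False, problems
    if username in users:
        return False, ["username already taken"]
    users[username] = hash_password(password)
    return True, []


if __name__ == "__main__":
    # The bypass from the challenge: a POST carrying a 3-character password
    # that the browser-side check would have refused. Rejected server-side.
    print(register_user("alice", "111"))
    ok, _ = register_user("alice", "correct horse battery staple")
    print(ok, users["alice"][:40] + "...")   # no plaintext in the stored value
    print(verify_password("correct horse battery staple", users["alice"]))
```

Note that `validate_password` returns every violated rule rather than the first one, so the registration form can show the user a complete list; and `verify_password` reads the iteration count from the stored string, so the work factor can be raised for new users without invalidating old records.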