Password Policy Bypass
Overview of the Vulnerability
When no password policy is enforced, the strength of the application's overall authentication process is diminished. A password policy bypass is present within this web application, allowing any user to set a weak password. This makes it easy for an attacker to guess users' passwords through password spraying or brute-forcing, compromising multiple users' accounts with minimal effort.
Business Impact
A password policy bypass within the application can result in reputational damage for the business through the loss of customers' trust: customers may conclude that the business does not take their account security seriously, or lose confidence that the data they hold within the application will remain secure.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Attempt to log in
Observe that modifying the following parameter allows a user to bypass the password policy of the application:
{{parameter}}
Proof of Concept (PoC)
The following screenshot shows the bypass of the password policy:
{{screenshot}}
Recommendation(s)
A password policy should be set and thoroughly tested in a UAT environment before being pushed to a production environment, to ensure that it is sufficiently robust. At a minimum, the password policy should enforce the following requirements for users:
Have a minimum password length of eight characters and no maximum limit.
Require at least three different character types, such as upper and lower case letters, numbers, and special characters.
Have a deny list of commonly used words and poor passwords, such as password, password123, the company's name, or a user's email address or username.
When a user resets their password, they should not be able to reuse a previous password or increment a previous password in any way. For example, a user should not be able to change their password from Correct-h0rse-1 to Correct-h0rse-2.
For more information refer to the following guide relating to this vulnerability: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
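The following Python validator is an added example, not part of this template or of any particular application, showing how the requirements above can be enforced server-side at registration and password reset. The deny list, the company name "Acme", the username, the e-mail address, and the previous passwords are constructed sample values; a production deployment would load a large breached-password list in place of DENY_LIST.

```python
import re
from typing import Iterable, List

MIN_LENGTH = 8            # minimum length only; no maximum length is enforced
MIN_CHARACTER_TYPES = 3   # out of: lowercase, uppercase, digit, special

# Constructed deny list for this example only. Production systems should
# load a large list of commonly used and breached passwords instead.
DENY_LIST = {"password", "password123", "qwerty123", "letmein", "welcome1"}


def character_types(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def _normalise(value: str) -> str:
    """Lower-case and drop non-alphanumerics so 'Acme-Corp' matches 'acmecorp'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def _stem(password: str) -> str:
    """Password with its trailing digits removed, used for increment detection:
    'Correct-h0rse-1' and 'Correct-h0rse-2' share the stem 'Correct-h0rse-'."""
    return re.sub(r"\d+$", "", password)


def is_reuse_or_increment(previous: str, candidate: str) -> bool:
    """True if the candidate equals a previous password (ignoring case) or
    differs from it only in its trailing digits."""
    if candidate.lower() == previous.lower():
        return True
    stem = _stem(candidate).lower()
    # An all-digit previous password has an empty stem; do not treat every
    # other all-digit password as an increment of it.
    if stem == "":
        return False
    return stem == _stem(previous).lower()


def validate_password(password: str, username: str, email: str, company: str,
                      previous_passwords: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    failures: List[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_types(password) < MIN_CHARACTER_TYPES:
        failures.append(f"uses fewer than {MIN_CHARACTER_TYPES} character types")

    # Exact match against the deny list after normalisation, so that
    # 'Password123!' is still caught as 'password123'.
    norm = _normalise(password)
    if norm in {_normalise(w) for w in DENY_LIST}:
        failures.append("matches a commonly used or denied password")

    # Identity-derived values: company name, username, e-mail and its local part.
    # Very short tokens are skipped to avoid rejecting nearly everything.
    for label, value in (("company name", company), ("username", username),
                         ("e-mail address", email),
                         ("e-mail local part", email.split("@")[0])):
        token = _normalise(value)
        if len(token) >= 3 and token in norm:
            failures.append(f"contains the user's {label}")
            break

    for old in previous_passwords:
        if is_reuse_or_increment(old, password):
            failures.append("reuses or increments a previous password")
            break

    return failures


if __name__ == "__main__":
    # Constructed sample account and password history.
    user, mail, org = "jsmith", "jsmith@acme.example", "Acme"
    history = ["Correct-h0rse-1"]
    for candidate in ["Correct-h0rse-2", "Password123", "acme2024!!",
                      "short1!", "Tr0ub4dor&3-Red-Stapler"]:
        result = validate_password(candidate, user, mail, org, history)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```

The increment check works on the stem of the password rather than on a Levenshtein distance, which catches the exact Correct-h0rse-1 to Correct-h0rse-2 case described above without rejecting genuinely new passwords that happen to share a few characters with an old one. Comparing against previous passwords requires them to be verifiable at reset time; with properly hashed storage this is done by verifying the candidate and its stem variants against the stored hashes rather than by keeping the plaintext history shown here.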