Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by scriptkidde - 20.10.2024
Last edited by cbay - 24.10.2024

FS#86 - Lack of Password Confirmation on Delete Account

## Overview of the Vulnerability
User accounts are more susceptible to account takeover when there is no password confirmation on certain actions. For example, change of email address, change of password, management of Multi-Factor Authentication details, and account deletion.
The application lacks password confirmation on the delete account function, which could be abused by an attacker who has access to the user’s account (e.g. a public computer the user has not logged out of). From here the attacker could delete a user’s account.
## Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure.
## Steps to Reproduce
1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP
   1. Use a browser to navigate to: admin.alwaysdata.com
2. Use delete account functionality
   1. Intercept the request in a Web Proxy
3. Adjust and forward the following request to the endpoint:
4. Observe that no password confirmation is required
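The fix the report implies is re-authentication: a destructive action such as account deletion should require the account password in the same request, so a stolen or abandoned session alone is not enough. The following is an added illustration, not alwaysdata's code: a minimal in-memory model with the weak handler (session check only) beside the hardened one. The `User`, `Session`, `Store` and `delete_account_*` names are hypothetical, and the iteration count is an example value.

```python
"""Password confirmation ("re-authentication") for destructive account actions.

Added example, not the project's code. Models the weakness in the report: a
delete-account handler that only checks for a logged-in session, beside a
hardened handler that also verifies the account password in the same request.
All names here are hypothetical.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Example work factor for the demo; production deployments tune this higher.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    deleted: bool = False

    def verify_password(self, candidate: str) -> bool:
        """Constant-time comparison of the candidate's digest against the stored one."""
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.password_hash)


@dataclass
class Session:
    """A logged-in browser session; user is None when nobody is authenticated."""
    user: Optional[User]


class Store:
    """Tiny in-memory user store standing in for the application database."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def create_user(self, username: str, password: str) -> User:
        salt, digest = hash_password(password)
        user = User(username, salt, digest)
        self.users[username] = user
        return user


def delete_account_unconfirmed(session: Session) -> str:
    """Weak handler: any request carrying a valid session deletes the account.

    This is the behaviour the report describes: whoever sits at an
    unlocked, still-logged-in browser can delete the account.
    """
    if session.user is None:
        return "unauthenticated"
    session.user.deleted = True
    return "deleted"


def delete_account_confirmed(session: Session, password_confirmation: Optional[str]) -> str:
    """Hardened handler: the caller must prove knowledge of the password per request.

    The session alone is not sufficient; a missing or wrong confirmation is
    rejected before any state changes, and the outcome is a distinct status a
    caller can log and alert on.
    """
    if session.user is None:
        return "unauthenticated"
    if not password_confirmation or not session.user.verify_password(password_confirmation):
        return "password_confirmation_required"
    session.user.deleted = True
    return "deleted"


if __name__ == "__main__":
    store = Store()
    alice = store.create_user("alice", "correct horse battery staple")
    session = Session(alice)
    print(delete_account_confirmed(session, None))        # password_confirmation_required
    print(delete_account_confirmed(session, "wrong"))     # password_confirmation_required
    print(delete_account_confirmed(session, "correct horse battery staple"))  # deleted
```

The same pattern applies to the other actions listed in the overview (email change, password change, MFA management): gate them on a fresh password check, or on a recent re-authentication timestamp stored server-side, rather than on session presence alone.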

Closed by cbay
24.10.2024 12:20
Reason for closing: Duplicate
Additional comments about closing: https://security.alwaysdata.com/task/17
