AppSec Tales I | Sign-up

Application Security Testing of the Register form guidelines.

INTRODUCTION

This is the first article in the AppSec series that describes how to test Registration forms to ensure a secure authentication process.
The advice in this article is based on the following:

• OWASP Web Security Testing Guide
• OWASP Application Security Verification Standard
• NIST recommendations
• bug bounty reports
• Own experience.

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

GUIDELINES

I. IMPERSONATION

Register twice using the same data but changing the sign-up component.

• The victim’s account could be hijacked if the application allows resetting the password based on one of the sign-up components.
  (Example of hijacking based on the username)
• The attacker may impersonate the victim by using his data from another account.
• The victim’s data can be removed entirely from the database or replaced with new ones entered by the attacker.

Source: Own study — An example of the email address’s impersonation.

Username and other sensitive data such as document number, phone number, personal identification number, International Bank Account Number, etc., must be linked to the existing account and blocked from being used again.

II. SPOOFING

Register twice using: the same email | + |. |uppercase|unicode.

• The attacker could smuggle messages to the victim based on the registration form, which could help in a phishing campaign.
• A victim’s mailbox can be flooded with vast amounts of email messages. Asa result, the mail server can place messages from the target domain in the spam or block them entirely from delivery.
• An attacker could get registration bonuses multiple times.