
Using the OWASP testing guide, if password strength policy verification is implemented only client-side, can that be considered a vulnerability? In which category?

Also, which CVSS score should it have?

Maicake
    It's not a vulnerability of the system, so I'm not sure that it would get a CVSS score. – schroeder Aug 16 '20 at 08:46
  • You can use the OWASP Risk Rating Methodology, a special methodology for web application vulnerabilities: https://owasp.org/www-community/OWASP_Risk_Rating_Methodology – hmrojas.p Aug 17 '20 at 20:24

1 Answer

Yes, it can be considered a vulnerability, as anything done only on the client side is not enforced.
This situation is quite equivalent to not having a mandatory password strength requirement.

This topic is described in the OWASP Application Security Verification Standard in the "Authentication" category: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Authentication.md#v21-password-security-requirements

This is not a particular flaw (like a CVE with a CVSS score) but a general one (so a CWE).
So you will find details here:

Each article details the above categories of the flaw (in the membership section).

There is no numeric score like CVSS, but you can use the CVSS calculator to estimate it: https://www.first.org/cvss/calculator/3.0.
In your case, a regular user will not try to bypass the password policy on the client side. And if an attacker tries to do it, he can only create a poorly secured account for himself.
We can imagine a scenario where the attacker tries to make a victim click a link which changes the password for the victim's own account on your website without the client-side limitations... but it is far simpler to use this link to steal the current password ^^.
So I guess that the CVSS vector is https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, but it is very theoretical.

Sibwara
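To make the answer's point concrete, here is an added example (not code from the question, the answer, or ASVS itself) showing the difference between a registration endpoint that trusts the browser's validation and one that re-checks the password policy on the server. The thresholds follow my reading of ASVS 4.0 V2.1 (at least 12 characters, no truncation, a breached-password check); the `BREACHED_SHA1` set, the `UserStore` class and the function names are constructed for this illustration and stand in for a real breached-password corpus and a real user database.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password corpus (real deployments would
# query a list such as the Have I Been Pwned SHA-1 range API instead).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password1234", "qwertyuiop12", "letmein12345")
}


@dataclass
class PasswordPolicy:
    # Thresholds based on ASVS 4.0 V2.1 as I read it: minimum 12 characters,
    # a generous maximum (at least 64 must be accepted), never truncate.
    min_length: int = 12
    max_length: int = 128

    def violations(self, password: str) -> list:
        """Return every policy rule the password breaks (empty list = OK)."""
        found = []
        if len(password) < self.min_length:
            found.append("too_short")
        if len(password) > self.max_length:
            found.append("too_long")
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        if digest in BREACHED_SHA1:
            found.append("breached")
        return found


@dataclass
class UserStore:
    """Constructed in-memory user database: username -> (salt, hash)."""
    users: dict = field(default_factory=dict)


def hash_for_storage(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def register_trusting_client(store: UserStore, username: str, password: str,
                             client_validated: bool) -> str:
    """Vulnerable pattern: the only 'policy check' is a flag the browser sent.

    Anything a request can carry can be set by whoever sends the request, so
    this is equivalent to having no password policy at all.
    """
    if not client_validated:
        return "rejected"
    store.users[username] = hash_for_storage(password)
    return "created"


def register(store: UserStore, username: str, password: str,
             policy: PasswordPolicy = None) -> str:
    """Hardened pattern: the server re-evaluates the policy on every request.

    The browser may still run the same rules for instant feedback (ASVS asks
    for a strength meter), but that is usability, not enforcement.
    """
    policy = policy or PasswordPolicy()
    problems = policy.violations(password)
    if problems:
        return "rejected:" + ",".join(problems)
    store.users[username] = hash_for_storage(password)
    return "created"


if __name__ == "__main__":
    store = UserStore()
    # The weak endpoint accepts a 3-character password as long as the flag is set.
    print(register_trusting_client(store, "mallory", "abc", client_validated=True))
    # The hardened endpoint rejects it whatever the client claimed.
    print(register(store, "alice", "abc"))
    print(register(store, "alice", "correct horse battery staple"))
```

The `violations` function is deliberately the same rule set you would ship to the browser; the security property comes from where it runs, not from what it checks. If the server-side call is missing, the `client_validated` flag (or its real-world equivalent, a request the front-end JavaScript never saw) decides what ends up in the user database.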