From 1ac87fdf3138489358d0414ccac128667607c0c1 Mon Sep 17 00:00:00 2001 From: BC-Lucille Date: Fri, 4 Oct 2024 12:04:38 +0100 Subject: [PATCH 1/5] No 2FA template addition --- .../no_two_fa/recommendations.md | 3 +++ .../no_two_fa/template.md | 13 +++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md create mode 100644 submissions/description/insufficient_security_configurability/no_two_fa/template.md diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md b/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md new file mode 100644 index 00000000..91a24de7 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md @@ -0,0 +1,3 @@ +**Recommendation(s)** + +Implement a 2FA feature for all user accounts and ensure that privileged users are required to configure 2FA. \ No newline at end of file diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/template.md b/submissions/description/insufficient_security_configurability/no_two_fa/template.md new file mode 100644 index 00000000..eb165742 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/no_two_fa/template.md 
@@ -0,0 +1,13 @@ +The application did not allow users to configure Two Factor Authentication (2FA). + +Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. This increases the complexity of an attacker being able to compromise an account. Consequently, an attacker may take advantage of a lack of 2FA implementation to potentially take over user accounts. + +**Business Impact** + +This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. + +**Proof of Concept (PoC)** + +The following screenshot shows the account management options available to a user. As shown, the user is not provided with the option to configure 2FA: +> +>{{screenshot}} \ No newline at end of file From c5bb68e37ce042adc1ec2ef9cb091ac1e597041f Mon Sep 17 00:00:00 2001 From: BC-Lucille Date: Wed, 16 Oct 2024 14:54:41 +0100 Subject: [PATCH 2/5] Update template.md --- .../no_two_fa/template.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/template.md b/submissions/description/insufficient_security_configurability/no_two_fa/template.md index eb165742..0f9d1a22 100644 --- a/submissions/description/insufficient_security_configurability/no_two_fa/template.md +++ b/submissions/description/insufficient_security_configurability/no_two_fa/template.md 
@@ -1,11 +1,14 @@ The application did not allow users to configure Two Factor Authentication (2FA). -Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. This increases the complexity of an attacker being able to compromise an account. Consequently, an attacker may take advantage of a lack of 2FA implementation to potentially take over user accounts. +2FA adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. This increases the complexity of an attacker being able to compromise an account. Consequently, an attacker may take advantage of a lack of 2FA implementation to potentially take over user accounts. **Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. +**Steps to Reproduce** + + **Proof of Concept (PoC)** The following screenshot shows the account management options available to a user. As shown, the user is not provided with the option to configure 2FA: From 091dac211e6cb859789d9a9524f0041931f24042 Mon Sep 17 00:00:00 2001 From: BC-Lucille Date: Wed, 16 Oct 2024 15:25:21 +0100 Subject: [PATCH 3/5] Create guidance.md --- .../no_two_fa/guidance.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 submissions/description/insufficient_security_configurability/no_two_fa/guidance.md diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md b/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md new file mode 100644 index 00000000..908ac9f2 --- /dev/null +++ b/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md 
@@ -0,0 +1,5 @@ +# Guidance + +Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. + +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file From 3833c17ce1484029b1b6b0a800c8bd043866de88 Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:28:31 +1000 Subject: [PATCH 4/5] Added a new line to each file This satisfies the linting errors. I've also added in some dummy steps to reproduce to keep consistency with other templates. --- .../no_two_fa/guidance.md | 2 +- .../no_two_fa/recommendations.md | 2 +- .../no_two_fa/template.md | 6 ++++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md b/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md index 908ac9f2..ee88d9d2 100644 --- a/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md +++ b/submissions/description/insufficient_security_configurability/no_two_fa/guidance.md 
@@ -2,4 +2,4 @@ Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result. -Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). \ No newline at end of file +Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md b/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md index 91a24de7..1d320d28 100644 --- a/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md +++ b/submissions/description/insufficient_security_configurability/no_two_fa/recommendations.md @@ -1,3 +1,3 @@ **Recommendation(s)** -Implement a 2FA feature for all user accounts and ensure that privileged users are required to configure 2FA. \ No newline at end of file +Implement a 2FA feature for all user accounts and ensure that privileged users are required to configure 2FA. diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/template.md b/submissions/description/insufficient_security_configurability/no_two_fa/template.md index 0f9d1a22..4aa83dc8 100644 --- a/submissions/description/insufficient_security_configurability/no_two_fa/template.md +++ b/submissions/description/insufficient_security_configurability/no_two_fa/template.md 
@@ -7,10 +7,12 @@ The application did not allow users to configure Two Factor Authentication (2FA) This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. **Steps to Reproduce** - +1. Navigate to the following URL: {{URL}} +1. Identify the vulnerability by performing {{action}} +1. Observe the misconfiguration **Proof of Concept (PoC)** The following screenshot shows the account management options available to a user. As shown, the user is not provided with the option to configure 2FA: > ->{{screenshot}} \ No newline at end of file +> {{screenshot}} From f5789a60d214931080a4862ff033623914d6724e Mon Sep 17 00:00:00 2001 From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:47:18 +1000 Subject: [PATCH 5/5] Fixing blanks-around-lists error --- .../insufficient_security_configurability/no_two_fa/template.md | 1 + 1 file changed, 1 insertion(+) diff --git a/submissions/description/insufficient_security_configurability/no_two_fa/template.md b/submissions/description/insufficient_security_configurability/no_two_fa/template.md index 4aa83dc8..589f25bc 100644 --- a/submissions/description/insufficient_security_configurability/no_two_fa/template.md +++ b/submissions/description/insufficient_security_configurability/no_two_fa/template.md @@ -7,6 +7,7 @@ The application did not allow users to configure Two Factor Authentication (2FA) This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. **Steps to Reproduce** + 1. Navigate to the following URL: {{URL}} 1. Identify the vulnerability by performing {{action}} 1. Observe the misconfiguration
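Review bot: In the first template.md hunk (patch 1/5), the sentence "Consequently, an attacker may take advantage of a lack of 2FA implementation to potentially take over user accounts" skips the precondition that makes the finding matter: without a second factor, the account's security rests entirely on the password staying secret. Suggest stating that directly, e.g. "Without 2FA, a user's password alone is sufficient to authenticate, so any password exposed through a credential leak, phishing or reuse across sites gives full access to the account with no further check." While there, "after they have successfully inputted their username and password" reads more naturally as "after they have entered their username and password", and "This increases the complexity of an attacker being able to compromise an account" as "This makes account compromise considerably harder". The file also ends without a trailing newline (the "\ No newline at end of file" marker), which the repository's markdown linting flags; add one in this commit rather than in a follow-up.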
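Review bot: In the recommendations.md hunk (patch 1/5), "privileged users" is left undefined, so triagers and reporters may read it differently; suggest "administrative or otherwise privileged users (for example, accounts that can manage other users, payments or configuration)". The sentence otherwise states the right split, optional 2FA available to every account and enforced for privileged ones, and should be kept. As with template.md, the file lacks a trailing newline and will fail the lint check until one is added.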
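Review bot: In the patch 2/5 hunk, the new "**Steps to Reproduce**" heading is added with no content beneath it, so the template would ship with an empty section. Since the PoC paragraph in the same file already says where the evidence lives ("the account management options available to a user"), placeholder steps can be concrete rather than generic, e.g. "1. Log in to {{URL}} as a standard user", "1. Open the account management or security settings page", "1. Observe that no option to enable 2FA is offered". A markdown list also needs a blank line before it to pass the blanks-around-lists rule, so leave one between the bold heading and the first item.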
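Review bot: In the guidance.md hunk (patch 3/5), "how you exploited the vulnerability" and "Attempt to escalate the vulnerability to perform additional actions" are generic wording that does not fit this finding, whose evidence is the absence of a configuration option rather than an action the reporter performs. Suggest telling the reporter what counts as evidence for this class: a screenshot of the account or security settings showing no 2FA option, which user roles were checked (recommendations.md distinguishes standard from privileged users, so the guidance should ask whether privileged accounts were also examined), and whether the login flow prompted for any second factor. The file also ends without a trailing newline, which is what the later lint fix addresses.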
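Review bot: In the template.md hunk of patch 4/5, the inserted steps "Identify the vulnerability by performing {{action}}" and "Observe the misconfiguration" are placeholders that tell the reporter nothing specific to a missing-2FA finding; the commit message calls them dummy steps, but this template can state them concretely because the location is known (log in, open account management settings, observe that no 2FA option exists), which would also make the PoC screenshot instruction that follows read as the natural output of step 3. The list still directly follows the "**Steps to Reproduce**" heading with the blank line removed in this hunk, which triggers the blanks-around-lists lint error fixed separately in patch 5/5; better to keep the blank line here so the commit is lint-clean on its own. The change from ">{{screenshot}}" to "> {{screenshot}}" and the added trailing newlines across the three files are correct.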