Fix 1151-2: Added section & info surrounding re-authN for sensitive functionality / identity changes. (#1179)

* Added Identity + Config Change Section

Added the "Authenticated Identity and Configuration Changes" section to ensure any sensitive account changes require re-authentication.

* Added Self to Editors

Included name + username.

---------

Co-authored-by: Rick M <[email protected]>
alp1n3-eth and kingthorin authored Jan 10, 2025
1 parent 2f6c304 commit 580d02b
Showing 2 changed files with 8 additions and 1 deletion.
1 change: 1 addition & 0 deletions document/1-Frontispiece/README.md
Expand Up @@ -61,6 +61,7 @@ This document is released under the [Creative Commons 4.0 License](https://creat
- Asharaf Ali
- Elie Saad
- Eoin Murphy
- Evan Read (alp1n3-eth)
- Francisco Bustos
- frozensolid
- Hsiang-Chih Hsu
Expand Up @@ -163,9 +163,15 @@ Rather than sending them a link or new password, security questions can be used

See the [Testing for Weak Security Questions](08-Testing_for_Weak_Security_Question_Answer.md) guide for further information.

### Authenticated Identity and Configuration Changes

If the application supports the ability to modify an account's primary identifier (such as an email address or phone number) that is utilized in the password change and reset functionalities the user should be forced to re-authenticate. When the primary identifier used in the password change functionality is able to be modified without re-authentication it allows the re-authentication in the password change functionality to be bypassed. Overall, anything that impacts the security of the account (email, MFA, backup settings, etc.) should require re-authentication before it can be modified.

For example: An application has a password reset flow that sends a reset link to the account's email address. The application also requires re-authentication if the password is attempted to be changed from the perspective of an authenticated user. If an attacker gains access to the account (via a stolen cookie, physical access to the computer, etc.) and changes the account's email address without needing to re-authenticate, then the password reset flow can be used to change the password, bypassing the authenticated password change flow.

### Authenticated Password Changes

Once the user has proved their identity (either through a password reset link, a recovery code, or by logging in on the application) they should be able to change their password. The key area to test are:
Once the user has proved their identity (either through a password reset link, a recovery code, or by logging in on the application) they should be able to change their password. The key areas to test are:

- When setting the password, can you specify the user ID?

