From 03e43382197e9593b85514e8da2d939fefbed38e Mon Sep 17 00:00:00 2001 From: plr0man Date: Thu, 5 Nov 2020 11:07:09 -0600 Subject: [PATCH 1/2] Add OAuth Account Squatting --- CHANGELOG.md | 1 + mappings/cvss_v3/cvss_v3.json | 4 ++++ mappings/remediation_advice/remediation_advice.json | 4 ++++ vulnerability-rating-taxonomy.json | 6 ++++++ 4 files changed, 15 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd1054a3..2590f872 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 - insufficient_security_configurability.verification_of_contact_method_not_required
 - insufficient_security_configurability.weak_two_fa_implementation.two_fa_code_is_not_updated_after_new_code_is_requested
 - insufficient_security_configurability.weak_two_fa_implementation.old_two_fa_code_is_not_invalidated_after_new_code_is_generated
+- server_security_misconfiguration.oauth_misconfiguration.account_squatting
 
 ### Removed
 - insufficient_security_configurability.lack_of_verification_email
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
index b38bba53..7250e660 100644
--- a/mappings/cvss_v3/cvss_v3.json
+++ b/mappings/cvss_v3/cvss_v3.json
@@ -165,6 +165,10 @@
 {
 "id": "account_takeover",
 "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "id": "account_squatting",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
 }
 ]
 },
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index ddcdbf05..56770504 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
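Review bot: The added `account_squatting` vector sets `I:N`, but the remediation text added in the same patch describes the pre-existing (squatter-registered) account remaining usable with its old password after the OAuth merge, which implies the attacker can act in the victim's account, not merely read it; `I:L` looks more consistent with that description, or the reason integrity is excluded should be stated in the PR description. `AC:H` also deserves a sanity check: if the attack is what the remediation text implies, registering a password account under the victim's email before the victim signs up via OAuth, the only real precondition is winning that race, which is not obviously high complexity. If the Low-severity vector is deliberately aligned with the P4 priority given in the taxonomy hunk, saying so in the PR description would save future triagers from re-deriving it.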
@@ -281,6 +281,10 @@
 "https://tools.ietf.org/html/rfc6819"
 ]
 },
+ {
+ "id": "account_squatting",
+ "remediation_advice": "In case of OAuth based account registration, ensure that if there is a preexisting account for the same email address and is to be merged, that it will no longer be accessible with its old password"
+ },
 {
 "id": "missing_state_parameter",
 "remediation_advice": "The OAuth state parameter is a form of CSRF protection, ensure that it is in place and properly validated."
diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
index 040d9600..fe69a2d2 100644
--- a/vulnerability-rating-taxonomy.json
+++ b/vulnerability-rating-taxonomy.json
@@ -292,6 +292,12 @@
 "type": "variant",
 "priority": 2
 },
+ {
+ "id": "account_squatting",
+ "name": "Account Squatting",
+ "type": "variant",
+ "priority": 4
+ },
 {
 "id": "missing_state_parameter",
 "name": "Missing/Broken State Parameter",
From a37143a6a99391154ed907955108eba77e8b0d4a Mon Sep 17 00:00:00 2001 From: plr0man Date: Wed, 18 Nov 2020 10:54:20 -0600 Subject: [PATCH 2/2] Add period at the end of remediation advice --- mappings/remediation_advice/remediation_advice.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index 56770504..f0e048b9 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
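Review bot: The new `account_squatting` advice only requires that the old password stop working after the merge, which leaves everything else the squatter may have attached to the pre-registered account in place: live sessions, API tokens or refresh tokens, 2FA enrolments and recovery contact methods, so invalidating the password alone does not evict the attacker. The stronger remediation is to not link or merge on email match at all unless the address was verified on the pre-existing account, and to revoke every credential and session when a merge is performed. Suggested text: `"remediation_advice": "When an OAuth sign-in matches the email address of a pre-existing account, do not link or merge the accounts unless that address was verified on the pre-existing account. If a merge is performed, invalidate the pre-existing account's password, sessions, API tokens, 2FA enrolments and recovery methods so that nothing set before the merge can still reach the account."`. The current sentence also reads awkwardly (`ensure that if ... and is to be merged, that it will`); the rewrite above fixes that as well.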
@@ -283,7 +283,7 @@
 },
 {
 "id": "account_squatting",
- "remediation_advice": "In case of OAuth based account registration, ensure that if there is a preexisting account for the same email address and is to be merged, that it will no longer be accessible with its old password"
+ "remediation_advice": "In case of OAuth based account registration, ensure that if there is a preexisting account for the same email address and is to be merged, that it will no longer be accessible with its old password."
 },
 {
 "id": "missing_state_parameter",