[Clarification/For Discussion] Default credentials mean in 2.10.2 #764

Closed
csfreak92 opened this issue May 10, 2020 · 7 comments
Comments

@csfreak92
Collaborator

ASVS 4.0 - 2.10.2 verification requirement is:

Verify that if passwords are required, the credentials are not a default account.

I would like the community/maintainers of this project to clarify what the term "default credentials" means in this control. Does "default credentials" refer to applications that have default credentials after installation? The way I interpreted this is that if an application is deployed/installed and there are default credentials, it fails this verification requirement (e.g. the phpmyadmin application has "root", "admin" or similar default credentials that come with the installation of the application).

If my assumption and thinking are correct, I'll create a Pull Request and link this issue; otherwise, please help me understand this control better. This confuses our team a lot of the time.
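The interpretation above (a deployment fails the requirement if any of its password-authenticated service accounts still carries a vendor or installation default such as root/empty or admin/admin123) can be turned into a pre-start check. The following is an added example written for this discussion, not code from the ASVS project: it assumes a minimal INI-style service configuration (constructed here) and a constructed list of default credential pairs; a real deployment would maintain its own list from the products it actually ships.

```python
"""Deployment-time guard for ASVS 2.10.2 (added example, not ASVS project code).

Refuse a configuration whose password-authenticated service credentials are
empty, match a known vendor/installation default, or are derived from the
username. Sections with no `password` key are assumed (for this example) to
use key- or certificate-based authentication and are not checked.
"""
import re
from dataclasses import dataclass

# Constructed list of default (username, password) pairs for illustration.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "admin123"),
    ("admin", "password"),
    ("root", ""),
    ("root", "root"),
    ("root", "toor"),
}
DEFAULT_PASSWORDS = {pw for _, pw in DEFAULT_CREDENTIALS if pw}

# Constructed sample: three backend services the application connects to.
SAMPLE_CONFIG = """
[database]
user = root
password =

[cache]
user = admin
password = admin123

[queue]
user = svc_queue
password = 7Qx!vR2pLm9
"""


@dataclass(frozen=True)
class Finding:
    section: str
    username: str
    reason: str


def parse_service_config(text):
    """Parse a minimal INI-style document into {section: {key: value}}.

    Only `[section]` headers and `key = value` lines are understood; blank
    lines and `#`/`;` comments are skipped. This format is an assumption of
    the example, not a format ASVS prescribes.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_service_credentials(config):
    """Return one Finding per service account that violates 2.10.2."""
    findings = []
    for section, kv in config.items():
        password = kv.get("password")
        if password is None:
            continue  # assumed non-password authentication; out of scope here
        user = kv.get("user", "")
        if password == "":
            findings.append(Finding(section, user, "empty password"))
        elif (user.lower(), password) in DEFAULT_CREDENTIALS:
            findings.append(Finding(section, user, "matches a known default credential"))
        elif password.lower() == user.lower():
            findings.append(Finding(section, user, "password equals username"))
        elif password in DEFAULT_PASSWORDS:
            findings.append(Finding(section, user, "password is a known default for another account"))
    return findings


def audit(text):
    """Parse and check a configuration document; returns the list of findings."""
    return check_service_credentials(parse_service_config(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.section}] user={f.username!r}: {f.reason}")
```

Run as a startup or CI step, a non-empty result from `audit()` is the signal to abort the deployment before the service account with the default credential is ever exposed.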

@tghosth
Collaborator

tghosth commented May 18, 2020

So I am not sure what this means and I am also struggling to trace it back to the relevant NIST requirement.

@vanderaj it looks like requirement 2.10.2 started life as part of 2.21 added in this commit: e0aa0e6

Any idea if that NIST link to 5.1.1.1 is accurate?

@csfreak92
Collaborator Author

Hi @vanderaj, @tghosth, any updates on this issue? Is there anything needed from my end?

@danielcuthbert
Collaborator

My bad, this was assigned to me and I've stalled. Originally it was just as you said, for example admin/admin123, and in hindsight I can now see how this is actually not helpful in the way it was written. I'd really like to see how you'd make it better, so yeah, please submit a PR.

@csfreak92
Collaborator Author

If there are no more ideas, then alright, I will submit a PR later today. I think there's a way we could make this better.

csfreak92 added a commit to csfreak92/ASVS that referenced this issue Oct 9, 2020
Suggestion to make 2.10.2 better.

This Pull Request relates to issue OWASP#764 as discussed.
@csfreak92
Collaborator Author

@danielcuthbert, I analyzed this requirement further. It looks like it is about service authentication, though this ASVS requirement is still vague, so I created a PR to make it better. Let me know your thoughts on it.

@danielcuthbert
Collaborator

Thank you @csfreak92, I'll check it this weekend!

@tghosth
Collaborator

tghosth commented Oct 19, 2020

Resolved by #848 and #859

@tghosth tghosth closed this as completed Oct 19, 2020