Authentication / Weak Security Question Answer
Description
Weak Security Question Answer (CWE-640, Weak Password Recovery Mechanism for Forgotten Password) is an authentication weakness in which the answer to a security question can be guessed, enumerated or looked up, so that an attacker who does not know the user's password can still pass the check. It is most often found in web and API applications that use security questions for password recovery or as an additional authentication step. As the OWASP Testing Guide notes, weak security questions are those whose answers are easy to guess or are publicly available, such as the user's birthdate or hometown.
Risk
The risk is that an attacker who can guess or look up the answer bypasses the credential check entirely, typically by resetting the password through the recovery flow, and can then read or modify the account's data. A risk assessment should consider how small the answer space is (a birthdate has only tens of thousands of possible values), whether the answer can be found on social media or in public records, and whether the application rate-limits or locks out repeated wrong answers.
Solution
Treat security questions as a weak factor and never as the only gate to an account. Prefer questions whose answers are private to the user and have many possible values (details of the user's own past rather than public biography), allow free-form answers, and reject enrolment of answers that match facts the application already holds about the user, such as birthdate, hometown or e-mail address. Store answers as you would passwords, salted and hashed, compare them in constant time, and rate-limit or lock out repeated failures. Where possible, pair the question with a second channel such as a reset token sent to a verified e-mail address or phone.
Example
The following example code shows a web application which uses a weak security question to authenticate a user:
// Deliberately weak: the expected answer is the user's birthdate, a public
// fact with a small answer space, compared as plaintext with no attempt limit.
function checkSecurityQuestion(user, securityQuestionAnswer) {
  if (user.birthdate == securityQuestionAnswer) {
    user.authenticated = true;
  } else {
    user.authenticated = false;
  }
}
In this example the security question is the user's birthdate, which is easy to guess and often public. The answer is also compared as plaintext with no limit on attempts, so an attacker can simply enumerate every plausible date.