Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand security considerations section #19

Open
hober opened this issue May 6, 2020 · 1 comment
Open

Expand security considerations section #19

hober opened this issue May 6, 2020 · 1 comment
Assignees
@hober

Comments

@hober
Copy link
Member

hober commented May 6, 2020

@terriko raised this concern on public-webappsec:

I do wonder if we should (non-normatively) mention the concern that having a well-known password change url could be used for nefarious purposes (e.g. sending a lot of emails, denial of service if there’s a rate limit on password changes, authentication attacks against security questions, etc.).
@hober hober self-assigned this May 6, 2020
@nsonaniya2010
Copy link

Missing Function Level Access Control issue. Possibly this functionality may be hidden till user is privileged. and Hence, this allows a low privileged, or unprivileged user to access restricted functionality in the application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hober hober

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hober @nsonaniya2010