
Suggest to prevent using internet valid domain names as default user’s email #719

Closed
SajjadPourali opened this issue Feb 21, 2020 · 13 comments

@SajjadPourali (Contributor)

Would you mind if we add the following threat as new verification item?
https://medium.com/@SajjadPourali/do-not-use-internet-valid-domain-names-as-default-users-email-e-g-host-change-me-309213dffb8a

@tghosth (Collaborator)

tghosth commented Mar 13, 2020

I think this is an interesting point. Please can you prepare a draft requirement, bearing in mind we try to create "positive" requirements.

@tghosth tghosth added the 2) Awaiting response Awaiting a response from the original poster label Apr 12, 2020
@SajjadPourali (Contributor, Author)

SajjadPourali commented May 12, 2020

Since the description must be clear and should not have any conflict with email registration services, in my opinion, the following requirement is sufficient.

Verify that if the application automatically fills the email inputs, it only suggests the email addresses with the ".invalid" extension.

According to RFC 2606, only the ".invalid" extension is an appropriate candidate.

@tghosth (Collaborator)

tghosth commented May 18, 2020

Ok so maybe:

Verify that where an application automatically provides a default value for email, it uses an email address value with a ".invalid" extension to avoid a collision with a valid email address.

Nice use of RFC :)

Where should this go in the ASVS?
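The two drafts above (only suggest ".invalid" addresses; use a ".invalid" value wherever a default email is provided) can be checked mechanically in seed data or installer settings. The following is an added example written for this thread, not code from the ASVS project or from the linked blog post. It classifies an address by whether its domain is on the ".invalid" TLD, on one of the other names RFC 2606 reserves (.test, .example, .localhost, example.com/.net/.org), or on an internet-valid domain, and then scans a constructed block of "key = value" settings (hypothetical keys) for email defaults that do not meet the ".invalid" draft. The RFC 2606 set is a generalization beyond the ".invalid"-only wording in the thread and is reported as a separate, weaker class.

```python
"""Added example (not part of the ASVS issue thread): flag default /
placeholder email values whose domain could receive mail on the public
internet.

RFC 2606 reserves the TLDs .test, .example, .invalid and .localhost and the
second-level names example.com / example.net / example.org. The draft
requirement in the thread asks specifically for ".invalid"; that case is
reported strictly, the other reserved names are a labelled weaker class.
"""
import re
from typing import List, Tuple

RFC2606_RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RFC2606_RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}

# Deliberately loose: one "@", no whitespace on either side. This is a
# placeholder check, not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def classify_default_email(addr: str) -> str:
    """Return 'invalid-tld', 'rfc2606-reserved', 'internet-valid' or 'malformed'."""
    m = _EMAIL_RE.match(addr.strip())
    if not m:
        return "malformed"
    domain = m.group(1).lower().rstrip(".")   # tolerate a trailing dot
    labels = domain.split(".")
    if labels[-1] == "invalid":
        return "invalid-tld"
    if labels[-1] in RFC2606_RESERVED_TLDS or domain in RFC2606_RESERVED_DOMAINS:
        return "rfc2606-reserved"
    return "internet-valid"


# Constructed sample of "key = value" settings standing in for an installer
# config or a database seed script. Keys are hypothetical; changeme.ir is
# the domain named in the thread, the others are RFC 2606 reserved names.
SAMPLE_SETTINGS = """
admin_email = admin@changeme.ir
support_email = support@example.com
noreply_email = noreply@localhost
fallback_email = changeme@changeme.invalid
broken_email = not-an-address
"""

# Matches setting keys that contain "email" / "e-mail" in any casing.
_EMAIL_KEY_RE = re.compile(r"^\s*(\w*e-?mail\w*)\s*=\s*(\S+)\s*$", re.IGNORECASE)


def find_risky_defaults(settings_text: str) -> List[Tuple[str, str, str]]:
    """Scan settings lines and return (key, value, classification) for every
    email-like default that does NOT use the .invalid TLD (malformed values
    are reported too, since they hide a typo rather than a safe placeholder)."""
    findings = []
    for line in settings_text.splitlines():
        m = _EMAIL_KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        cls = classify_default_email(value)
        if cls != "invalid-tld":
            findings.append((key, value, cls))
    return findings


if __name__ == "__main__":
    for key, value, cls in find_risky_defaults(SAMPLE_SETTINGS):
        print(f"{key}: {value!r} -> {cls}")
```

Run as a script it prints the four defaults that would fail the ".invalid" draft; only `fallback_email` passes. Whether the `rfc2606-reserved` class should pass or fail is a policy choice for whoever adopts the requirement; the function keeps it distinct so both readings can be enforced.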

@jmanico (Member)

jmanico commented May 18, 2020 via email

@vanderaj vanderaj added this to the 4.1 milestone Jun 23, 2020
@vanderaj (Member)

This is a new requirement and thus is a 4.1 issue, not a 4.0.2 bug fix

@jmanico (Member)

jmanico commented Mar 12, 2021

Hey @SajjadPourali we are ready for a PR on this one!

@SajjadPourali (Contributor, Author)

> Hey @SajjadPourali we are ready for a PR on this one!

Absolutely

@elarlang (Collaborator)

Never met this problem in my life. Is it worth a requirement in ASVS?

@SajjadPourali (Contributor, Author)

SajjadPourali commented Mar 13, 2021

> Never met this problem in my life. Is it worth a requirement in ASVS?

It's not frequent, but I have faced it more than five times with different domain names, including changeme.ir.
In my opinion, it is worth it. Take a search on haveibeenpwned.com and GitHub with "[email protected]" and "[email protected]".

@jmanico (Member)

jmanico commented Mar 13, 2021

I am a bit skeptical of this requirement as well @elarlang - it seems very esoteric.

@elarlang (Collaborator)

It's interesting and worth being in a testing guide etc., but if the examples are "[email protected]" then it actually means that nothing depends on those values.
Personally I cannot see any reason why email should/can have some default value. To avoid incorrect values, the requirement should be "Verify that e-mail fields do not have a default value filled" or something like that.
If e-mail is/can be used for authentication (or for password recovery), e-mail must be verified, which avoids the need for the proposed requirement.

@SajjadPourali (Contributor, Author)

SajjadPourali commented Mar 13, 2021

> It's interesting and worth being in a testing guide etc., but if the examples are "[email protected]" then it actually means that nothing depends on those values.
> Personally I cannot see any reason why email should/can have some default value. To avoid incorrect values, the requirement should be "Verify that e-mail fields do not have a default value filled" or something like that.
> If e-mail is/can be used for authentication (or for password recovery), e-mail must be verified, which avoids the need for the proposed requirement.

I agree with your statement. From my point of view, temporary situations are the reason that someone uses a default value.
For example: in the development process, developers might not know the application owner's mail and set a default value, such as the DNN case, which I have already mentioned in my blog; or sysadmins' mistakes.

IMO it's better to change it to something like this: Prevent users' login until email verification if e-mail is/can be used for authentication or for password recovery, unless the domain extension is ".invalid".

@danielcuthbert (Collaborator)

We've added a requirement of validating e-mail addresses based upon your suggestions. This has been added to 5.1.4. If you feel it should go deeper, please re-open this with an example you feel would be suitable.


6 participants