The change-password form on a larger supplements website lacks the security feature of requiring the user to enter their existing password. At the moment the user can simply set a new password without knowing the existing one.
If a user leaves their computer unattended for a few minutes (while logged in), we don’t want someone else to be able to walk by and quickly change their password. For one thing, this would allow the attacker to change the associated email address, too, and now the legitimate owner is never getting his/her account back.
Authentication combines something you know (e.g., a password or passphrase) and/or something that identifies you (e.g., a user name, fingerprint, voiceprint, or retina scan). Both something you know and something that identifies you are presented for authentication.
Add “current password” field to “change password form”
That is pretty standard design for most sites, and is especially important at sites where you are kept logged in (even after the browser is closed).
Reply Regarding This Issue
The reply came within half an hour and was very friendly. They even rewarded me with discount points for the site, which I was very happy with.
Here the attacker attempts to gain access to the victim's account by forcing the victim to change his/her password to one the attacker has selected.
- The attacker sends a phishing email to the victim congratulating him on winning the employee of the year award.
- The victim clicks the link to accept the prestigious award!
- The attacker has successfully tricked the victim into changing his/her account password.
- Once this is achieved the attacker can access the victim's account, steal sensitive data, transfer money, or even change the password of the account again and maintain access. 🙂
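The fix proposed above (a "current password" field) also defeats the forged-link scenario in the steps just listed, because a request that only carries the attacker-chosen new password cannot prove knowledge of the existing one. The following is an added example, not code from the site in question, using a constructed in-memory user store and PBKDF2 hashing; the function names are hypothetical:

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, pbkdf2 hash).
USERS: dict[str, tuple[bytes, bytes]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    salt, stored = USERS[username]
    # Constant-time comparison so a timing difference does not leak hash bytes.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def change_password_weak(session_user: str, new_password: str) -> bool:
    """The form as found: anyone holding the logged-in session can set a new
    password. A walk-by attacker or a forged request from a phishing link
    succeeds without knowing the current password."""
    salt = os.urandom(16)
    USERS[session_user] = (salt, _hash_password(new_password, salt))
    return True


def change_password(session_user: str, current_password: str,
                    new_password: str) -> bool:
    """Hardened form: the request must prove knowledge of the existing
    password before the stored hash is replaced."""
    if not verify_password(session_user, current_password):
        return False  # attacker-supplied request does not know it: rejected
    salt = os.urandom(16)
    USERS[session_user] = (salt, _hash_password(new_password, salt))
    return True
```

The hardened handler only returns True when the caller presents the existing password, so a request crafted by someone who merely found the session open cannot take over the account.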
Content Security Policy is a new addition to the web platform that promises to mitigate the risk of XSS attacks by giving admins control over the data and code to be allowed to run on their site.
- Another layer in a website's defenses: browser-enforced restrictions against external resources or unauthorized scripting.
- Extra response header instructs browsers to enforce a policy.
- Involves deciding what policies you want to enforce, then configuring them and using the X-Content-Security-Policy header (the early experimental name; the standardized header is Content-Security-Policy) to establish your policy.
- Best used as defense-in-depth: a declarative policy that lets admins inform the client about the sources from which the application expects to load resources.
- Mitigates XSS: an application can declare that it only expects scripts from trusted sources.
- Allows the client to detect and block malicious scripts injected into the application by an attacker.