Report on Application Security Testing


---

Observations

1. The application is not vulnerable to OTP brute-force attacks: automated attempts to guess an OTP are stopped before the code space can be searched.


2. The activation link remains valid for 7 days, but the activation session is not invalidated after 10 minutes of inactivity. An idle activation session therefore stays usable for the full lifetime of the link, which is a security risk.


3. The OTP can be resent at most three times. This limits abuse of the resend function, but it may hinder legitimate users who do not receive the OTP.


4. When the activation session cookie is presented from a different browser, the activation process restarts from the beginning even though the OTP was already verified in the first browser. This indicates inadequate session management.


5. Locking an account that has not yet been activated has no practical value, since the account is not yet usable by anyone.


6. Once activated, the account is locked for 15 minutes after multiple failed OTP attempts, and an email notification is sent to the user.


7. Expired OTPs are correctly rejected, so they cannot be replayed for unauthorized access.
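To make observations 1 to 7 concrete, the following is an added example, not code from the tested application or from the report: a small Python model of the activation/OTP state machine that enforces the 7-day link lifetime, the 10-minute inactivity invalidation recommended in observation 2, the three-resend cap, rejection of expired OTPs, and the 15-minute post-activation lockout with a notification. The OTP lifetime (5 minutes), the failure threshold (5 wrong guesses per OTP), and the in-memory notification list standing in for the email sender are assumptions; the report does not state them. The caller supplies the clock so the expiry rules can be exercised offline, and guesses_before_exhaustion() shows why the flow is not brute-forceable: the resend cap and per-OTP failure cap bound an attacker to a few dozen guesses per activation link.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Values taken from the report's observations.
LINK_TTL = 7 * 24 * 3600      # activation link valid for 7 days
INACTIVITY_TTL = 10 * 60      # invalidate an idle activation session after 10 minutes
MAX_RESENDS = 3               # the OTP may be resent at most three times
LOCKOUT = 15 * 60             # activated accounts lock for 15 minutes after repeated failures

# Assumed values; the report does not state them.
OTP_TTL = 5 * 60              # lifetime of a single OTP
MAX_FAILURES = 5              # wrong guesses tolerated per OTP before it is discarded


@dataclass
class OtpState:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpSession:
    """Server-side state for one activation session (or, once activated, a login OTP session).

    'now' is passed in by the caller so the time-based rules can be tested deterministically.
    """
    email: str
    created_at: float
    last_activity: float
    otp: Optional[OtpState] = None
    sends: int = 0                 # total OTP sends; the first is free, the rest are resends
    activated: bool = False
    locked_until: float = 0.0
    notifications: List[str] = field(default_factory=list)  # stand-in for the email sender (assumption)

    def _check_alive(self, now: float) -> None:
        """Apply the link-lifetime, inactivity and lockout rules, then record activity."""
        if not self.activated and now - self.created_at > LINK_TTL:
            raise PermissionError("activation link expired (7 days)")
        if now - self.last_activity > INACTIVITY_TTL:
            raise PermissionError("session invalidated after 10 minutes of inactivity; restart activation")
        if now < self.locked_until:
            raise PermissionError("account locked; retry after the 15-minute lockout")
        self.last_activity = now

    def send_otp(self, now: float) -> str:
        """Issue a fresh OTP. One initial send plus at most MAX_RESENDS resends are allowed."""
        self._check_alive(now)
        if self.sends >= 1 + MAX_RESENDS:
            raise PermissionError("OTP resend limit reached")
        self.sends += 1
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.otp = OtpState(code=code, issued_at=now)
        return code

    def verify(self, code: str, now: float) -> bool:
        """Check a submitted OTP. Expired or never-issued OTPs are rejected outright."""
        self._check_alive(now)
        if self.otp is None or now - self.otp.issued_at > OTP_TTL:
            self.otp = None
            raise PermissionError("OTP expired or not issued; request a new one")
        if hmac.compare_digest(self.otp.code, code):   # constant-time comparison
            self.otp = None
            self.activated = True
            return True
        self.otp.attempts += 1
        if self.otp.attempts >= MAX_FAILURES:
            self.otp = None   # this OTP can no longer be guessed; a (rate-capped) resend is required
            if self.activated:
                # Post-activation only (observations 5 and 6): lock for 15 minutes and notify the user.
                self.locked_until = now + LOCKOUT
                self.notifications.append(
                    f"to {self.email}: repeated failed OTP attempts, account locked for 15 minutes")
        return False


def guesses_before_exhaustion(now: float = 0.0) -> int:
    """Count the wrong guesses an attacker can make against one activation link before
    the resend cap ends the flow. With the values above this is (1 + 3) * 5 = 20 guesses
    against a space of 10**6 codes, which is why observation 1 holds."""
    session = OtpSession(email="user@example.test", created_at=now, last_activity=now)
    guesses = 0
    while True:
        try:
            code = session.send_otp(now)
        except PermissionError:
            return guesses
        wrong = "000000" if code != "000000" else "000001"   # guaranteed-wrong guess
        while session.otp is not None:
            session.verify(wrong, now)
            guesses += 1
```

The model treats the inactivity timeout as part of the same check as the link lifetime and the lockout, so an idle session is rejected on its next request regardless of which step it reached; that is the behaviour observation 2 found missing. Binding the OTP state to the server-side session rather than to the browser is also what lets a second browser that presents the same session cookie continue rather than restart, which is the gap observation 4 describes.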




---

Conclusion

While the application is robust against OTP brute-force attacks and correctly rejects expired OTPs, its session management and account lock behaviour require improvement. The failure to invalidate idle activation sessions, and the inconsistent handling of the activation session across browsers, pose a security risk, and locking unactivated accounts serves no purpose. Invalidating idle sessions and refining the account lock behaviour will further secure the application.
