A04:2021 – Insecure Design: Easily Phished Communications? #720

Open
llaenowyd opened this issue May 21, 2022 · 1 comment

Comments

@llaenowyd

llaenowyd commented May 21, 2022

Here, halfway down the page under the heading Example Attack Scenarios, are 3 scenarios that would fall into the Insecure Design category.

I've received phishing training at work, and the basic idea is to avoid clicking links in emails, especially if they lead to a login page where you'd put in credentials.

How about on the other end of it: if you have a big customer base who might log in to your application, it might be the most user-friendly workflow to send them an email with a link to have them log in, as they might want to do in response to being notified about a problem or news regarding their user account.

If the application routinely sends out legitimate emails with log in links, I'd speculate it might be 10-100 times more likely to obtain access to an account during a phishing campaign.

I can recall some cases where a company will put out language like, "we will never ask for your login credentials via email." I'm not sure if that's just a good practice or an indication that there is some understanding that there could be a problem with legitimate communications that appear to possibly be phishing attempts.

So I wonder: would this kind of design (routine emails or texts with login links and a call to action to click and sign on) be considered Insecure Design under the OWASP Top 10 categorization?
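An added example, not part of this issue or of the OWASP Top 10 project's material: one design response to the question above is a rule that routine notification email never carries a sign-in link or a "click here to log in" call to action, and such a rule is only useful if something enforces it before templates ship. The Python below is a small outbound-template check that flags links whose path looks like a sign-in page, links to hosts outside an allow-list, and sentences that pair "click" with "log in"/"sign in". The hostnames, the two sample templates and the path patterns are constructed for illustration and are assumptions, not anything from the OWASP page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical allow-list of hostnames the sending application owns (assumption).
TRUSTED_HOSTS = frozenset({"app.example.com", "www.example.com"})

# Absolute URLs in the template body.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# URL paths that look like a credential-collecting page (illustrative list).
LOGIN_PATH_RE = re.compile(
    r"/(log[-_]?in|sign[-_]?in|auth|sso|password|reset)(?=/|$)", re.I
)
# A sentence is a "click to log in" call to action if it contains both.
CLICK_RE = re.compile(r"\bclick", re.I)
SIGNIN_RE = re.compile(r"\b(log|sign)[ -]?in\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "untrusted-host", "login-link" or "login-cta"
    detail: str  # the offending URL or sentence


def audit_notification(body: str, trusted_hosts=TRUSTED_HOSTS) -> list[Finding]:
    """Return policy violations found in an outbound notification template.

    Links to sign-in paths are flagged even on trusted hosts: the concern in
    the issue is that legitimate login links train users to click, not only
    that a link might point somewhere untrusted.
    """
    findings: list[Finding] = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in trusted_hosts:
            findings.append(Finding("untrusted-host", url))
        if LOGIN_PATH_RE.search(parsed.path):
            findings.append(Finding("login-link", url))
    for sentence in re.split(r"[.!?\n]+", body):
        if CLICK_RE.search(sentence) and SIGNIN_RE.search(sentence):
            findings.append(Finding("login-cta", sentence.strip()))
    return findings


# Constructed sample templates (not real mail from any vendor).
PHISH_PRONE_TEMPLATE = """Hi Pat,
There is a problem with your account. Please click here to log in and review it:
https://app.example.com/login?next=/account/alerts
Thanks, The Example Team"""

# Same notification with no link and no credential call to action: the user is
# told how to reach the alert on their own and given a reference they can quote.
SAFER_TEMPLATE = """Hi Pat,
There is a new alert on your account (reference ALERT-48213).
We will never ask for your password or send you a login link by email.
To review it, open the Example app from your bookmark or type app.example.com into your browser, then go to Account > Alerts.
Thanks, The Example Team"""


if __name__ == "__main__":
    for name, template in (("phish-prone", PHISH_PRONE_TEMPLATE), ("safer", SAFER_TEMPLATE)):
        print(f"{name}: {[(f.kind, f.detail) for f in audit_notification(template)]}")
```

Run it as a unit test over the template directory in CI, or as a pre-send hook, so a new "click here to sign in" template fails the build rather than reaching customers. The patterns are deliberately narrow; widen them to match your own URL scheme and wording, and keep the trusted-host check even though it is not the main point, because an untrusted host in a legitimate template is exactly what a phishing kit will later imitate.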

@puneeth072003

@llaenowyd Happy to work on this issue, just tell me what I should do.
