# 4.3 Identity Management Testing

## [Identity Management Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/README)

## 4.3.1 [Test Role Definitions](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/01-Test_Role_Definitions)

* [ ] Identify and document roles used by the application.
* [ ] Review the granularity of the roles and the needs behind the permissions given

**Evidence**:

```
​
```

## 4.3.2 [Test User Registration Process](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/02-Test_User_Registration_Process)

Verify that the identity requirements for user registration are aligned with business and security requirements.

* [ ] Can anyone register for access? Is it intended?
* [ ] Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?
* [ ] Can the same person or identity register multiple times?
* [ ] Can users register for different roles or permissions?
* [ ] What proof of identity is required for a registration to be successful?
* [ ] Are registered identities verified?
* [ ] Can users registered using weak password policies?
* [ ] Does the application automatically logs in the new user?

Validate the registration process.

* [ ] Can identity information be easily forged or faked?
* [ ] Can the exchange of identity information be manipulated during registration

**Evidence**:

```
​
```

## 4.3.3 [Test Account Provisioning Process](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/03-Test_Account_Provisioning_Process)

Determine which roles are able to provision users and what sort of accounts they can provision.

* [ ] Is there any verification, vetting and authorization of provisioning requests?
* [ ] Is there any verification, vetting and authorization of de-provisioning requests?
* [ ] Can an administrator provision other administrators or just users?
* [ ] Can an administrator or other user provision accounts with privileges greater than their own?
* [ ] Can an administrator or user de-provision themselves?
* [ ] How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?

**Evidence**:

```
​
```

## 4.3.4 [Testing for Account Enumeration and Guessable User Account](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account)

Review processes that pertain to user identification looking for ways to enumerate accounts.

* [ ] The login **error** or **response time** differs from a valid and invalid username?
* [ ] The login **error** or response time differs having a valid username but a wrong password?
* [ ] The password recovery function alerts if the username exists or not? Does it take more time?
* [ ] During account creation what messages you receive if an account already exists?
* [ ] Look for other endpoints that might be used for user enumeration.

To obtain a wordlist of existing and not existing emails, you can execute the following command

```bash
cat registered_emails.txt | awk -F "@" '{print $1"@"$2"\n"$1"donotexist@"$2}' | xclip -sel clipboard
```

**Evidence**:

```
​
```

## 4.3.5 [Testing for Weak or Unenforced Username Policy](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/05-Testing_for_Weak_or_Unenforced_Username_Policy)

Check if there is any kind of account name structure like “<John.deer@email.com>” or “<jdeer@email.com>” that could lead to user name enumeration.

**Evidence**:

```
​
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://the-pentesting-guide.marmeus.com/web-owasp-test-cases/4.3-identity-management-testing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.