4.3 Identity Management Testing

Identity Management Testing

4.3.1 Test Role Definitions

• Identify and document roles used by the application.

• Review the granularity of the roles and the needs behind the permissions given

Evidence:

​

4.3.2 Test User Registration Process

Verify that the identity requirements for user registration are aligned with business and security requirements.

• Can anyone register for access? Is it intended?

• Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?

• Can the same person or identity register multiple times?

• Can users register for different roles or permissions?

• What proof of identity is required for a registration to be successful?

• Are registered identities verified?

• Can users registered using weak password policies?

• Does the application automatically logs in the new user?

Validate the registration process.

• Can identity information be easily forged or faked?

• Can the exchange of identity information be manipulated during registration

Evidence:

4.3.3 Test Account Provisioning Process

Determine which roles are able to provision users and what sort of accounts they can provision.

• Is there any verification, vetting and authorization of provisioning requests?

• Is there any verification, vetting and authorization of de-provisioning requests?

• Can an administrator provision other administrators or just users?

• Can an administrator or other user provision accounts with privileges greater than their own?

• Can an administrator or user de-provision themselves?

• How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?

Evidence:

4.3.4 Testing for Account Enumeration and Guessable User Account

Review processes that pertain to user identification looking for ways to enumerate accounts.

• The login error or response time differs from a valid and invalid username?

• The login error or response time differs having a valid username but a wrong password?

• The password recovery function alerts if the username exists or not? Does it take more time?

• During account creation what messages you receive if an account already exists?

• Look for other endpoints that might be used for user enumeration.

To obtain a wordlist of existing and not existing emails, you can execute the following command

Evidence:

4.3.5 Testing for Weak or Unenforced Username Policy

Check if there is any kind of account name structure like “[email protected]” or “[email protected]” that could lead to user name enumeration.

Evidence: