4.3 Identity Management Testing

4.3.1

Identify and document roles used by the application.
Review the granularity of the roles and the needs behind the permissions given

Evidence:

4.3.2

Verify that the identity requirements for user registration are aligned with business and security requirements.

Can anyone register for access? Is it intended?
Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?
Can the same person or identity register multiple times?
Can users register for different roles or permissions?
What proof of identity is required for a registration to be successful?
Are registered identities verified?
Can users registered using weak password policies?
Does the application automatically logs in the new user?

Validate the registration process.

Can identity information be easily forged or faked?
Can the exchange of identity information be manipulated during registration

Evidence:

Determine which roles are able to provision users and what sort of accounts they can provision.

Is there any verification, vetting and authorization of provisioning requests?
Is there any verification, vetting and authorization of de-provisioning requests?
Can an administrator provision other administrators or just users?
Can an administrator or other user provision accounts with privileges greater than their own?
Can an administrator or user de-provision themselves?
How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?

Evidence:

Review processes that pertain to user identification looking for ways to enumerate accounts.

The login error or response time differs from a valid and invalid username?
The login error or response time differs having a valid username but a wrong password?
The password recovery function alerts if the username exists or not? Does it take more time?
During account creation what messages you receive if an account already exists?
Look for other endpoints that might be used for user enumeration.

To obtain a wordlist of existing and not existing emails, you can execute the following command

cat registered_emails.txt | awk -F "@" '{print $1"@"$2"\n"$1"donotexist@"$2}' | xclip -sel clipboard

Evidence:

Last updated 6 months ago

4.3.1

Identify and document roles used by the application.
Review the granularity of the roles and the needs behind the permissions given

Evidence:

4.3.2

Verify that the identity requirements for user registration are aligned with business and security requirements.

Can anyone register for access? Is it intended?
Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?
Can the same person or identity register multiple times?
Can users register for different roles or permissions?
What proof of identity is required for a registration to be successful?
Are registered identities verified?
Can users registered using weak password policies?
Does the application automatically logs in the new user?

Validate the registration process.

Can identity information be easily forged or faked?
Can the exchange of identity information be manipulated during registration

Evidence:

4.3.3

Determine which roles are able to provision users and what sort of accounts they can provision.

Is there any verification, vetting and authorization of provisioning requests?
Is there any verification, vetting and authorization of de-provisioning requests?
Can an administrator provision other administrators or just users?
Can an administrator or other user provision accounts with privileges greater than their own?
Can an administrator or user de-provision themselves?
How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?

Evidence:

4.3.4

Review processes that pertain to user identification looking for ways to enumerate accounts.

The login error or response time differs from a valid and invalid username?
The login error or response time differs having a valid username but a wrong password?
The password recovery function alerts if the username exists or not? Does it take more time?
During account creation what messages you receive if an account already exists?
Look for other endpoints that might be used for user enumeration.

To obtain a wordlist of existing and not existing emails, you can execute the following command

cat registered_emails.txt | awk -F "@" '{print $1"@"$2"\n"$1"donotexist@"$2}' | xclip -sel clipboard

Evidence:

4.3.5

Check if there is any kind of account name structure like “” or “” that could lead to user name enumeration.

Evidence:

4.3.3

4.3.4

4.3.5

Check if there is any kind of account name structure like “” or “” that could lead to user name enumeration.

Identity Management Testing

Test Role Definitions

Test User Registration Process

Test Account Provisioning Process

Testing for Account Enumeration and Guessable User Account

Testing for Weak or Unenforced Username Policy

John.deer@email.com

jdeer@email.com