Tested URL : https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/user/pentest-admin
Severity : medium
Criticality Justification
Weak passwords could result in account compromise
Steps To Reproduce
- Login as an admin user.
- Visit the Users and Groups page.
- Edit a user and set their password to a single-character password.
- The password is changed successfully; the request and response are shown in the attached screenshots (https://api.us.cobalt.io/v1/attachments/att_8HxMeEK/preview) (https://api.us.cobalt.io/v1/attachments/att_KYDnDT8/preview).
Suggested Fix
- Implement a strong password policy for all users. Consider implementing a stronger password policy for accounts with Administrative or other elevated privileges.
- Cobalt recommends using the following criteria for a secure password policy:
  - Minimum Length: For standard users, require at least 12 characters. For Administrative users, consider requiring longer passwords, such as 15 or more characters.
  - Mixed Case: Require passwords with a mix of upper and lowercase letters, to increase complexity.
  - Numbers: Require passwords to include at least one number.
  - Special Characters: Require at least one special character, such as !, @, #, $, or %.
  - Passphrases: Do not set a maximum character limit. Encourage users to consider using passphrases, which can create longer, more memorable passwords with high entropy.
  - Password Topology: Check password candidates against commonly used weak passwords, such as "password1" or "winter2022", and reject passwords that contain the user's name, account name, or company name.
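The criteria above, written out as a server-side validation routine. This is an added example, not code from the report or from Nuxeo; the `check_password` helper, the small weak-password blocklist, and the rule that name fragments shorter than three characters are ignored are assumptions made for the illustration. It also covers the single-character case from the reproduction steps, which the routine rejects on four counts.

```python
# Added example: password policy check following the report's recommendations.
# Not Nuxeo code; names, blocklist contents and thresholds are assumptions.

MIN_LENGTH_USER = 12    # standard users
MIN_LENGTH_ADMIN = 15   # administrative / elevated accounts

# Constructed blocklist for the example; a real deployment would load a large
# list of leaked and commonly used passwords instead.
COMMON_WEAK_PASSWORDS = {
    "password1", "winter2022", "123456789012", "qwertyuiop12",
}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Name fragments shorter than this are not searched for, to avoid rejecting
# every password that happens to contain a one- or two-letter initial.
MIN_NAME_FRAGMENT = 3


def check_password(password, username, is_admin=False,
                   display_name="", company_name=""):
    """Return a list of policy violations; an empty list means accepted.

    Rules: minimum length (longer for admins), mixed case, at least one digit,
    at least one special character, no maximum length, and rejection of
    commonly used weak passwords or passwords containing the account name,
    the user's display name or the company name.
    """
    violations = []
    min_len = MIN_LENGTH_ADMIN if is_admin else MIN_LENGTH_USER
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")

    # Topology checks are case-insensitive; there is deliberately no upper
    # length bound, so long passphrases pass as long as they meet the rules.
    lowered = password.lower()
    if lowered in COMMON_WEAK_PASSWORDS:
        violations.append("commonly used weak password")
    for label, token in (("account name", username),
                         ("user name", display_name),
                         ("company name", company_name)):
        if token and len(token) >= MIN_NAME_FRAGMENT and token.lower() in lowered:
            violations.append(f"contains the {label} '{token}'")
    return violations


if __name__ == "__main__":
    # Constructed candidates, including the single-character password
    # accepted by the tested endpoint.
    for pw, user, admin in (("a", "pentest-admin", True),
                            ("Password1", "jdoe", False),
                            ("Correct-Horse-Battery-9!", "jdoe", False)):
        result = check_password(pw, user, is_admin=admin)
        print(f"{pw!r} for {user}: {'accepted' if not result else result}")
```

In a deployment the same routine would run on every password-setting path, including the administrative user-edit flow exercised in the reproduction steps, not only on self-service password changes.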