fix #75 link to real site #88

Merged
merged 1 commit into from
Apr 27, 2023
4 changes: 2 additions & 2 deletions 2023/en/src/0xa9-improper-assets-management.md
Expand Up @@ -48,8 +48,8 @@ An API has a "<ins>data flow blindspot</ins>" if:
A social network implemented a rate-limiting mechanism that blocks attackers
from using brute force to guess reset password tokens. This mechanism wasn't
implemented as part of the API code itself but in a separate component between
the client and the official API (www.socialnetwork.com). A researcher found a
beta API host (www.mbasic.beta.socialnetwork.com) that runs the same API,
the client and the official API (```api.socialnetwork.owasp.org```). A researcher found a
beta API host (```beta.api.socialnetwork.owasp.org```) that runs the same API,
including the reset password mechanism, but the rate-limiting mechanism was not
in place. The researcher was able to reset the password of any user by using
simple brute force to guess the 6 digit token.
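Review bot: The two replaced lines wrap the new hostnames in triple backticks inside running prose (```api.socialnetwork.owasp.org```); inline code in Markdown is conventionally a single backtick pair, and triple backticks inline are easy to misread as the start of a fenced block and are flagged by some linters, so prefer `api.socialnetwork.owasp.org` and `beta.api.socialnetwork.owasp.org`. The substance of the change is sound: moving the example hosts under a domain OWASP controls means readers who follow the names no longer land on an unrelated third-party site, which is what issue #75 asked for; an RFC 2606 reserved domain such as `api.socialnetwork.example` would achieve the same without depending on any DNS, if the other scenarios in this document use that convention.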