logging vpcab issue not severe enough #1561

Open
jmanico opened this issue Dec 12, 2024 · 3 comments
Labels
ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet.

Comments

@jmanico (Member) commented Dec 12, 2024

In https://cheatsheetseries.owasp.org/cheatsheets/Logging_Vocabulary_Cheat_Sheet.html

I think that

authn_password_change_fail[:userid]

should be more severe than info, maybe even critical.

@jmanico added the ACK_WAITING, NEW_CS and HELP_WANTED labels Dec 12, 2024

@kwwall (Collaborator) commented Dec 12, 2024

IMO, 'critical' is probably overreacting, especially if the company still has a massive user base along with outdated mandatory password expiration and/or password complexity rules. In such situations, unless you are also comparing the 'New Password' and 'Confirm Password' on the client side (which is advisable, but often not done), you are bound to have a lot of finger farts or violations of the password complexity rules that are still in place. And no one wants to deal with all that noise, especially if it's marked as critical. I personally think just logging it as a warning is adequate. Just my $.02.

@jmanico (Member, Author) commented Dec 12, 2024

Right now it's just info, which I think is not enough. I'd at least like to see this get bumped to warn.

@mackowski (Collaborator) commented

Agree. @jmanico, do you want to make a PR?
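The following is an added example, not code from the cheat sheet or from anyone in this thread. It emits `authn_password_change_fail:userid` as a structured JSON event in the field layout used by the cheat sheet's sample events, with the level set to WARN as proposed above instead of INFO, and adds a detection-side monitor that keeps single typo-driven failures at WARN while returning CRITICAL only when one userid accumulates several failures in a short window, which is one way to reconcile the noise concern raised with the wish for a stronger signal. The `appid`, hostname, request URI, the user `joebob1`, the IP address and the threshold/window values are placeholders chosen for this example; the level-per-event table is a hypothetical subset of the vocabulary, not the cheat sheet's full list.

```python
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Level per event name. Hypothetical subset of the vocabulary; the issue
# argues authn_password_change_fail should be WARN rather than INFO.
EVENT_LEVELS = {
    "authn_password_change": "INFO",
    "authn_password_change_fail": "WARN",
}

_PY_LEVELS = {"INFO": logging.INFO, "WARN": logging.WARNING, "CRITICAL": logging.CRITICAL}


def build_event(event_name, userid, description, source_ip,
                appid="example.accounts", now=None):
    """Assemble one structured event in the cheat sheet's field layout.

    Field names follow the cheat sheet's sample events; appid, hostname and
    request_uri are placeholders for this example, not a real deployment.
    """
    if event_name not in EVENT_LEVELS:
        raise ValueError(f"unknown event name: {event_name}")
    ts = now or datetime.now(timezone.utc)
    return {
        "datetime": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "appid": appid,
        "event": f"{event_name}:{userid}",
        "level": EVENT_LEVELS[event_name],
        "description": description,
        "source_ip": source_ip,
        "hostname": "accounts.example.internal",  # placeholder
        "request_uri": "/account/password",       # placeholder
        "request_method": "POST",
    }


def emit(event, logger=logging.getLogger("owasp.vocabulary")):
    """Write the event as one JSON line at the Python level matching its 'level'."""
    logger.log(_PY_LEVELS[event["level"]], json.dumps(event, separators=(",", ":")))
    return event


class PasswordChangeFailureMonitor:
    """Detection-side escalation (added here, not part of the cheat sheet).

    A single failure stays at its logged level (WARN). Once one userid has
    `threshold` or more failures inside `window_seconds`, observe() returns
    "CRITICAL" so an alert can fire without marking every typo critical.
    """

    def __init__(self, threshold=5, window_seconds=300):
        self.threshold = threshold
        self.window = window_seconds
        self._seen = defaultdict(deque)  # userid -> timestamps in window

    def observe(self, event):
        name, _, userid = event["event"].partition(":")
        if name != "authn_password_change_fail":
            return None
        ts = datetime.fromisoformat(event["datetime"].replace("Z", "+00:00"))
        q = self._seen[userid]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()  # drop failures that fell out of the window
        return "CRITICAL" if len(q) >= self.threshold else None


def simulate_failure_burst(count, spacing_seconds=30, threshold=5, window_seconds=300):
    """Constructed input: `count` failures for one user, `spacing_seconds` apart.

    Returns the monitor's verdict for each event (None or "CRITICAL").
    """
    monitor = PasswordChangeFailureMonitor(threshold, window_seconds)
    base = datetime(2024, 12, 12, 10, 0, tzinfo=timezone.utc)
    verdicts = []
    for i in range(count):
        ev = build_event(
            "authn_password_change_fail", "joebob1",
            "User joebob1 failed to change password: confirmation mismatch",
            "198.51.100.23", now=base + timedelta(seconds=i * spacing_seconds),
        )
        verdicts.append(monitor.observe(emit(ev)))
    return verdicts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    print(simulate_failure_burst(5))
```

Each event is logged at WARN regardless of the monitor's verdict; the CRITICAL escalation is a separate detection outcome, so the raw log stays faithful to the vocabulary while the alerting layer decides what deserves a page. Five failures 30 seconds apart trip the threshold; six failures two minutes apart never hold more than three inside the 300-second window and stay at WARN.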
