E-Arogya

Weak Password Policy (Repeated) given repeated in doc but its new
observation : Repeated
CWE : CWE-521
Description :
A weak password policy leaves sensitive data vulnerable to unauthorized access,
increases the risk of security breaches, and can lead to non-compliance with regulations.
It exposes organizations to reputational damage, financial losses, and undermines trust
with stakeholders.
Affected Path(s) :
https://his-user-management-service.satragroup.in/changepassword *-Applicable to
entire application
Impact :
Not implementing a proper password policy, could allow the users to set very easy
password that help the attackers to perform the dictionary attacks and gain access to the
user accounts
Evidence/Proof Of Concept :
Step 1: Password Policy not implemented as shown in below screenshot.

Step 2: Password Policy not implemented as shown in below screenshot

Recommendation :
Implement a strong password policy that contains:
1. one capital letter
2. one number
3. Minimum 10 characters
4. One special character.
Reference Links:
1. https://www.owasp.org/index.php/Testing_for_default_credentials_(OTGAUTHN-002)
2. https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTGAUTHN-007)
3. https://www.owasp.org/index.php/Testing_for_Weak_or_unenforced_username_
policy_(OTG-IDENT-005)
4. https://www.us-cert.gov/ncas/alerts/TA13-175