rbsec

Results 86 comments of rbsec

This is somewhat covered in the [when to require MFA](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md#when-to-require-mfa) section of the MFA cheat sheet - is this the kind of thing you were thinking? It might make sense...

Are there any situations where you'd have risk based authentication and wouldn't use some form of MFA? If not, I think then we should have a fairly small section about...

CAPTCHA is a good shout as a non-MFA way to make authentication harder - I'd forgotten about that. I'll throw together a PR at some point - I'm generally keen...

@yhojann-cl I don't think I'd agree that XSSI is a vulnerability in the web browser. If we take the [first example in the guide](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/13-Testing_for_Cross_Site_Script_Inclusion#1-sensitive-data-leakage-via-global-variables), exploiting it basically relies on three...

I could see some value in giving some references to examples of the issue, but I think it'd need to be carefully curated. The examples would have to be...

@JCapriotti for reference, elliptical curve should pretty much always be preferred over RSA, and if you do have to use RSA, your keys should always be at least 2048 bits...

As @kingthorin said, the only really reliable way to determine that they're not hashing passwords is if they ever send you *an existing* clear text password. This is probably something that...

Thinking about this, there's a somewhat related issue about [magic hashes](https://github.com/spaze/hashes) that you can test for from a blackbox perspective. It's more about hash comparison than the specific algorithm used,...

The black/white box review stuff doesn't really belong, but there's a load of defensive stuff for Java and .NET. It could certainly do with a cleanup, but I think it...

@ThunderSon I'm happy to, but it'll probably be a little while before I find time for it. But at least leaving it in my issues should stop me forgetting about...