Weak Security Question Answer
Check List
Methodology
Black Box
Bypass Security Question Answer
1. Navigate to the target application’s account registration page.
2. Create a new user account and observe the security question setup process.
3. Capture the list of pre-generated security questions presented to the user.
4. Document all available questions and analyze whether they fall into weak categories such as:
   - publicly discoverable information (e.g., favorite movie, date of birth)
   - easily guessable answers (e.g., favorite color)
5. Log out of the account.
6. Navigate to the Forgot Password or account recovery functionality.
7. Initiate a password reset request for the created account.
8. Observe how many security questions must be answered (one or multiple).
9. Attempt to answer the security questions using:
   - publicly available information (e.g., search engines, social media)
   - common wordlists for brute-force attempts
10. Monitor the application’s behavior when submitting incorrect answers: check whether unlimited attempts are allowed.
11. If the application allows self-generated security questions, configure custom questions during account setup.
12. Create weak or trivial self-generated questions (e.g., simple math, username-based, or password-revealing questions).
13. Trigger the password recovery process and confirm that the system uses the weak self-generated questions for verification.
14. Attempt to enumerate usernames and retrieve the associated security questions (if possible).
15. Confirm whether weak security questions and/or insufficient brute-force protections allow bypass of the password reset mechanism.
16. Verify that successful guessing of security question answers results in unauthorized password reset capability.
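The server-side controls that make the checks above fail, as an added example that is not part of the original checklist: a recovery module that rejects self-generated questions falling into the weak categories listed (publicly discoverable, easily guessable, simple math, username-based, password-revealing), stores answers as salted PBKDF2 digests compared in constant time, and locks recovery after a fixed number of wrong answers so unlimited guessing is not possible. The weak-question patterns, MAX_ATTEMPTS and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed patterns covering the weak categories named in the checklist
# (assumption: a real deployment would maintain a broader, reviewed list).
WEAK_PATTERNS = [
    r"favou?rite (colou?r|movie|film|food|team)",  # easily guessable
    r"date of birth|birthday|born",                 # publicly discoverable
    r"password|passphrase|pin",                     # password-revealing
    r"\d+\s*[-+*/]\s*\d+",                          # simple math (2 + 2)
]
MAX_ATTEMPTS = 5           # lockout threshold (assumption)
PBKDF2_ITERATIONS = 100_000

def is_weak_question(question: str, username: str) -> bool:
    """Reject self-generated questions that are trivial or username-based."""
    q = question.lower()
    if username.lower() in q:
        return True
    return any(re.search(p, q) for p in WEAK_PATTERNS)

def normalize(answer: str) -> str:
    """Case/whitespace-insensitive so legitimate users are not locked out by typos in spacing."""
    return " ".join(answer.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class RecoveryRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False

def enroll(answer: str) -> RecoveryRecord:
    """Store only a salted digest of the answer, never the plaintext."""
    salt = secrets.token_bytes(16)
    return RecoveryRecord(salt, hash_answer(answer, salt))

def verify(rec: RecoveryRecord, answer: str) -> bool:
    """Constant-time compare; count failures and lock after MAX_ATTEMPTS."""
    if rec.locked:
        return False
    ok = hmac.compare_digest(rec.digest, hash_answer(answer, rec.salt))
    if ok:
        rec.failures = 0
    else:
        rec.failures += 1
        rec.locked = rec.failures >= MAX_ATTEMPTS
    return ok
```

A locked record should require an out-of-band recovery path (e.g. support verification) rather than a timer that silently resets the counter.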
White Box
Cheat Sheet