# Test User Registration Process (WSTG-IDNT-02) | ID | | ------------ | | WSTG-IDNT-02 | ## Summary Some websites offer a user registration process that automates (or semi-automates) the provisioning of system access to users. The identity requirements for access vary from positive identification to none at all, depending on the security requirements of the system. Many public applications completely automate the registration and provisioning process because the size of the user base makes it impossible to manage manually. However, many corporate applications will provision users manually, so this test case may not apply. ## Test Objectives * Verify that the identity requirements for user registration are aligned with business and security requirements. * Validate the registration process. ## How to Test Verify that the identity requirements for user registration are aligned with business and security requirements: 1. Can anyone register for access? 2. Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met? 3. Can the same person or identity register multiple times? 4. Can users register for different roles or permissions? 5. What proof of identity is required for a registration to be successful? 6. Are registered identities verified? Validate the registration process: 1. Can identity information be easily forged or faked? 2. Can the exchange of identity information be manipulated during registration? ### Example In the WordPress example below, the only identification requirement is an email address that is accessible to the registrant. ![WordPress Registration Page](https://2155402958-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2nOx8D1TbCQfDcSK4OoH%2Fuploads%2Fgit-blob-a4df0fc395225da42cf12afb29e2ae72a23fb0fe%2FWordpress_registration_page.jpg?alt=media)\ \&#xNAN;*Figure 4.3.2-1: WordPress Registration Page* In contrast, in the Google example below the identification requirements include name, date of birth, country, mobile phone number, email address and CAPTCHA response. While only two of these can be verified (email address and mobile number), the identification requirements are stricter than WordPress. ![Google Registration Page](https://2155402958-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F2nOx8D1TbCQfDcSK4OoH%2Fuploads%2Fgit-blob-a853ad539b25e1bf60917bdf2bebdb87ffe65f2e%2FGoogle_registration_page.jpg?alt=media)\ \&#xNAN;*Figure 4.3.2-2: Google Registration Page* ## Remediation Implement identification and verification requirements that correspond to the security requirements of the information the credentials protect. ## Tools A HTTP proxy can be a useful tool to test this control. ## References [User Registration Design](https://mashable.com/2011/06/09/user-registration-design/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://owasp.boireau.io/4-web_application_security_testing/03-identity_management_testing/02-test_user_registration_process.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.