Hacking a Web Application: Authentication (Part 1)

Want to learn more about web application hacks and authentication? Check out this post to gain valuable insight into testing password quality, username enumeration, and password guessing.

by Austin Songer · Sep. 15, 18 · Presentation

Test Password Quality

  • Review the password requirements the application states (minimum length, required character classes, and so on).
  • Attempt to set various kinds of weak passwords, using any self-registration or password change function, to establish the rules that are actually enforced as opposed to those that are merely documented.
  • Test for incomplete validation of credentials: set a strong, complex password, then attempt to log in using variations of it, such as removing the last character, changing the case of a character, and removing any special characters. If any variant still logs in, the server is checking only part of the credential.
  • Having established the minimum password quality rules and the extent to which passwords are actually validated, identify the range of values a password-guessing attack would need to cover to have a good probability of success.
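The four steps above, as an added example that is not part of the original post. The target is a constructed mock (MockAccount) whose change-password form enforces "8+ characters, letters and digits" but silently truncates the stored value to 8 characters and compares it case-insensitively; the helper functions probe which rules are enforced, which credential variants still log in, and how large the resulting guessing space really is. The candidate passwords and the policy are assumptions chosen to isolate one rule each.

```python
import string

# Constructed stand-in for the target's "change password" and "login" handlers.
# It models a weakness seen in real applications: the form enforces
# "at least 8 characters, with letters and digits", but the stored credential
# is truncated to 8 characters and compared case-insensitively, so the
# advertised rules are stronger than the validation actually performed.
class MockAccount:
    def __init__(self):
        self.stored = None

    @staticmethod
    def _normalise(pw):
        return pw[:8].lower()  # the hidden weakness: truncation + case folding

    def set_password(self, pw):
        if len(pw) < 8:
            return False
        if not any(c.isalpha() for c in pw) or not any(c.isdigit() for c in pw):
            return False
        self.stored = self._normalise(pw)
        return True

    def login(self, pw):
        return self.stored is not None and self._normalise(pw) == self.stored


# One weak candidate per rule under test, so each result isolates one rule.
# Labels and values are assumptions for this example.
WEAK_CANDIDATES = {
    "short": "Ab1!",
    "lowercase_only": "abcdefgh",
    "no_digit": "Abcdefgh",
    "digits_only": "12345678",
    "dictionary_word": "password1",
    "contains_username": "alice123",
}


def probe_policy(set_password):
    """Map each weak-password label to whether the application accepted it."""
    return {label: set_password(pw) for label, pw in WEAK_CANDIDATES.items()}


def probe_validation(set_password, login, strong="Tr0u&4dor3xyz"):
    """Set a strong password, then log in with mangled variants of it.

    Any variant that still logs in shows the server is not validating the
    whole credential (truncation, case folding, stripped characters).
    """
    if not set_password(strong):
        raise ValueError("strong password was rejected; pick one the policy accepts")
    variants = {
        "exact": strong,
        "last_char_removed": strong[:-1],
        "case_flipped": strong.swapcase(),
        "specials_removed": "".join(c for c in strong if c not in string.punctuation),
        "truncated_to_8": strong[:8],
    }
    return {label: login(v) for label, v in variants.items()}


def effective_keyspace(effective_length, case_sensitive, specials_count):
    """Number of distinct passwords a guessing attack must cover, given what
    the server actually checks: length after truncation, whether case matters,
    and whether special characters matter."""
    alphabet = 10 + (52 if case_sensitive else 26)
    if specials_count:
        alphabet += len(string.punctuation)
    return alphabet ** effective_length


if __name__ == "__main__":
    acct = MockAccount()
    print("enforced rules:", probe_policy(acct.set_password))
    result = probe_validation(acct.set_password, acct.login)
    print("variants that still log in:", result)
    # Derive what the server really compares from the variants that succeeded.
    length = 8 if result["truncated_to_8"] else 13
    case_sensitive = not result["case_flipped"]
    specials = not result["specials_removed"]
    print("effective keyspace :", effective_keyspace(length, case_sensitive, specials))
    print("advertised keyspace:", effective_keyspace(13, True, True))
```

Against a real target, replace the two MockAccount methods with wrappers around the application's change-password and login requests; the probe functions only need callables that return True or False. The keyspace comparison is the point of the last step: here the advertised 13-character, mixed-case, special-character password collapses to a 36- or 68-symbol alphabet of length 8, which is what a guessing attack actually has to cover.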

Test for Username Enumeration

  • Identify every location within the various authentication functions where a username is submitted, whether via an on-screen input field, a hidden form field, or a cookie. Common locations include the primary login, self-registration, password change, logout, and account recovery functions.
  • For each location, submit two requests containing a valid and an invalid username. Review every detail of the server's responses to each pair of requests, including the HTTP status code, any redirects, information displayed on-screen, any differences hidden in the HTML page source, and the time taken for the server to respond.
  • If you observe any difference between the responses for a valid and an invalid username, repeat the test with a different pair of values to confirm that a systematic difference exists that can serve as the basis for automated username enumeration.
  • Check for any other sources of information leakage within the application that may enable you to compile a list of valid usernames.
  • Locate any subsidiary authentication function that accepts a username and determine whether it can also be used for username enumeration.
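The pair-comparison procedure above, as an added example that is not part of the original post. The three endpoints, their responses and the set of valid users are a constructed mock (mock_send) that leaks account existence through a different channel at each location: an HTML comment in the login page source, a redirect on the password-recovery form, and response timing on registration. The code compares each (valid, invalid) pair on status, Location header, body and timing, confirms the difference is systematic across several pairs, and then uses the confirmed oracle to harvest valid names from a candidate list.

```python
import difflib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    location: Optional[str]   # Location header if the server redirected, else None
    body: str
    elapsed_ms: float


# Constructed mock of three places a username is submitted (an assumption for
# this example). Each one leaks account existence through a different channel:
#   /login     same visible message, different HTML comment in the page source
#   /forgot    redirects for valid users, renders a page for invalid ones
#   /register  identical page, but slower for names that already exist
VALID_USERS = {"alice", "bob"}


def mock_send(endpoint, username):
    known = username in VALID_USERS
    if endpoint == "/login":
        hint = "<!-- stage: password-check -->" if known else "<!-- stage: user-lookup -->"
        return Response(200, None, f"<p>Invalid credentials</p>\n{hint}", 40.0)
    if endpoint == "/forgot":
        if known:
            return Response(302, "/forgot/sent", "", 40.0)
        return Response(200, None, "<p>If that account exists, we have sent an e-mail.</p>", 40.0)
    if endpoint == "/register":
        return Response(200, None, "<p>Registration received.</p>", 130.0 if known else 40.0)
    raise ValueError(f"unknown endpoint {endpoint}")


def compare(a, b, timing_threshold_ms=50.0):
    """List (kind, detail) pairs for every observable difference between two responses."""
    diffs = []
    if a.status != b.status:
        diffs.append(("status", f"{a.status} vs {b.status}"))
    if a.location != b.location:
        diffs.append(("redirect", f"{a.location!r} vs {b.location!r}"))
    if a.body != b.body:
        changed = [line for line in difflib.ndiff(a.body.splitlines(), b.body.splitlines())
                   if line[:1] in "+-"]
        diffs.append(("body", " | ".join(changed)))
    if abs(a.elapsed_ms - b.elapsed_ms) > timing_threshold_ms:
        diffs.append(("timing", f"{a.elapsed_ms:.0f}ms vs {b.elapsed_ms:.0f}ms"))
    return diffs


def enumeration_oracle(send, endpoint, pairs):
    """Confirm a systematic difference across several (valid, invalid) username pairs.

    Returns (systematic, kinds): systematic is True only when every pair shows
    the same non-empty set of difference kinds, which is what an automated
    enumeration run can key on.
    """
    kinds_per_pair = []
    for valid, invalid in pairs:
        diffs = compare(send(endpoint, valid), send(endpoint, invalid))
        kinds_per_pair.append(frozenset(kind for kind, _ in diffs))
    first = kinds_per_pair[0]
    systematic = bool(first) and all(k == first for k in kinds_per_pair)
    return systematic, sorted(first)


def harvest(send, endpoint, known_invalid, candidates, kinds):
    """Apply a confirmed oracle: a candidate is reported as valid when its
    response differs from a known-invalid username's response in exactly the
    kinds the oracle established."""
    baseline = send(endpoint, known_invalid)
    wanted = set(kinds)
    return [c for c in candidates
            if {kind for kind, _ in compare(send(endpoint, c), baseline)} == wanted]


if __name__ == "__main__":
    pairs = [("alice", "zz_not_a_user"), ("bob", "nobody_here")]
    for endpoint in ("/login", "/forgot", "/register"):
        systematic, kinds = enumeration_oracle(mock_send, endpoint, pairs)
        print(endpoint, systematic, kinds)
    _, kinds = enumeration_oracle(mock_send, "/forgot", pairs)
    print(harvest(mock_send, "/forgot", "nobody_here", ["alice", "carol", "bob", "dave"], kinds))
```

On a live target, `send` would wrap an HTTP client and fill `elapsed_ms` from the measured round trip; the mock returns fixed timings, but real measurements jitter, so take the median of several samples per username and set the threshold from a baseline of invalid names before trusting a timing-only oracle.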

Test for Password Guessing

  • Identify every location within the application where user credentials are submitted. The two main instances are typically the main login function and the password change function.
  • At each location, using an account that you control, manually send several requests containing the valid username and an invalid password.
    • Monitor the application's responses to identify any differences, such as a change in wording after a certain number of failures.
    • After about 10 failed logins, if the application has not returned a message about account lockout, submit a request containing the valid credentials.
    • If this request succeeds, an account lockout policy probably is not in force for that function.
  • If you do not control any account, attempt to enumerate or guess a valid username and make several invalid requests using this guess, monitoring for any error message about account lockout.
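Both branches of the lockout test above, as an added example that is not part of the original post. MockLogin is a constructed login handler whose lockout policy is configurable (no lockout, or lock after N consecutive failures); check_lockout runs the controlled-account procedure and reports what a tester would record, and probe_lockout_blind runs the no-account variant, watching only for lockout wording. The message strings and the LOCKOUT_HINTS list are assumptions for the example.

```python
# Constructed mock of a login handler (an assumption for this example).
# lockout_threshold=None models an application with no lockout policy; an
# integer N models "lock the account after N consecutive failures".
class MockLogin:
    def __init__(self, password="correct horse battery", lockout_threshold=None):
        self.password = password
        self.threshold = lockout_threshold
        self.failures = {}
        self.locked = set()

    def login(self, username, password):
        """Return (success, message): the two things the tester sees in a response."""
        if username in self.locked:
            return False, "Account locked. Try again later."
        if password == self.password:
            self.failures[username] = 0
            return True, "Welcome back"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.threshold is not None and self.failures[username] >= self.threshold:
            self.locked.add(username)
            return False, "Account locked. Try again later."
        return False, "Invalid credentials"


# Wording that commonly signals a lockout; extend per target.
LOCKOUT_HINTS = ("locked", "too many", "try again later", "temporarily disabled")


def looks_like_lockout(message):
    lowered = message.lower()
    return any(hint in lowered for hint in LOCKOUT_HINTS)


def check_lockout(login, username, valid_password, attempts=10):
    """Controlled-account test: `attempts` wrong passwords, then the real one.

    Records every distinct message, the attempt at which lockout wording first
    appeared, and whether the valid credentials still worked afterwards.
    No lockout wording plus a successful final login means no lockout policy
    is in force on this path; a failed final login despite a correct password
    means a silent lockout.
    """
    messages = []
    lockout_at = None
    for i in range(1, attempts + 1):
        _, msg = login(username, f"wrong-password-{i}")
        messages.append(msg)
        if lockout_at is None and looks_like_lockout(msg):
            lockout_at = i
    ok, final_msg = login(username, valid_password)
    return {
        "distinct_messages": sorted(set(messages)),
        "lockout_message_after": lockout_at,
        "valid_login_after_failures": ok,
        "final_message": final_msg,
        "lockout_enforced": lockout_at is not None or not ok,
    }


def probe_lockout_blind(login, guessed_username, attempts=10):
    """No controlled account: send wrong guesses for an enumerated or guessed
    username and watch only for lockout wording. Returns the attempt number at
    which it first appeared, or None if it never did."""
    for i in range(1, attempts + 1):
        _, msg = login(guessed_username, f"guess-{i}")
        if looks_like_lockout(msg):
            return i
    return None


if __name__ == "__main__":
    print("no lockout     :", check_lockout(MockLogin().login, "alice", "correct horse battery"))
    print("lockout after 5:", check_lockout(MockLogin(lockout_threshold=5).login,
                                            "alice", "correct horse battery"))
    print("blind probe    :", probe_lockout_blind(MockLogin(lockout_threshold=3).login, "admin"))
```

Two practical cautions when pointing this at a real application: the final valid-credential request is what distinguishes a silent lockout from no lockout at all, so use an account created for the test rather than one a user depends on; and some applications throttle by source IP or for a time window rather than per account, so a run that passes from one address with no delay between requests does not rule out every form of rate limiting.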