Hacking a Web Application: Authentication (Part 1)
Want to learn more about web application hacks and authentication? This post walks through the first three authentication checks a tester performs: password quality, username enumeration and password guessing.
Test Password Quality
- Review the password requirements
- Attempt to set various kinds of weak passwords, using any self-registration or password change functions to establish the rules actually enforced.
- Test for incomplete validation of credentials: set a strong, complex password, then attempt to log in using variations of it, for example with the last character removed, a character's case changed, or the special characters removed. Any variation that is accepted means the application truncates or normalizes the password before comparing it, which shrinks the space an attacker has to search.
- Having established the minimum password quality rules and the extent of password validation, identify the range of values that a password-guessing attack would need to employ to have a good probability of success.
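The two checks above, as an added example that is not part of the original article: `password_variants` builds the probe variations, `mock_login` is a constructed stand-in for an application that silently truncates passwords to 8 characters and compares them case-insensitively, and `effective_keyspace` turns the observed rules into the number of candidates a guessing attack would have to cover. The policy values and the mock's stored password are assumptions.

```python
import math
import string

# Added example, not code from the original article. mock_login() is a
# constructed vulnerable check; the policy arguments given to
# effective_keyspace() are assumptions standing in for the rules a tester
# actually observes through the registration or password-change form.


def password_variants(password):
    """Variations of a known-good password that probe for incomplete validation."""
    variants = {}
    if len(password) > 1:
        variants["truncated"] = password[:-1]          # last character removed
    swapped = password.swapcase()
    if swapped != password:
        variants["case_swapped"] = swapped             # every letter's case flipped
    stripped = "".join(c for c in password if c.isalnum())
    if stripped and stripped != password:
        variants["specials_removed"] = stripped        # non-alphanumerics dropped
    return variants


def mock_login(username, password):
    """Constructed vulnerable check: only the first 8 characters, lower-cased, are compared."""
    stored = {"alice": "secr3t!p"}   # what the mock kept when 'Secr3t!Pass' was set
    return stored.get(username) == password[:8].lower()


def probe_incomplete_validation(login, username, password):
    """Try each variant against a login function; True means it was accepted."""
    return {name: login(username, variant)
            for name, variant in password_variants(password).items()}


def effective_keyspace(min_length, alphabet, truncate_at=None, case_insensitive=False):
    """Candidates at the shortest allowed length, after truncation and case
    folding (if observed) are taken into account."""
    length = min_length if truncate_at is None else min(min_length, truncate_at)
    symbols = set(alphabet)
    if case_insensitive:
        symbols = {c.lower() for c in symbols}
    return len(symbols) ** length


def keyspace_bits(size):
    """Search space expressed in bits, for comparing nominal against effective strength."""
    return math.log2(size)


if __name__ == "__main__":
    print(probe_incomplete_validation(mock_login, "alice", "Secr3t!Pass"))
    printable = string.ascii_letters + string.digits + string.punctuation
    nominal = effective_keyspace(8, printable)
    effective = effective_keyspace(8, printable, truncate_at=8, case_insensitive=True)
    print(f"{keyspace_bits(nominal):.1f} bits nominal vs {keyspace_bits(effective):.1f} bits effective")
```

Against a real target, `mock_login` is replaced by a function that submits the credentials and returns whether the login succeeded; the variant that is accepted tells you which normalization to fold into the keyspace calculation.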
Test for Username Enumeration
- Identify every location within the various authentication functions where a username is submitted, including via an on-screen input field, a hidden form field, or a cookie. Common locations include the main login, self-registration, password change, logout, and account recovery.
- For each location, submit two requests containing a valid and an invalid username. Review every detail of the server’s responses to each pair of requests, including the HTTP status code, any redirects, information displayed on-screen, any differences hidden in the HTML page source, and the time taken for the server to respond.
- If you observe any differences between the responses where a valid and invalid username is submitted, repeat the test with a different pair of values and confirm that a systematic difference exists that can provide a basis for automated username enumeration.
- Check for any other sources of information leakage within the application that may enable you to compile a list of valid usernames.
- Locate any subsidiary authentication that accepts a username and determine whether it can be used for username enumeration.
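The pairwise comparison described in the list above, as an added example that is not part of the original article. `mock_login_endpoint` is a constructed server stand-in that leaks account existence in two of the ways the checklist mentions: a hidden form field that only appears for known users, and a response time that differs because the password hash is only computed when the username exists. The usernames, the hidden field and the hashing parameters are assumptions; against a real target the endpoint function would send the request and return the same fields.

```python
import hashlib
import re
import time

# Added example, not code from the original article. The endpoint, users and
# page markup are constructed; replace mock_login_endpoint with a function
# that performs a real request and returns {"status", "location", "body"}.

_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt", 100_000),
    "bob": hashlib.pbkdf2_hmac("sha256", b"battery staple", b"salt", 100_000),
}


def mock_login_endpoint(username, password):
    """Constructed leaky login: same status and no redirect for both cases,
    but a hidden input and a slow hash only when the username exists."""
    page = "<form><input name='user' value='{u}'>{extra}<p>Login failed</p></form>"
    if username not in _USERS:
        return {"status": 200, "location": None, "body": page.format(u=username, extra="")}
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"salt", 100_000)  # timing leak
    hidden = "<input type='hidden' name='retry' value='1'>"
    return {"status": 200, "location": None, "body": page.format(u=username, extra=hidden)}


def probe(endpoint, username, password="not-the-password"):
    """Send one request and record every attribute the checklist says to compare."""
    start = time.perf_counter()
    resp = endpoint(username, password)
    resp["elapsed"] = time.perf_counter() - start
    # normalise echoes of the submitted username so they do not count as a difference
    resp["body"] = resp["body"].replace(username, "<USER>")
    return resp


def compare_responses(a, b, timing_threshold=0.02):
    """Attributes on which two recorded responses differ."""
    diffs = set()
    if a["status"] != b["status"]:
        diffs.add("status")
    if a["location"] != b["location"]:
        diffs.add("redirect")
    if len(a["body"]) != len(b["body"]):
        diffs.add("body_length")
    if a["body"] != b["body"]:
        diffs.add("body")
    if abs(a["elapsed"] - b["elapsed"]) > timing_threshold:
        diffs.add("timing")
    return diffs


def systematic_differences(endpoint, pairs):
    """Attributes that differ for every (valid, invalid) pair tried: the ones
    an automated enumeration can key on. Single-pair differences may be noise."""
    common = None
    for valid, invalid in pairs:
        d = compare_responses(probe(endpoint, valid), probe(endpoint, invalid))
        common = d if common is None else common & d
    return common or set()


def hidden_field_differences(valid_body, invalid_body):
    """Hidden inputs present in one page source but not the other."""
    pattern = r"<input[^>]*type='hidden'[^>]*>"
    return set(re.findall(pattern, valid_body)) ^ set(re.findall(pattern, invalid_body))


if __name__ == "__main__":
    pairs = [("alice", "mallory"), ("bob", "eve")]
    print("systematic differences:", systematic_differences(mock_login_endpoint, pairs))
    v, i = probe(mock_login_endpoint, "alice"), probe(mock_login_endpoint, "mallory")
    print("hidden fields:", hidden_field_differences(v["body"], i["body"]))
    print(f"timing: {v['elapsed']:.3f}s for a valid user vs {i['elapsed']:.3f}s for an invalid one")
```

The timing threshold is deliberately coarse; on a real network you would take several samples per username and compare medians before treating response time as a systematic difference.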
Test for Password Guessing
- Identify every location within the application where user credentials are submitted. The two main instances typically are the main login function and the password change function.
- At each location, using an account that you control, manually send several requests containing the valid username together with an invalid password or other invalid credentials.
- Monitor the application’s responses to identify any differences.
- After about 10 failed logins, if the application has not returned a message about account lockout, submit a request containing the valid credentials.
- If this request succeeds, an account lockout policy is probably not in force. If it fails, the account may have been locked silently behind the same generic error that a wrong password produces, so wait and retry before drawing a conclusion.
- If you do not control any accounts, attempt to enumerate or guess a valid username and make several invalid requests using this guess, monitoring for any error messages about account lockout. Bear in mind that this can lock a real user out of the application, so confirm it is within scope first.
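The lockout test above, as an added example that is not part of the original article. `MockLoginService` is a constructed stand-in for the login function and can be built with or without a lockout threshold so both outcomes can be seen; `check_account_lockout` performs the controlled-account procedure and `probe_without_account` the guessed-username variant. The user data, messages and threshold are assumptions.

```python
# Added example, not code from the original article. MockLoginService, its
# users and its messages are constructed; against a real target, pass a
# function that submits the credentials and returns
# {"ok": bool, "body": response text} in place of service.login.

LOCKOUT_MARKERS = ("locked", "too many", "temporarily disabled")


class MockLoginService:
    """Constructed login endpoint that counts failures per username."""

    def __init__(self, users, lockout_threshold=None):
        self.users = users                      # username -> password
        self.lockout_threshold = lockout_threshold
        self.failures = {}

    def login(self, username, password):
        if (self.lockout_threshold is not None
                and self.failures.get(username, 0) >= self.lockout_threshold):
            return {"ok": False, "body": "Account locked. Please contact support."}
        if self.users.get(username) == password:
            self.failures[username] = 0
            return {"ok": True, "body": "Welcome back"}
        self.failures[username] = self.failures.get(username, 0) + 1
        return {"ok": False, "body": "Invalid username or password"}


def mentions_lockout(body):
    text = body.lower()
    return any(marker in text for marker in LOCKOUT_MARKERS)


def check_account_lockout(login, username, password, attempts=10):
    """With an account you control: send N wrong passwords, record every
    distinct failure message, then submit the real password."""
    messages = []
    lockout_seen = False
    for i in range(attempts):
        resp = login(username, f"wrong-password-{i}")
        messages.append(resp["body"])
        lockout_seen = lockout_seen or mentions_lockout(resp["body"])
    final = login(username, password)
    return {
        "distinct_failure_messages": sorted(set(messages)),
        "lockout_message_seen": lockout_seen,
        "valid_login_succeeded": final["ok"],
    }


def lockout_in_force(observation):
    """A lockout message, or the valid login failing afterwards (a silent
    lockout), both point to a policy being enforced."""
    return observation["lockout_message_seen"] or not observation["valid_login_succeeded"]


def probe_without_account(login, guessed_username, attempts=10):
    """Without a controlled account only the error messages can be watched.
    Caution: this can lock out a real user on the target."""
    for i in range(attempts):
        if mentions_lockout(login(guessed_username, f"guess-{i}")["body"]):
            return True
    return False


if __name__ == "__main__":
    for threshold in (None, 5):
        service = MockLoginService({"alice": "hunter2"}, lockout_threshold=threshold)
        observed = check_account_lockout(service.login, "alice", "hunter2")
        print(f"threshold={threshold}: {observed} -> lockout in force: {lockout_in_force(observed)}")
```

Returning the observations rather than a bare verdict matters in practice: a valid login that fails after the burst is evidence of lockout only if you also confirm that the same credentials work again after a cooling-off period.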