Hacking a Web Application: Authentication

Want to learn more about web application hacks and authentication? Check out this post to gain valuable insight on data attacks and password quality.

Test Password Quality

  • Review the password requirements
  • Attempt to set various kinds of weak passwords, using any self-registration or password change functions, to establish the rules actually enforced.
  • Test for incomplete validation of credentials and set a strong and complex password. Attempt to log in using different variations on this password by removing the last character, changing a character’s case, and removing any special characters.
  • Having established the minimum password quality rules and the extent of password validation, identify the range of values that a password-guessing attack would need to employ to have a good probability of success.
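The "incomplete validation" step above is easiest to understand from the server side. The following Python is an added example written for this post, not code from the original article: it puts a deliberately weak matcher (truncating to 8 characters and comparing case-insensitively) next to a hardened one (salted PBKDF2 over the full password, constant-time compare), and runs the same variations the checklist describes against both. The 12-character minimum and the sample password are constructed values for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed policy value for this example: the minimum length the application claims to enforce.
MIN_LENGTH = 12


# --- Weak validation: the defect the checklist probes for ---
# Only the first 8 characters are compared, and case is ignored, so dropping the last
# character or flipping case still authenticates.
def weak_password_matches(stored_plain: str, supplied: str) -> bool:
    return stored_plain[:8].lower() == supplied[:8].lower()


# --- Hardened validation: full-length, case-preserving, salted hash, constant-time compare ---
def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Create the stored credential record (salt + hash) for a new password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def strong_password_matches(record: dict, supplied: str) -> bool:
    candidate = hash_password(supplied, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def enforce_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == password or password.upper() == password:
        problems.append("no mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def variant_checks(check, secret: str) -> dict:
    """Run the checklist's variations (drop last char, change case, strip specials) through a matcher.

    `check` is any callable taking the supplied password and returning True/False.
    """
    variants = {
        "exact": secret,
        "last_char_removed": secret[:-1],
        "case_changed": secret.swapcase(),
        "specials_removed": "".join(c for c in secret if c.isalnum()),
    }
    return {name: check(candidate) for name, candidate in variants.items()}


if __name__ == "__main__":
    secret = "Correct-Horse-9battery"  # constructed sample password
    print("policy violations:", enforce_policy(secret))
    print("weak:  ", variant_checks(lambda p: weak_password_matches(secret, p), secret))
    record = make_record(secret)
    print("strong:", variant_checks(lambda p: strong_password_matches(record, p), secret))
```

Only the `exact` variant should succeed against a correct implementation; any other `True` in the weak matcher's results is exactly the kind of discrepancy the checklist step is looking for, and it directly shrinks the space a password-guessing attack has to cover.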

Test for Username Enumeration

  • Identify every location within the various authentication functions where a username is submitted, including via an on-screen input field, a hidden form field, or a cookie. Common locations include the primary login, self-registration, password change, logout, and account recovery.
  • For each location, submit two requests containing a valid and an invalid username. Review every detail of the server’s responses to each pair of requests, including the HTTP status code, any redirects, information displayed on-screen, any differences hidden in the HTML page source, and the time taken for the server to respond.
  • If you observe any differences between the responses where a valid and invalid username is submitted, repeat the test with a different pair of values and confirm that a systematic difference exists that can provide a basis for automated username enumeration.
  • Check for any other sources of information leakage within the application that may enable you to compile a list of valid usernames.
  • Locate any subsidiary authentication that accepts a username and determine whether it can be used for username enumeration.
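To see what the "compare the two responses" step is measuring, here is an added Python example (not from the original post) of a login handler in two forms: a leaky one whose status code and message differ between an unknown username and a wrong password, and a uniform one that returns the same status, the same message and does the same amount of hashing work in both cases. The user store, the account name and the password are constructed for the example; `responses_differ` is the self-check a team can run against its own handler before an assessment does.

```python
import hashlib
import hmac
import secrets
import statistics
import time


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store for this example: a single valid account.
_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _SALT, "hash": hash_password("Correct-Horse-9battery", _SALT)}}

# Dummy credential so that an unknown username still costs one hash computation,
# keeping response time independent of whether the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(username: str, password: str) -> tuple:
    """Returns (status, message). Different branches leak whether the username exists."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown username"          # no hashing work at all: fast and distinguishable
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        return 401, "Incorrect password"
    return 200, "Welcome"


def uniform_login(username: str, password: str) -> tuple:
    """Returns (status, message). Same response and same work for unknown and known usernames."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    # Always compute and compare the hash first, then reject if the account does not exist.
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    if rec is None or not matched:
        return 401, "Invalid username or password"
    return 200, "Welcome"


def responses_differ(login, valid_user: str, invalid_user: str,
                     password: str = "not-the-password") -> bool:
    """Checklist self-check: does the visible response change between a valid and an invalid username?"""
    return login(valid_user, password) != login(invalid_user, password)


def median_latency(login, username: str, password: str, runs: int = 5) -> float:
    """Median wall-clock seconds per call; compare valid vs. invalid usernames for the timing channel."""
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("leaky", leaky_login), ("uniform", uniform_login)):
        print(name, "responses differ:", responses_differ(fn, "alice", "mallory"))
        print(name, "latency valid/invalid: %.4fs / %.4fs"
              % (median_latency(fn, "alice", "x"), median_latency(fn, "mallory", "x")))
```

The status line and message are the obvious differences; the timing column is the subtle one, and it is why the uniform handler hashes against a dummy record instead of returning early. The same pattern applies to password reset and registration responses, which the checklist lists as common leak locations.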

Test for Password Guessing

  • Identify every location within the application where user credentials are submitted. The two main instances typically are the main login function and the password change function.
  • At each location, using an account that you control, manually send several requests containing the valid username and other invalid credentials.
    • Monitor the application’s responses to identify any differences.
    • After about 10 failed logins, if the application has not returned a message about account lockout, submit a request containing valid credentials.
    • If this request succeeds, an account lockout policy probably is not in force.
  • If you do not control any accounts, attempt to enumerate or guess a valid username and make several invalid requests using this guess, monitoring for any error messages about account lockout.
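The lockout behaviour this section tests for is small to implement but easy to get subtly wrong. The Python below is an added example for this post (not the original author's code) of a per-username throttle: five failures within a five-minute window lock the account for fifteen minutes, a success clears the counter, and the throttle is keyed on the submitted username string, so an unknown username is locked out exactly like a real one and the lockout message cannot itself be used for enumeration. The thresholds, the injectable clock and the toy credential checker are assumptions made for the demonstration.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example.
MAX_FAILURES = 5          # failures within WINDOW_SECONDS before locking
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks recent failures per submitted username and enforces a temporary lockout."""

    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock so the logic can be tested
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> monotonic time when the lock expires

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        return until is not None and self._now() < until

    def record_failure(self, username: str) -> None:
        now = self._now()
        recent = self._failures[username]
        recent.append(now)
        # Drop failures that have aged out of the window.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            recent.clear()

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str, check) -> str:
    """Returns 'locked', 'failed' or 'ok'. `check(username, password)` is the credential verifier."""
    if throttle.is_locked(username):
        return "locked"            # identical whether or not the username exists
    if check(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


# Toy verifier standing in for the real credential store (assumption for this example).
def toy_check(username: str, password: str) -> bool:
    return username == "alice" and password == "Correct-Horse-9battery"


def simulate(throttle: LoginThrottle, username: str, bad_attempts: int, good_password: str) -> list:
    """Replay the checklist: several bad logins, then one with valid credentials."""
    results = [attempt_login(throttle, username, "wrong", toy_check) for _ in range(bad_attempts)]
    results.append(attempt_login(throttle, username, good_password, toy_check))
    return results


if __name__ == "__main__":
    print(simulate(LoginThrottle(), "alice", 10, "Correct-Horse-9battery"))
```

With the lockout in force the final, valid attempt returns `locked`; with no throttle it would return `ok`, which is exactly the observation the checklist step turns into a finding. One caveat worth building in from the start: a per-username lock lets anyone who knows a username deny service to its owner, so production deployments usually pair it with per-source rate limiting or a CAPTCHA step rather than a hard lock alone.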

This post was originally posted on dzone.com