Want to learn more about web application hacks and authentication? Check out this post to gain valuable insight on data attacks and password quality.
Test Password Quality
- Review the password requirements
- Attempt to set various kinds of weak passwords, using any self-registration or password change functions to establish the rules actually enforced.
- Test for incomplete validation of credentials and set a strong and complex password. Attempt to log in using different variations on this password by removing the last character, changing a character’s case, and removing any special characters.
- Having established the minimum password quality rules and the extent of password validation, identify the range of values that a password-guessing attack would need to employ to have a good probability of success.
Test for Username Enumeration
- Identify every location within the various authentication functions where a username is submitted, including via an on-screen input field, a hidden form field, or a cookie. Common locations include the primary login, self-registration, password change, log out, and account recovery.
- For each location, submit two requests containing a valid and an invalid username. Review every detail of the server’s responses to each pair of requests, including the HTTP status code, any redirects, information displayed on-screen, any differences hidden in the HTML page source, and the time taken for the server to respond.
- If you observe any differences between the responses where a valid and invalid username is submitted, repeat the test with a different pair of values and confirm that a systematic difference exists that can provide a basis for automated username enumeration.
- Check for any other sources of information leakage within the application that may enable you to compile a list of valid usernames.
- Locate any subsidiary authentication that accepts a username and determine whether it can be used for username enumeration.
Test for Password Guessing
- Identify every location within the application where user credentials are submitted. The two main instances typically are the main login function and the password change function.
- At each location, using an account that you control manually sends several requests containing the valid username and other invalid credentials.
- Monitor the application’s responses to identify any differences.
- After about 10 failed logins, if the application has not returned a message about account lockout, submit a request containing valid credentials.
- If this request succeeds, an account lockout policy probably is not in force.
- If you do not control any accounts, attempt to enumerate or guess a valid username and make several invalid requests using this guess, monitoring for any error messages about account lockout.
This post was originally posted on dzone.com