🛠️Logging in
Theory
link default passwords
Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding accounts takeover.
or bruteforce
Practice
or authentication bypass
Brute-force
Brute-forcing can have 2 interesting purposes during a pentest engagement:
Verifying that the web application implements security measures against brute-forcing.
Taking over an account by guessing its credentials.
One has to check whether a defense mechanism is used (account locking, blocking IP, CAPTCHA, etc.)
Account locking can lead to a denial of service and allow user enumeration. Check the OWASP recommendation on how it should be implemented.
User enumeration
User enumeration can be made possible depending on the:
Status code (is the status code retrieved, always the same?)
Error messages (does the error messages give a hint on whether the account exists?)
Response time (is the response time always the same?)
JSON Web Tokens (JWS) / OAuth 2.0
Check the following pages for issues regarding JWS and OAuth 2.0.
SQL injection
The tool sqlmap can unveil SQL injections on log-in forms.
Use the --level
and --delay
options in pentest engagements to avoid issues (aggressive payloads and denial of service)
For manual testing: SQL injection (PayloadsAllTheThings)
🛠️ NoSQL injection
For manual testing: NoSQL injection (PayloadsAllTheThings)
🛠️ LDAP injection
For manual testing: LDAP injection (PayloadsAllTheThings)
Encrypted requests
Some web applications don't use TLS to encrypt login requests, this can lead to account takeover via a Man-in-the-Middle attack.
Resources
\
Last updated
Was this helpful?