🛠️Logging in

Theory

link default passwords

Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding accounts takeover.

or bruteforce

Practice

or authentication bypass

Brute-force

Brute-forcing can have 2 interesting purposes during a pentest engagement:

1. Verifying that the web application implements security measures against brute-forcing.

2. Taking over an account by guessing its credentials.

One has to check whether a defense mechanism is used (account locking, blocking IP, CAPTCHA, etc.)

User enumeration

User enumeration can be made possible depending on the:

• Status code (is the status code retrieved, always the same?)

• Error messages (does the error messages give a hint on whether the account exists?)

• Response time (is the response time always the same?)

JSON Web Tokens (JWS) / OAuth 2.0

Check the following pages for issues regarding JWS and OAuth 2.0.

SQL injection

The tool sqlmap can unveil SQL injections on log-in forms.

For manual testing: SQL injection (PayloadsAllTheThings)

🛠️ NoSQL injection

For manual testing: NoSQL injection (PayloadsAllTheThings)

🛠️ LDAP injection

For manual testing: LDAP injection (PayloadsAllTheThings)

Encrypted requests

Some web applications don't use TLS to encrypt login requests, this can lead to account takeover via a Man-in-the-Middle attack.

Resources

Vulnerabilities in password-based login | Web Security AcademyWebSecAcademy

How to secure your authentication mechanisms | Web Security AcademyWebSecAcademy

JSON Web Token for Java - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

Authentication - OWASP Cheat Sheet Seriescheatsheetseries.owasp.org

What Is Broken Authentication?Auth0 - Blog

OWASP Top Ten 2017 | A2:2017-Broken Authentication | OWASP Foundationowasp.org

Page not found - HackTricksbook.hacktricks.xyz

\