Logging in
Authentication issues are important to take into consideration: a login page can be the starting point of serious account-takeover issues, whether through default passwords, brute-forcing or authentication bypass.
Brute-forcing serves two purposes during a pentest engagement:
Verifying that the web application implements security measures against brute-forcing.
Taking over an account by guessing its credentials.
Check whether a defense mechanism is in place (account locking, IP blocking, CAPTCHA, etc.) and at which point it triggers.
Account locking has side effects of its own: it can be abused for denial of service (an attacker repeatedly fails logins on a victim's username until the account is locked) and it can allow user enumeration (if the lockout response only appears for accounts that exist). Check the on how it should be implemented.
User enumeration may be possible through the:
Status code (is the status code the same for an existing and a non-existing username?)
Error messages (does the error message hint at whether the account exists, e.g. "unknown user" versus "wrong password"?)
Response time (is the response time always the same? A password hash that is only computed when the user exists is a classic timing oracle.)
Use the --level and --delay options in pentest engagements to avoid issues (aggressive payloads and denial of service).
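As an added example (not code from the original page), the following Python simulates a login endpoint twice, once leaking all three enumeration signals listed above and once hardened, together with a probe that compares the responses for a known-existing and a non-existing username the way a tester would against a real target. The usernames, passwords, salt and PBKDF2 parameters are constructed for the demo and are not from the page.

```python
import hashlib
import hmac
import secrets
import statistics
import time

# Constructed user store for the demo: username -> (salt, PBKDF2 digest).
def _hash(password: str, salt: bytes) -> bytes:
    # Deliberately slow hash so that "hash only when the user exists" shows up as a timing oracle.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
_DUMMY_DIGEST = _hash("dummy", _SALT)  # used to do equal work for unknown users


def login_leaky(username: str, password: str):
    """Simulated vulnerable login: status code, message and timing all differ per case."""
    record = USERS.get(username)
    if record is None:
        return 404, "unknown user"            # distinct status and message, and no hashing
    salt, digest = record
    if hmac.compare_digest(_hash(password, salt), digest):
        return 200, "welcome"
    return 401, "wrong password"              # different message for an existing account


def login_uniform(username: str, password: str):
    """Hardened login: same status, same message and same amount of work in every failure case."""
    salt, digest = USERS.get(username, (_SALT, _DUMMY_DIGEST))
    # Always compute the hash; the dummy digest can match only if the user does not exist,
    # so the membership check keeps a guessed dummy password from logging in.
    ok = hmac.compare_digest(_hash(password, salt), digest) and username in USERS
    if ok:
        return 200, "welcome"
    return 401, "invalid username or password"


def probe(login, existing="alice", absent="nobody", samples=5):
    """Send a wrong password for an existing and a non-existing user and report
    which of the three enumeration signals (status, message, timing) differ."""
    def observe(user):
        statuses, messages, times = set(), set(), []
        for _ in range(samples):
            t0 = time.perf_counter()
            status, msg = login(user, "not-the-password")
            times.append(time.perf_counter() - t0)
            statuses.add(status)
            messages.add(msg)
        return statuses, messages, statistics.median(times)

    s_exist, m_exist, t_exist = observe(existing)
    s_absent, m_absent, t_absent = observe(absent)
    return {
        "status_differs": s_exist != s_absent,
        "message_differs": m_exist != m_absent,
        # ratio of median response times; close to 1.0 means no usable timing oracle
        "timing_ratio": max(t_exist, t_absent) / max(min(t_exist, t_absent), 1e-9),
    }


if __name__ == "__main__":
    print("leaky:  ", probe(login_leaky))
    print("uniform:", probe(login_uniform))
```

Against a real target the same comparison is done over HTTP: record status, body and elapsed time for a handful of requests per username and look at the medians rather than single samples, since network jitter easily dwarfs the difference a single request shows.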
Some web applications don't use TLS for login requests: credentials sent over plaintext HTTP can be captured or altered by a Man-in-the-Middle attacker, which leads directly to account takeover. Check that the login form is served over HTTPS and that it submits to an HTTPS endpoint.
Check the following pages for issues regarding and .
The tool can unveil SQL injections on log-in forms.
For manual testing:
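The kind of injection such a tool looks for on a login form, as an added example that is not from the original page: a login query built by string concatenation beside its parameterized fix, exercised with the two classic bypass payloads. The table, the sample row and the payloads are constructed for the demo (passwords are stored in clear only to keep it short; a real application stores a salted hash).

```python
import sqlite3


def _make_db() -> sqlite3.Connection:
    # Constructed in-memory table with one sample account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is pasted straight into the SQL text, so quotes and comments
    # in the username or password rewrite the WHERE clause.
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(query).fetchone() is not None


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the input as data: the same payloads are compared literally.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    con = _make_db()
    comment_payload = "alice' --"     # closes the string and comments out the password check
    tautology_payload = "x' OR '1'='1"  # makes the whole condition true for any username
    return {
        "vuln_comment": login_vulnerable(con, comment_payload, "anything"),
        "vuln_tautology": login_vulnerable(con, "nobody", tautology_payload),
        "fixed_comment": login_parameterized(con, comment_payload, "anything"),
        "fixed_tautology": login_parameterized(con, "nobody", tautology_payload),
        "fixed_valid": login_parameterized(con, "alice", "s3cret"),
        "fixed_wrong": login_parameterized(con, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in' if result else 'rejected'}")
```

For manual testing the same two payloads, plus a lone single quote to provoke a database error, are what to put in the username and password fields first; a different response to `'` versus `''` is the usual tell before trying a full bypass.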