The Hacker Recipes
GitHubTwitterExegolTools
Searchโ€ฆ
Introduction
Active Directory
Reconnaissance
Movement
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
Security policies
Password change
๐Ÿ› ๏ธ Password reset
Account creation
๐Ÿ› ๏ธ Account deletion
๐Ÿ› ๏ธ Logging in
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
๐Ÿ› ๏ธ Physical
Locks
Networking
Machines
Super secret zones
๐Ÿ› ๏ธ Intelligence gathering
CYBINT
OSINT
GEOINT
๐Ÿ› ๏ธ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
๐Ÿ› ๏ธ mobile apps
Android
iOS
Powered By GitBook
๐Ÿ› ๏ธ Logging in

Theory

link default passwords
Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding accounts takeover.
or bruteforce

Practice

or authentication bypass

Brute-force

Brute-forcing can have 2 interesting purposes during a pentest engagement:
  1. 1.
    Verifying that the web application implements security measures against brute-forcing.
  2. 2.
    Taking over an account by guessing its credentials.
One has to check whether a defense mechanism is used (account locking, blocking IP, CAPTCHA, etc.)
Account locking can lead to a denial of service and allow user enumeration. Check the OWASP recommendation on how it should be implemented.

User enumeration

User enumeration can be made possible depending on the:
  • Status code (is the status code retrieved, always the same?)
  • Error messages (does the error messages give a hint on whether the account exists?)
  • Response time (is the response time always the same?)

JSON Web Tokens (JWS) / OAuth 2.0

Check the following pages for issues regarding JWS and OAuth 2.0.

SQL injection

The tool sqlmap can unveil SQL injections on log-in forms.
sqlmap -r $REQUEST_FILE -p $LOGIN_PARAM,$PWD_PARAM
Use the --level and --delay options in pentest engagements to avoid issues (aggressive payloads and denial of service)
For manual testing: SQL injection (PayloadsAllTheThings)โ€‹

๐Ÿ› ๏ธ NoSQL injection

For manual testing: NoSQL injection (PayloadsAllTheThings)โ€‹

๐Ÿ› ๏ธ LDAP injection

For manual testing: LDAP injection (PayloadsAllTheThings)โ€‹

Encrypted requests

Some web applications don't use TLS to encrypt login requests, this can lead to account takeover via a Man-in-the-Middle attack.

References

Vulnerabilities in password-based login | Web Security Academy
WebSecAcademy
How to secure your authentication mechanisms | Web Security Academy
WebSecAcademy
JSON Web Token for Java - OWASP Cheat Sheet Series
Authentication - OWASP Cheat Sheet Series
What Is Broken Authentication?
Auth0 - Blog
OWASP Top Ten 2017 | A2:2017-Broken Authentication | OWASP Foundation
Login Bypass
HackTricks
Previous
๐Ÿ› ๏ธ Account deletion
Next - Web services
User inputs
Last modified 10mo ago
Copy link
Outline
Theory
Practice
Brute-force
User enumeration
JSON Web Tokens (JWS) / OAuth 2.0
SQL injection
๐Ÿ› ๏ธ NoSQL injection
๐Ÿ› ๏ธ LDAP injection
Encrypted requests
References