The Hacker Recipes
Logging in
Theory
Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding account takeover.
(link default passwords, or bruteforce, or authentication bypass)
Practice
Brute-force
Brute-forcing can have 2 interesting purposes during a pentest engagement:
1. Verifying that the web application implements security measures against brute-forcing.
2. Taking over an account by guessing its credentials.
One has to check whether a defense mechanism is used (account locking, IP blocking, CAPTCHA, etc.).
Account locking can lead to a denial of service and allow user enumeration. Check the OWASP recommendation on how it should be implemented.
User enumeration
User enumeration can be made possible depending on the:
Status code (is the status code retrieved always the same?)
Error messages (do the error messages give a hint on whether the account exists?)
Response time (is the response time always the same?)
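The three channels listed above, shown side by side on a leaky and a hardened login handler. This is an added example, not code from The Hacker Recipes: the user store, the `login_leaky`, `login_uniform` and `enumeration_channels` functions and the sample credentials are all constructed for illustration. The hardened handler answers with one status code and one message for both failure cases and always runs the password hash (against a dummy credential when the user is unknown) so that the response time does not depend on whether the account exists.

```python
import hashlib
import hmac
import os
import time

def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Deliberately slow hash, so skipping it for unknown users is measurable
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user store (one account), not a real application's data
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}
# Dummy credential of identical cost, verified instead of "nothing" for unknown usernames
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _pbkdf2("dummy-never-used", _DUMMY_SALT))

def login_leaky(username: str, password: str):
    """Typical vulnerable handler: the two failure branches differ in status, message and timing."""
    if username not in USERS:
        return 404, "unknown user"            # no hashing done: fast, distinct status and message
    salt, expected = USERS[username]
    if hmac.compare_digest(_pbkdf2(password, salt), expected):
        return 200, "ok"
    return 401, "wrong password"

def login_uniform(username: str, password: str):
    """Hardened handler: same status, same message and same work whether the user exists or not."""
    salt, expected = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if match and username in USERS:           # membership check after hashing keeps timing uniform
        return 200, "ok"
    return 401, "invalid username or password"

def enumeration_channels(login, known="alice", unknown="nobody", password="wrong"):
    """Compare the 'known user, bad password' and 'unknown user' failures on each channel."""
    t0 = time.perf_counter()
    known_resp = login(known, password)
    t_known = time.perf_counter() - t0
    t0 = time.perf_counter()
    unknown_resp = login(unknown, password)
    t_unknown = time.perf_counter() - t0
    return {
        "status": known_resp[0] != unknown_resp[0],     # True means the status code leaks
        "message": known_resp[1] != unknown_resp[1],    # True means the error text leaks
        "timing_ratio": round(t_known / max(t_unknown, 1e-9), 1),  # ~1.0 when timing is uniform
    }
```

Running `enumeration_channels(login_leaky)` reports differing status and message and a large timing ratio, while `enumeration_channels(login_uniform)` reports no difference on either channel and a ratio close to 1.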
JSON Web Tokens (JWS) / OAuth 2.0
Check the following pages for issues regarding JWS and OAuth 2.0.
SQL injection
The tool sqlmap can unveil SQL injections on log-in forms.
sqlmap -r $REQUEST_FILE -p $LOGIN_PARAM,$PWD_PARAM
Use the --level and --delay options in pentest engagements to avoid issues (aggressive payloads and denial of service).
For manual testing: SQL injection (PayloadsAllTheThings)
NoSQL injection
For manual testing: NoSQL injection (PayloadsAllTheThings)
LDAP injection
For manual testing: LDAP injection (PayloadsAllTheThings)
Encrypted requests
Some web applications don't use TLS to encrypt login requests. This can lead to account takeover via a Man-in-the-Middle attack.
References
Vulnerabilities in password-based login (Web Security Academy)
How to secure your authentication mechanisms (Web Security Academy)
JSON Web Token for Java (OWASP Cheat Sheet Series)
Authentication (OWASP Cheat Sheet Series)
What Is Broken Authentication? (Auth0 Blog)
OWASP Top Ten 2017: A2:2017-Broken Authentication (OWASP Foundation)
Login Bypass (HackTricks)