🛠️Logging in

Theory

link default passwords

Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding accounts takeover.

or bruteforce

or authentication bypass

Brute-forcing can have 2 interesting purposes during a pentest engagement:

Verifying that the web application implements security measures against brute-forcing.
Taking over an account by guessing its credentials.

One has to check whether a defense mechanism is used (account locking, blocking IP, CAPTCHA, etc.)

Account locking can lead to a denial of service and allow user enumeration. Check the OWASP recommendation on how it should be implemented.

User enumeration can be made possible depending on the:

Status code (is the status code retrieved, always the same?)
Error messages (does the error messages give a hint on whether the account exists?)
Response time (is the response time always the same?)

Check the following pages for issues regarding JWS and OAuth 2.0.

The tool sqlmap can unveil SQL injections on log-in forms.

sqlmap -r $REQUEST_FILE -p $LOGIN_PARAM,$PWD_PARAM

Use the --level and --delay options in pentest engagements to avoid issues (aggressive payloads and denial of service)

Some web applications don't use TLS to encrypt login requests, this can lead to account takeover via a Man-in-the-Middle attack.

Last updated 8 months ago