25 lines
1.6 KiB
Markdown
25 lines
1.6 KiB
Markdown
|
|
||
|
## Password-Based Login
|
||
|
|
||
|
Username/Password Enumeration
|
||
|
- Pay attention to the following:
|
||
|
Status Codes
|
||
|
Error Messages
|
||
|
Response Times
|
||
|
|
||
|
Bypassing Brute-Force Protections:
|
||
|
- Protection #1: Account lockout based on invalid login attempts
|
||
|
- Protection #2: Blocking IP based on many login attempts in quick succession
|
||
|
Both can be bypassed by adding valid login with your own credentials every few tries so there is not a succession of invalid login attempts
|
||
|
|
||
|
Bypassing Account Locking:
|
||
|
- Establish a list of candidate usernames that are likely to be valid. This could be through username enumeration or simply based on a list of common usernames.
|
||
|
- Decide on a very small shortlist of passwords that you think at least one user is likely to have. Crucially, the number of passwords you select must not exceed the number of login attempts allowed. For example, if you have worked out that limit is 3 attempts, you need to pick a maximum of 3 password guesses.
|
||
|
- Using a tool such as Burp Intruder, try each of the selected passwords with each of the candidate usernames. This way, you can attempt to brute-force every account without triggering the account lock. You only need a single user to use one of the three passwords in order to compromise an account.
|
||
|
|
||
|
HTTP Basic Authentication
|
||
|
- Old but simple so sometimes is still in use
|
||
|
- Sends the username:password after Base64 encoding it in the "Authorization" header of every response
|
||
|
- Can be compromised with a man-in-the-middle attack
|
||
|
- Often do not support brute-force protection
|
||
|
- Partially vulnerable to session-related exploits such as CSRF
|