Authentication Failures (WIP)

Summary

Common types of

Detailed

Exploitation Techniques

It's

Username and Password Brute-Force with BurpSuite Intruder

This could be used in authentication sites, like login pages that do not have protections against brute-force attacks, such as max login attempts, temporary lock, rate limit, or CAPTCHA, among others. We can use Burp Suite to make a brute-force attack using dictionaries or well-known usernames and passwords.

Intercept a petition to the target endpoint using the Proxy tab, right-click the petition, and hit Send to Intruder

Go to the Intruder tab, then select the target field to be changed and hit the Add button

Check that the desired field is surrounded by symbols, which means it has been selected properly. Then, in the right panel, add the desired payloads or set dictionaries, and hit the Start Attack button on top

Another window will be displayed with the petitions and their values. Here, the results can be compared to check if we receive different responses, the length of them, or other interesting values that could indicate that we have valid credentials

Technique 2

The

Check

Impact

It c

Inform

Mitigation Strategies

It cou

Awar

Checklist for Developers and Sysadmins

PreviousCryptographic Failures (WIP)NextRemote File Inclusion (WIP)

Last updated 5 months ago

hashtagExploitation Techniques

hashtagUsername and Password Brute-Force with BurpSuite Intruder

hashtagTechnique 2

hashtagImpact

hashtagMitigation Strategies

hashtagChecklist for Developers and Sysadmins