Authentication Testing (Who are you?)!
Let's get started!
To identify an individual within a group of people we need some unique combination of attributes: first name, last name, address or SSN, for example. Those attributes let us tell one person from another. That works for humans; to identify a user, a web application uses "authentication". Let us discuss it in detail.
What Is Authentication?
It is the process of verifying the identity of a person or a device. A server uses authentication when it needs to know exactly who is accessing its information or site: the user or client has to prove its identity to the server. A common example is entering a username and password when you log in to a website.
Web applications use different authentication methods: a username and password, or a username plus an OTP (one-time password) sent to your mobile phone. If an attacker knows your username and password, or the other factors you use for authentication, they can impersonate you.
A simple example of an authentication bypass: some pages or functionality should be reachable only after login, but if an attacker requests that page's URL directly, the login check may be missing on that route and the page is served anyway. Authentication-related issues can be introduced at different stages of the SDLC.
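The bypass described above, as an added example (this is illustration code written for this page, not code from the original post or from any real application): a tiny in-memory router where one route forgot its login check, beside a hardened version that enforces the check with a decorator and verifies at startup that every non-public route carries it. The session store, the `/admin` and `/dashboard` paths and the cookie name are assumptions made for the example.

```python
# Added example: authentication bypass by direct request to an "unlinked" page,
# and a hardened version that enforces the login check centrally.
# SESSIONS, the route names and the cookie name are illustrative assumptions.
import functools

# Constructed session store: session token -> username. A real application would
# keep this server-side with random, expiring tokens.
SESSIONS = {"sess-abc123": "alice"}


def current_user(request):
    """Resolve the logged-in user from the session cookie, or None."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))


# --- Vulnerable version: each handler is responsible for its own check --------

def vuln_dashboard(request):
    if current_user(request) is None:
        return 302, "redirect: /login"
    return 200, "dashboard for " + current_user(request)


def vuln_admin(request):
    # The developer forgot the check here. The page is "hidden" only by not being
    # linked from the UI, so requesting /admin directly bypasses authentication.
    return 200, "admin panel"


VULN_ROUTES = {"/dashboard": vuln_dashboard, "/admin": vuln_admin}


# --- Hardened version: the check lives in one decorator, and every route that is
# not explicitly public must carry it ----------------------------------------

PUBLIC_PATHS = {"/login"}


def login_required(handler):
    @functools.wraps(handler)
    def wrapper(request):
        if current_user(request) is None:
            return 302, "redirect: /login"
        return handler(request)
    wrapper.login_required = True  # marker used by the startup check below
    return wrapper


@login_required
def safe_dashboard(request):
    return 200, "dashboard for " + current_user(request)


@login_required
def safe_admin(request):
    return 200, "admin panel"


def safe_login(request):
    return 200, "login form"


SAFE_ROUTES = {"/login": safe_login, "/dashboard": safe_dashboard, "/admin": safe_admin}


def check_routes_protected(routes):
    """Fail closed: return every non-public route that lacks the login check."""
    return [path for path, handler in routes.items()
            if path not in PUBLIC_PATHS
            and not getattr(handler, "login_required", False)]


def dispatch(routes, path, cookies=None):
    """Simulate an HTTP request to `path` with the given cookies."""
    handler = routes.get(path)
    if handler is None:
        return 404, "not found"
    return handler({"path": path, "cookies": cookies or {}})


if __name__ == "__main__":
    # An unauthenticated request straight to /admin:
    print(dispatch(VULN_ROUTES, "/admin"))       # (200, 'admin panel')  <- bypass
    print(dispatch(SAFE_ROUTES, "/admin"))       # (302, 'redirect: /login')
    print(check_routes_protected(VULN_ROUTES))   # ['/dashboard', '/admin']
    print(check_routes_protected(SAFE_ROUTES))   # []
```

When testing, request every discovered URL without a session cookie and compare the response to the same request with a valid session; any protected page that returns the same content both times is a bypass. On the defending side, a startup check like `check_routes_protected` (or framework middleware that denies by default) turns "forgot the check on one route" from a silent bug into a failed deployment.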
List of various bugs associated with authentication mechanisms:
1:) Test for user enumeration (different responses, error messages or timings for valid and invalid usernames).
2:) Test for authentication bypass.
3:) Test for brute-force protection or missing rate limiting.
4:) Test the "Remember Me" functionality and the password quality policy.
5:) Test the password reset/recovery functionality.
6:) Test multi-factor authentication: OTP (one-time password) expiry and weak two-factor implementations.
7:) Test the password change functionality, including CSRF on password change.
8:) Test the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), if the website/web app has one.
9:) Duplicate registration / overwriting an existing user.
10:) DoS via the name/password field on the signup page (for example, very long input that is expensive to hash or store).
11:) HttpOnly flag not set on critical cookies (such as the session cookie).
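Items 1 and 3 above (user enumeration and missing brute-force protection) usually show up together in the login handler. The following added example (written for this page; not code from the original post or from any real application) shows a login function that leaks whether a username exists and accepts unlimited guesses, beside a hardened version that returns one generic message, always performs the password hash so timing does not reveal account existence, compares digests in constant time, and counts failures per account. The user table, the lockout threshold and the PBKDF2 parameters are assumptions made for the example.

```python
# Added example: user enumeration + no rate limit in a login handler, and a
# hardened version. USERS, MAX_FAILURES and the hashing parameters are
# illustrative assumptions, not values from any real application.
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low so the example runs quickly; use more in production


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). argon2/bcrypt are better choices."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user table with a single account.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "digest": _digest, "failures": 0}}

# A dummy credential so unknown usernames cost the same time as real ones.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")


# --- Vulnerable version -----------------------------------------------------

def vuln_login(username, password):
    user = USERS.get(username)
    if user is None:
        return "user not found"          # distinct message: leaks valid usernames
    _, digest = hash_password(password, user["salt"])
    if digest != user["digest"]:         # no failure counter: unlimited guesses
        return "wrong password"
    return "ok"


# --- Hardened version -------------------------------------------------------

MAX_FAILURES = 5
GENERIC = "invalid username or password"


def is_locked(username):
    user = USERS.get(username)
    return user is not None and user["failures"] >= MAX_FAILURES


def safe_login(username, password):
    user = USERS.get(username)
    # Always run the hash, even for unknown users, so response time does not
    # differ between "no such user" and "wrong password".
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["digest"] if user else _DUMMY_DIGEST
    _, digest = hash_password(password, salt)
    ok = hmac.compare_digest(digest, expected)   # constant-time comparison
    if user is None:
        return GENERIC
    if user["failures"] >= MAX_FAILURES:
        return GENERIC   # locked: even the right password is refused
    if not ok:
        user["failures"] += 1
        return GENERIC
    user["failures"] = 0
    return "ok"


if __name__ == "__main__":
    print(vuln_login("bob", "x"))     # user not found   <- enumeration
    print(vuln_login("alice", "x"))   # wrong password
    print(safe_login("bob", "x"))     # invalid username or password
    print(safe_login("alice", "x"))   # invalid username or password
    for _ in range(MAX_FAILURES):
        safe_login("alice", "guess")
    print(is_locked("alice"))         # True
```

When testing, compare the full response (status code, body, headers, length and response time) for a known-valid and a known-invalid username, not just the visible message; the registration and password-reset forms leak existence just as often as the login form does. Note that a pure per-account lockout lets an attacker lock victims out on purpose, so in practice it is combined with per-IP or per-device rate limiting and progressive delays rather than used alone.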
Image credit: @hunter 0x7
For more in-depth coverage, please visit the link below:
https://maniesh360neupane.wixsite.com/hackedlifed/post/attacking-authentication-in-modern-web-applications
If you like this article or the content, feel free to give us feedback so we can improve and bring more articles for you!
If you have any questions, contact us on these links:
Twitter:
https://twitter.com/ManieshNeupane?t=rrVcAQigL0kR9gUbpXt21g&s=09
Instagram:
https://instagram.com/maniesh.neupane?igshid=YmMyMTA2M2Y=
Thank you !
Regards: Maniesh Neupane 🇳🇵
Great article