Web application security - the fast guide 1.1 | Page 115

Chapter 6 - Attack execution (2)

(HTTPS). These methods are usually used on local networks, not on the internet.
- Client SSL certificates, with or without a smart card, although these can present a distribution problem.
- Some applications use Windows-integrated authentication (NTLM or Kerberos) or authentication services such as Windows Passport.

6.2 Attack bad passwords

Figure 44: Bad passwords

When an application has no password complexity enforcement, attacking through the password becomes very easy: many passwords are predictable, are common dictionary words, are empty, or are the same as the user name. Some users also leave the default or preconfigured password in place, which makes the attack easier still.

Attack requirement:
- Weak or no password

Attack process:
a- Try empty and default values for the password.
b- Try common dictionary passwords.
c- If you own an account or can self-register, try short passwords and user-name-like passwords to check whether they are permitted; this discloses the password rules.
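The missing "password complexity enforcement functionality" described above is the defender's counter to this attack. The following added example (not code from the book) shows a registration-time policy check that rejects each class of bad password the section lists: empty, default or preconfigured, dictionary words, short passwords, and passwords derived from the user name. The word lists and the 12-character minimum are constructed assumptions; the page gives no concrete values.

```python
import re
from typing import List

# Constructed sample of common dictionary passwords; a real deployment would
# load a large breached-password list from a file instead of this small set.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
}
# Constructed sample of default/preconfigured passwords users tend to leave in place.
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "root", "guest"}

MIN_LENGTH = 12  # assumption: policy minimum; the page states no number


def password_problems(username: str, password: str) -> List[str]:
    """Return the policy rules the candidate password violates.

    Each rule maps to a weakness probed by the attack process above:
    empty/default values, dictionary words, short passwords, and
    passwords built from the user name. An empty list means accepted.
    """
    problems = []
    if not password:
        return ["empty password"]
    pw = password.lower()
    user = username.lower()
    if pw in DEFAULT_PASSWORDS:
        problems.append("default/preconfigured password")
    # Strip digits and symbols so 'Password1!' still matches the dictionary word.
    core = re.sub(r"[^a-z]", "", pw)
    if pw in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common dictionary password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Reject the user name itself, reversed, embedded in, or containing the password.
    if user and (user in pw or user[::-1] in pw or pw in user):
        problems.append("derived from user name")
    return problems


def is_acceptable(username: str, password: str) -> bool:
    """True when the password passes every rule in password_problems()."""
    return not password_problems(username, password)
```

Returning the full list of violations, rather than a bare reject, lets the application tell the user which rule failed without revealing anything an attacker could not already infer from the published policy.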