Web application security - the fast guide 1.1 | Page 116
Chapter 6 - Attack execution (2)
6.3 Brute force attack
Figure 45: Brute force attack technique (diagram of the login process)
Leaving the login process to be repeated unconditionally makes authentication
vulnerable to a brute force attack, which ends in breaking authentication at
the speed with which a penetration system can iteratively try different possible
passwords.
Attack requirement:
A. No check, or only a client-side check, on the number of failed logins.
B. A password that is not very strong.
C. If self-registration is available, it is better to create an account.
Attack process:
A. Before automating the attack, explore the locking policy manually:
try at least (10) bad password values on the same account, then check
any messages and whether the account is still accessible with the right
password.
B. If the account was locked, monitor any cookies to discover whether the
locking is based on client-side information that you can manipulate.
C. See if the system allows you to log in with the right user name and
password; if yes, you can keep guessing.
D. Look for any difference in the response between a bad login and a
successful one, to rely on once the automated phase starts. The Burp
Comparer tool provides a good way to do that.
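The conditions above map directly onto server-side controls. The following sketch is an added example, not code from the guide: it keeps the failure counter on the server, ignores anything the client sends about its own state, refuses even the correct password while the account is locked, and returns one identical message for every failure. The names `LoginGuard`, `MAX_FAILS`, `LOCK_SECONDS` and the threshold values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILS = 5        # assumed threshold before the account locks
LOCK_SECONDS = 900   # assumed lock duration (15 minutes)
GENERIC_ERROR = "Invalid username or password"

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    """Build the (salt, hash) record stored for one account."""
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)

class LoginGuard:
    def __init__(self, users, clock=time.monotonic):
        self.users = users   # username -> (salt, password hash)
        self.fails = {}      # username -> (fail count, locked_until), server side only
        self.clock = clock   # injectable so the lock window can be tested

    def attempt(self, username, password, client_cookies=None):
        # client_cookies is deliberately never read: lock state must not
        # depend on anything the client can edit (requirement A, step B).
        now = self.clock()
        count, locked_until = self.fails.get(username, (0, 0.0))
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0          # lock window has expired
        # Always hash, even for unknown users, to keep response time uniform.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(hash_pw(password, salt), stored)
        if now < locked_until:
            # Step C: the right password is refused while locked, and the
            # message matches an ordinary failure (step D).
            return False, GENERIC_ERROR
        if ok:
            self.fails.pop(username, None)
            return True, "OK"
        count += 1
        if count >= MAX_FAILS:
            locked_until = now + LOCK_SECONDS
        self.fails[username] = (count, locked_until)
        return False, GENERIC_ERROR
```

In production the `fails` table would live in shared storage with expiry, since an in-memory dictionary grows with every username tried and is not shared across application servers.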