Web application security - the fast guide 1.1 | Page 116

Chapter 6 - Attack execution (2)

6.3 Brute force attack

[Figure 45: Brute force attack technique (login process)]

Leaving the login process open to unconditional repetition makes authentication vulnerable to a brute force attack, which breaks authentication as fast as a penetration system can iteratively try different possible passwords.

Attack requirements:

A. No check, or only a client-side check, on the number of failed logins.
B. A password that is not very strong.
C. If self-registration is available, it is better to create an account.

Attack process:

A. Before automating the attack, explore the locking policy manually: try at least 10 bad password values on the same account, then check any messages and whether the account is still accessible with the right password.
B. If the account was locked, monitor the cookies to discover whether the locking is based on client-side information that you can manipulate.
C. See if the system allows you to log in with the right user name and password; if yes, you can keep guessing.
D. Monitor for any difference in response between a bad login and a successful one, to rely on when the automated phase starts. The Burp Comparer tool provides a good way to do that.
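
The server-side control that removes requirement A and closes the gaps probed in steps B and C, as an added example that is not part of the original guide: failures are counted on the server, client cookies are ignored, and a locked account refuses even the correct password with the same reply as a bad one. The names LoginThrottle, make_user, MAX_FAILS and LOCK_SECONDS, and the threshold values, are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILS = 5                    # assumed threshold
LOCK_SECONDS = 900               # assumed lock duration
GENERIC = "invalid credentials"  # one reply for bad password and locked account


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password):
    """Build a (salt, hash) record for the constructed user store."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


class LoginThrottle:
    """Counts failed logins on the server; nothing the client sends resets it."""

    def __init__(self, users, clock):
        self._users = users       # username -> (salt, hash)
        self._clock = clock       # injectable time source, e.g. time.monotonic
        self._fails = {}          # username -> consecutive failures
        self._locked_until = {}   # username -> time the lock expires

    def login(self, username, password, client_cookies=None):
        # client_cookies is deliberately unused: a fail counter kept in a
        # cookie is client-controlled state (requirement A, step B).
        now = self._clock()
        locked = self._locked_until.get(username, 0) > now
        # Unknown users get a dummy record so the same work is always done.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if locked:
            # Step C: the right password is refused too while the lock holds.
            return GENERIC
        if ok:
            self._fails.pop(username, None)
            return "ok"
        self._fails[username] = self._fails.get(username, 0) + 1
        if self._fails[username] >= MAX_FAILS:
            self._locked_until[username] = now + LOCK_SECONDS
            self._fails.pop(username, None)
        return GENERIC
```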