Attacking password-based authentication

What is it?

Password-based authentication lets a user register an account and set a password, or an administrator creates the account and assigns the password. It is commonly susceptible to brute-force and password-spraying attacks, to credential stuffing (replaying username/password pairs leaked from other sites), and to abuse of the lockout mechanism itself to deny service to legitimate users.

A simple example

  • A vulnerable web application allows users to sign up and set a password.

  • After 10 failed login attempts, an account is locked.

  • If an attacker tries 9 common passwords against every user account (password spraying), no single account ever reaches the lockout threshold, and the attacker gains access to every account whose owner chose one of those passwords.
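To make the example concrete, here is a small simulation added for this page (it is not code from the original). It implements the policy above (lock after 10 failures), runs a 9-password spray against a constructed set of users, and then repeats the spray against a hardened service that also counts failures per source address. The users, passwords, IP address and the per-source threshold are all assumptions made for the example.

```python
"""Password spraying against a per-account lockout policy.

Added example, not code from the original page. It simulates the login
service described above (an account locks after 10 failed attempts) and shows
that a spray of 9 common passwords against every account never trips the
lockout, while a per-source failure counter (the hardening assumed here) does.
All users, passwords and the IP address are constructed sample data.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 10   # failed attempts per account before lockout (from the page)
SOURCE_THRESHOLD = 10    # failed attempts per source address before blocking (assumed)

# Constructed user base: only carol and dave chose common passwords.
USERS = {
    "alice": "Tr0ub4dor&3-correct-horse",
    "bob": "xK9#mPq2$vL7wN",
    "carol": "Password1",
    "dave": "Welcome123",
}

# Nine guesses: one below the lockout threshold, so no account ever locks.
COMMON_PASSWORDS = [
    "123456", "password", "Password1", "qwerty", "Welcome123",
    "letmein", "abc123", "iloveyou", "admin",
]


class LoginService:
    """Toy login backend. A real service compares password hashes; plaintext
    comparison is used here only to keep the lockout logic visible."""

    def __init__(self, per_source_limit=None):
        self.failures = defaultdict(int)          # per-account failure counter
        self.locked = set()
        self.per_source_limit = per_source_limit  # None = the page's policy as-is
        self.source_failures = defaultdict(int)
        self.blocked_sources = set()

    def login(self, username, password, source_ip):
        if source_ip in self.blocked_sources:
            return "blocked"
        if username in self.locked:
            return "locked"
        if USERS.get(username) == password:
            self.failures[username] = 0
            return "ok"
        # Wrong password: count it against the account and against the source.
        self.failures[username] += 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        self.source_failures[source_ip] += 1
        if self.per_source_limit and self.source_failures[source_ip] >= self.per_source_limit:
            self.blocked_sources.add(source_ip)
        return "failed"


def spray(service, source_ip="198.51.100.7"):
    """Attacker loop: passwords on the outer loop, accounts on the inner one,
    so each account sees at most len(COMMON_PASSWORDS) failures."""
    compromised = {}
    for password in COMMON_PASSWORDS:
        for user in USERS:
            if user in compromised:
                continue
            if service.login(user, password, source_ip) == "ok":
                compromised[user] = password
    return compromised


def max_account_failures(service):
    """Highest failure count any single account accumulated."""
    return max(service.failures.values(), default=0)


if __name__ == "__main__":
    page_policy = LoginService()
    print("per-account lockout only:", spray(page_policy),
          "locked:", page_policy.locked,
          "max failures on one account:", max_account_failures(page_policy))
    hardened = LoginService(per_source_limit=SOURCE_THRESHOLD)
    print("with per-source limit:", spray(hardened),
          "blocked sources:", hardened.blocked_sources)
```

Against the page's policy alone the spray recovers both weak accounts and no account ever locks (the worst case is 9 failures). The per-source counter stops the same spray after 10 failures, before a single account falls, but it is itself defeated by distributing the attempts across many addresses; the durable controls are MFA and a global signal (failed-login rate across all accounts), which is what the "rate limiting" item in the checklist should probe for.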

Broken authentication can often lead to:

  • Account takeover

  • Sensitive data exposure


Checklist

  • Can we enumerate user accounts?

    • Registration page

    • Login page

    • Password reset page

  • Is there any brute-force protection?

    • Check for account lockouts

    • Check for rate limiting

    • Check for CAPTCHA

    • Check for MFA

  • What is the password policy?

    • Check the strength requirements

    • Is the password stored securely? (e.g. does the reset or "forgot password" flow send us our existing cleartext password, which means it is not hashed)

    • Is the password reset token sufficiently unique?

  • Are credentials predictable?

    • Check for default credentials

    • Check for username conventions (e.g. firstname.lastname)

  • Is autocomplete enabled on password fields?

  • Check the password reset functionality

    • Knowledge-based questions

    • Token leakage via the Referer header (e.g. the reset page loads third-party resources while the token is in the URL)

    • Token predictability

  • Is authentication happening client-side?

  • Are there any backups or leaked files containing credentials?

  • Is there "remember me" or auto-login functionality?

    • Are the tokens for this predictable?

    • How long does the token remain valid?

  • Are tokens or credentials passed via the URL?

  • Are the login, password-change and reset forms protected by CSRF tokens?
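The two reset-token items in the checklist ("Is the password reset token sufficiently unique?" and "Token predictability") are illustrated by the following added example, which is not code from the original page. It places a deliberately weak token scheme, derived from the user's e-mail address and the issue time, next to a hardened store that draws the token from the OS CSPRNG, keeps only its SHA-256, and makes each token single-use and time-limited. The scheme details, names, e-mail address and 15-minute lifetime are assumptions made for the example.

```python
"""Password-reset tokens: predictable versus unpredictable.

Added example, not code from the original page. The weak scheme derives the
token from the user's e-mail and the issue time, so an attacker who knows
roughly when the reset was requested can regenerate it with a handful of
guesses. The hardened store draws the token from the OS CSPRNG, keeps only its
SHA-256 so a database dump does not hand out live tokens, and makes each token
single-use and time-limited. Scheme details, names and the 15-minute lifetime
are assumptions made for this example.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def predictable_token(email, issued_at):
    """Weak scheme (constructed for illustration): MD5 of e-mail and issue
    timestamp, truncated to 16 hex characters. Every input is known or
    guessable by the attacker, so the token is reproducible."""
    material = f"{email}:{int(issued_at)}".encode()
    return hashlib.md5(material).hexdigest()[:16]


def guess_predictable_tokens(email, observed_time, window=60):
    """Attacker side: if the reset was requested within +/- window seconds of
    observed_time, the real token is among these 2*window+1 candidates."""
    start, end = int(observed_time) - window, int(observed_time) + window
    return [predictable_token(email, t) for t in range(start, end + 1)]


class ResetTokenStore:
    """Server side of the hardened scheme. `now` is injectable so expiry can
    be exercised without sleeping."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (username, expires_at)

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._now() + TOKEN_TTL_SECONDS)
        return token  # goes to the user out of band (e-mail link); never logged

    def redeem(self, token):
        """Return the username the token belongs to, or None. Hashing before
        lookup means the attacker never controls the bytes being compared,
        and pop() makes a token work at most once."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username


if __name__ == "__main__":
    requested_at = 1_700_000_000
    real = predictable_token("carol@example.com", requested_at)
    guesses = guess_predictable_tokens("carol@example.com", requested_at + 37)
    print("weak token recovered by guessing:", real in guesses,
          "from", len(guesses), "candidates")

    store = ResetTokenStore()
    tok = store.issue("carol")
    print("hardened token redeems once:", store.redeem(tok),
          "then:", store.redeem(tok))
```

When testing a real target, the practical check is to request several resets for the same account in quick succession and compare the tokens: shared prefixes, short length, or a relationship to the request time all point at the weak pattern, whereas tokens from the hardened scheme share nothing beyond their length.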
