Nowadays, most web applications have a login portal or some other mechanism to authenticate that a user is who they claim to be.

Attacks against authentication can be grouped into three main categories: attacks on password-based login, on multi-factor authentication, and on other authentication mechanisms.

Password-based logins

In this type of login a username and a password are required to verify a user's identity. Hence, if there is any behaviour on the website that could allow an attacker to guess the username or the password, it may be possible to impersonate any user of the application.

This behaviour could consist of:

  • Status code: In some cases the web application responds with a different status code depending on whether the guessed username and/or password is correct.

  • Error message: An error message such as "Username is invalid" might differ depending on whether the guessed username and/or password is correct.

  • Response time: If the guessed username and/or password is correct, the response might take longer because the application has to perform extra steps.
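As an added example (not code from the original page), the following Python login check removes all three signals above: every failure returns the same status code and message, the password comparison is constant-time, and an unknown username still costs one PBKDF2 derivation against a dummy hash so the response time does not reveal whether the account exists. The user store, salt and credentials are constructed for the example; a leaky version is included only for contrast.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# The credential is a sample for the example, not a real account.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy salt/hash used when the username is unknown, so that path does the
# same amount of work as a wrong password for a real user (response time).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = (401, "Invalid username or password")


def leaky_login(username, password):
    """Vulnerable variant: status code, message and timing all differ
    between 'no such user' and 'wrong password'."""
    if username not in USERS:
        return 404, "Username is invalid"          # early exit, no hashing
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:             # non-constant-time compare
        return 401, "Password is incorrect"
    return 200, "OK"


def login(username, password):
    """Hardened variant: one status, one message, uniform work per request."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)               # always derive a hash
    ok = hmac.compare_digest(candidate, stored)     # constant-time comparison
    if ok and username in USERS:
        return 200, "OK"
    return GENERIC_FAILURE


if __name__ == "__main__":
    print(login("alice", "correct horse"))   # (200, 'OK')
    print(login("alice", "wrong"))           # (401, 'Invalid username or password')
    print(login("nobody", "wrong"))          # same tuple as the line above
```

The point of the dummy hash is that the unknown-user branch must not be cheaper than the wrong-password branch; a generic message alone does not help if the server answers unknown usernames in a fraction of the time.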

Username guessing and enumeration

If you are auditing a company's software, it is quite common that the usernames in its applications follow one of the following structures:

  • <firstname>.<surname>@<companyname>.com

  • <firstname><surname_initial>@<companyname>.com

You can also infer the structure by performing some OSINT techniques or by brute-force attacks using a wordlist of usernames.

Account locking

Some websites try to prevent brute forcing by locking the user account once a number of failed login attempts is reached. Hence, if an attacker tries several wrong passwords and receives a message saying that the account is locked, we can take for certain that the account exists.

Password brute forcing

Account locking bypass

If the web application bans your IP after too many login attempts, first check how many wrong login attempts are needed before the application bans your IP (#BlockTries). Then perform the brute-force attack, but after every #BlockTries-1 attempts perform a successful login, so that the counter is reset to 0.
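To show why that bypass works and how a lockout policy can be written so it does not, here is an added Python example (not from the original page) with two interchangeable policies for the same login endpoint: a "reset on success" counter, which is exactly what the #BlockTries-1 pattern defeats, and a sliding-window counter that keeps counting failures regardless of interleaved successes. BLOCK_TRIES, the window length and the IP address are constructed values.

```python
from collections import deque
import time

BLOCK_TRIES = 5        # failures tolerated before blocking (constructed value)
WINDOW_SECONDS = 600   # sliding window for the hardened policy


class ResetOnSuccess:
    """Weak policy: one successful login sets the failure counter to zero."""

    def __init__(self):
        self.failures = {}                 # ip -> consecutive failure count

    def allowed(self, ip):
        return self.failures.get(ip, 0) < BLOCK_TRIES

    def record(self, ip, success):
        self.failures[ip] = 0 if success else self.failures.get(ip, 0) + 1


class SlidingWindow:
    """Hardened policy: every failure inside the window counts, and a success
    does not erase them, so alternating failures with a known-good login
    cannot keep the counter below the threshold."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.failures = {}                 # ip -> deque of failure timestamps

    def _prune(self, ip):
        q = self.failures.setdefault(ip, deque())
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def allowed(self, ip):
        return len(self._prune(ip)) < BLOCK_TRIES

    def record(self, ip, success):
        if not success:
            self._prune(ip).append(self.now())


def simulate(policy, ip, outcomes):
    """Feed a sequence of login outcomes (True = success) through a policy
    and return how many attempts were let through before the block kicked in."""
    allowed = 0
    for ok in outcomes:
        if not policy.allowed(ip):
            break
        policy.record(ip, ok)
        allowed += 1
    return allowed


# The pattern from the text: BLOCK_TRIES-1 failures, then one success, repeated.
PATTERN = ([False] * (BLOCK_TRIES - 1) + [True]) * 3

if __name__ == "__main__":
    ip = "198.51.100.7"                    # documentation-range address
    print(simulate(ResetOnSuccess(), ip, PATTERN))   # 15: never blocked
    print(simulate(SlidingWindow(), ip, PATTERN))    # 6: blocked on the 7th try
```

A detection rule follows from the same idea: alert on sources whose failures per window stay just under the lockout threshold while interleaving successes, since that shape is characteristic of a counter-reset bypass rather than a user mistyping a password.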

Multi-factor authentication

MFA process not required

It might be the case that, just after submitting the credentials but before submitting the MFA code, you are already logged in. So, by changing the URL you can access the functions of the website.

2FA code brute forcing

Some websites do not provide countermeasures against brute-force attacks on the 2FA code. Hence, if the code is short it might be easily brute forced, allowing the victim's account to be impersonated.

2FA does not validate the authentication code properly

Another vulnerability is that the 2FA step does not check whose code is submitted and only checks whether the code is valid. Thus, an attacker could provide a 2FA authentication code issued to a legitimate account of their own, bypassing the authentication process.
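The three MFA weaknesses above (logged in before the second factor, unlimited code guesses, and a code not bound to the user it was issued for) share one root cause: the server keeps no authoritative state for the pending login. The following added Python example (not from the original page) shows server-side session state that enforces all three properties. The code generator, the attempt limit and the user names are constructed stand-ins.

```python
import hmac
import secrets

MAX_MFA_ATTEMPTS = 5      # constructed limit per pending session
SESSIONS = {}             # session_id -> {"state", "user", "code", "attempts"}


def issue_code(user):
    """Constructed stand-in for a TOTP/SMS generator. The code is bound to
    `user` by being stored only in that user's pending session."""
    return f"{secrets.randbelow(10**6):06d}"


def password_step(user):
    """Password accepted: the session exists but is only *pending* MFA."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"state": "pending_mfa", "user": user,
                     "code": issue_code(user), "attempts": 0}
    return sid


def mfa_step(sid, submitted_code):
    """Second factor: compared against the code of *this* session's user,
    counted per session, and only moves the state forward on success."""
    s = SESSIONS.get(sid)
    if s is None or s["state"] != "pending_mfa":
        return False
    if s["attempts"] >= MAX_MFA_ATTEMPTS:
        SESSIONS.pop(sid)                  # guess budget spent: drop the session
        return False
    s["attempts"] += 1
    if hmac.compare_digest(submitted_code, s["code"]):
        s["state"] = "authenticated"
        s["code"] = None                   # single use
        return True
    return False


def is_authenticated(sid):
    """Every protected URL checks this, not merely 'a session cookie exists'."""
    s = SESSIONS.get(sid)
    return s is not None and s["state"] == "authenticated"


if __name__ == "__main__":
    sid = password_step("alice")
    print(is_authenticated(sid))                       # False: MFA still pending
    print(mfa_step(sid, SESSIONS[sid]["code"]))        # True
    print(is_authenticated(sid))                       # True
```

Because the expected code is looked up from the session rather than from whatever account the submitted code happens to belong to, a valid code issued to another account is just another wrong guess, and it also consumes one of the limited attempts.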

Other authentication mechanisms

Broken password reset mechanism

Some websites fail to validate the token provided to reset the victim's password. So, an attacker can exploit this vulnerability by submitting a token from a different account or by simply removing the token and providing the victim's username.

Password reset poisoning via middleware

It can be the case that the application uses some kind of middleware to send the password reset email with the reset link in it. If the middleware uses headers such as X-Forwarded-Host to build the domain of the reset URL, an attacker could supply a malicious domain and obtain the password reset token once the victim has clicked on the link.
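Both reset weaknesses above come down to what the server trusts: the token's owner and the link's host. As an added Python example (not from the original page), the reset flow below stores each token server-side bound to the account it was issued for, with an expiry and single use, rejects an absent or foreign token, and builds the link from a configured canonical host instead of the Host or X-Forwarded-Host header. The host name, TTL and account names are constructed; a leaky link builder is shown only for contrast.

```python
import hashlib
import hmac
import secrets
import time

CANONICAL_HOST = "accounts.example.com"   # configured, never taken from headers
TOKEN_TTL = 900                           # seconds a reset token stays valid
RESET_TOKENS = {}                         # sha256(token) -> (username, expires_at)


def issue_reset(username, now=time.time):
    """Create a token for `username`; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (username, now() + TOKEN_TTL)
    return token


def leaky_reset_link(token, request_headers):
    """Vulnerable variant: the link host comes from attacker-influenced headers."""
    host = request_headers.get("X-Forwarded-Host", request_headers.get("Host"))
    return f"https://{host}/reset?token={token}"


def reset_link(token, request_headers):
    """Hardened variant: headers are ignored for the host."""
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def consume_reset(username, token, now=time.time):
    """True only if `token` exists, is unexpired and was issued for `username`.
    A missing token or another account's token is rejected; success burns it."""
    if not token:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.get(digest)
    if entry is None:
        return False
    owner, expires_at = entry
    if now() > expires_at or not hmac.compare_digest(owner, username):
        return False
    RESET_TOKENS.pop(digest)               # single use
    return True


if __name__ == "__main__":
    headers = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "evil.example"}
    t = issue_reset("victim")
    print(leaky_reset_link(t, headers))    # link points at evil.example
    print(reset_link(t, headers))          # link points at accounts.example.com
    print(consume_reset("victim", "", ))   # False: token removed
    print(consume_reset("victim", t))      # True, and the token is now gone
```

Checking the token's owner against the username in the request is what stops the "token from a different account" case; the `if not token` guard and the dictionary lookup together stop the "just remove the token" case, since an empty or unknown token never reaches the owner check.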

Password brute-force via password change

After logging in to the web application, most websites allow the user to change their password by providing the current password and the new password twice. If you enter an incorrect current password together with two different new passwords, an error message such as "Current password is incorrect" appears, but if you enter the valid current password with two different new passwords, the message says "New passwords do not match". Hence, you can use the message to enumerate correct passwords.
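The fix is to stop the error message from depending on which check failed first. The added Python example below (not from the original page) contrasts a change-password handler that short-circuits on the current-password check, and therefore acts as a password oracle, with one that evaluates both conditions and reports a single generic message on any failure. The account store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"
ACCOUNTS = {"alice": _hash("correct horse", SALT)}   # constructed account
GENERIC = "Could not change password"


def leaky_change_password(user, current, new1, new2):
    """Vulnerable variant: the message reveals which check failed, so a
    logged-in attacker can test candidate current passwords one by one."""
    if not hmac.compare_digest(_hash(current, SALT), ACCOUNTS[user]):
        return False, "Current password is incorrect"
    if new1 != new2:
        return False, "New passwords do not match"
    ACCOUNTS[user] = _hash(new1, SALT)
    return True, "OK"


def change_password(user, current, new1, new2):
    """Hardened variant: every condition is evaluated before deciding, and
    any failure produces the same message."""
    current_ok = hmac.compare_digest(_hash(current, SALT), ACCOUNTS[user])
    match_ok = hmac.compare_digest(new1.encode(), new2.encode())
    if not (current_ok and match_ok):
        return False, GENERIC
    ACCOUNTS[user] = _hash(new1, SALT)
    return True, "OK"


if __name__ == "__main__":
    print(leaky_change_password("alice", "guess", "a", "b"))          # reveals wrong current
    print(leaky_change_password("alice", "correct horse", "a", "b"))  # reveals correct current
    print(change_password("alice", "guess", "a", "b"))                # generic
    print(change_password("alice", "correct horse", "a", "b"))        # same generic
```

The mismatch of the two new passwords can legitimately be reported to the user client-side before the request is sent, which is why the server no longer needs to distinguish it; the change-password endpoint should also be subject to the same attempt limits as the login form, since it accepts the current password just like a login does.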
