■ If usernames are generated by the application, try to obtain several usernames in quick succession and determine whether any sequence or pattern can be discerned.
■ If so, extrapolate backwards to obtain a list of possible valid usernames. This can be used as the basis for a brute-force attack against the login and other attacks where valid usernames are required, such as the exploitation of access control flaws (see Chapter 8).
Predictable Initial Passwords
In some applications, users are created all at once or in sizeable batches and are automatically assigned initial passwords, which are then distributed to them through some means. The means of generating passwords may enable an attacker to predict the passwords of other application users. This kind of vulnerability is more common on intranet-based corporate applications — for example, where every employee has an account created on their behalf, and receives a printed notification of their password.
In the most vulnerable cases, all users receive the same password, or one closely derived from their username or job function. In other cases, generated passwords may contain sequences that could be identified or guessed with access to a very small sample of initial passwords.
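As an added illustration (not from the book), the following Python places a constructed generator of the kind described above beside a CSPRNG-based one, and provides an audit an application owner can run over a small sample of (username, initial password) pairs to flag the patterns just listed. All usernames and passwords in it are constructed sample data.

```python
import re
import secrets
import string
from itertools import combinations

ALPHABET = string.ascii_letters + string.digits


def weak_initial_password(username: str, counter: int) -> str:
    """Constructed example of the flaw: password derived from the username
    plus a running counter, so a few samples reveal the whole batch."""
    return f"{username[:4].capitalize()}{1000 + counter}"


def strong_initial_password(length: int = 14) -> str:
    """Initial password drawn from the OS CSPRNG; unrelated to the username
    and to every other password in the batch."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def audit_batch(accounts: list[tuple[str, str]]) -> list[str]:
    """Flag predictable initial passwords in a batch of (username, password)
    pairs. Returns human-readable findings; an empty list means no check fired."""
    findings = []
    passwords = [p for _, p in accounts]
    if len(set(passwords)) < len(passwords):
        findings.append("identical password issued to more than one user")
    for user, pw in accounts:
        stem = user.lower()[:4]          # first letters of the username
        if len(stem) >= 3 and stem in pw.lower():
            findings.append(f"{user}: password derived from username")
    for (u1, p1), (u2, p2) in combinations(accounts, 2):
        if _common_prefix_len(p1, p2) >= max(4, len(p1) // 2):
            findings.append(f"{u1}/{u2}: passwords share a long common prefix")
    tails = []                           # trailing numbers, e.g. a counter
    for pw in passwords:
        m = re.search(r"\d+$", pw)
        if m:
            tails.append(int(m.group()))
    tails.sort()
    if len(tails) >= 3 and all(b - a == 1 for a, b in zip(tails, tails[1:])):
        findings.append("numeric suffixes form a consecutive sequence")
    return findings
```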
HACK STEPS
■