The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

even to an amateur attacker who manually enters some common usernames

and passwords into their browser. Values frequently encountered even in pro-

duction systems include:

■■

test

■■

testuser

■■

admin

■■

administrator

■■

demo

■■

demouser

■■

password

■■

password1

■■

password123

■■

qwerty

■■

test123

■■

letmein

■■

[organization’s name]

In this situation, any serious attacker will use automated techniques to

attempt to guess passwords, based on lengthy lists of common values. Given

today’s bandwidth and processing capabilities, it is possible to make thou-

sands of login attempts per minute from a standard PC and DSL connection.

Even the most robust passwords will be eventually broken in this scenario.

Various techniques and tools for using automation in this way are described

in detail in Chapter 13. Figure 6-2 demonstrates a successful password guess-

ing attack against a single account using Burp Intruder. The successful login

attempt can be clearly distinguished by the difference in the HTTP response

code, the response length, and the absence of the “login incorrect” message.

N OT E

Download 5,76 Mb.

Do'stlaringiz bilan baham: