Incomplete Validation of Credentials
Well-designed authentication mechanisms enforce various requirements on passwords, such as a minimum length or the presence of both uppercase and lowercase characters. Correspondingly, some poorly designed authentication mechanisms not only do not enforce these good practices but also do not take account of users' own attempts to comply with them.

For example, some applications truncate passwords and so only validate the first n characters. Some applications perform a case-insensitive check of passwords. Some applications strip out unusual characters (sometimes on the pretext of performing input validation) before checking passwords.

Each of these limitations on password validation reduces by an order of magnitude the number of variations available in the set of possible passwords. Through experimentation, you can determine whether a password is being fully validated, or whether any limitations are in effect. You can then fine-tune your automated attacks against the login to remove unnecessary test cases, thereby massively reducing the number of requests necessary to compromise user accounts.
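To make the three flaws concrete, the following is an added Python example (not code from the book) that places a deliberately weak verifier, which truncates, folds case and strips non-alphanumerics before hashing, beside one that validates the password exactly as supplied, and measures how far the flaws shrink the password space. The 8-character truncation limit, the PBKDF2 parameters and the sample passwords are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import os

TRUNCATE_AT = 8  # assumed legacy truncation limit (constructed value)


def weak_normalize(password: str) -> str:
    """The three flaws from the text, applied before hashing:
    truncate to n characters, fold case, strip 'unusual' characters."""
    truncated = password[:TRUNCATE_AT]
    folded = truncated.lower()
    return "".join(ch for ch in folded if ch.isalnum())


def _digest(material: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the demo
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)


def enroll(password: str, weak: bool) -> tuple[bytes, bytes]:
    """Store salt and hash. weak=True reproduces the flawed pre-processing."""
    salt = os.urandom(16)
    material = weak_normalize(password) if weak else password
    return salt, _digest(material, salt)


def verify(password: str, salt: bytes, digest: bytes, weak: bool) -> bool:
    """Full validation hashes the password exactly as the user supplied it."""
    material = weak_normalize(password) if weak else password
    return hmac.compare_digest(_digest(material, salt), digest)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy upper bound for a uniformly chosen password."""
    return length * math.log2(alphabet_size)


def distinct_after_weak_normalize(candidates: list[str]) -> int:
    """Audit helper: how many candidate passwords stay distinguishable
    once the weak check has collapsed case, length and symbols."""
    return len({weak_normalize(c) for c in candidates})


if __name__ == "__main__":
    salt, stored = enroll("Pa$$w0rd!Extra", weak=True)
    print(verify("PAW0RD", salt, stored, weak=True))   # True: flaws accept it
    salt, stored = enroll("Pa$$w0rd!Extra", weak=False)
    print(verify("PAW0RD", salt, stored, weak=False))  # False
    print(round(keyspace_bits(95, 12)), round(keyspace_bits(36, 8)))  # 79 41
```

The drop from roughly 79 bits (12 printable-ASCII characters) to 41 bits (8 case-folded alphanumerics) is the "order of magnitude" reduction the text refers to, which is why the fix is to hash the password exactly as entered rather than a normalized form of it.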
HACK STEPS