accounts to have identical credentials. In the first instance, the application's behavior will effectively disclose to one user the credentials of a different user. In the second instance, subsequent logins by one of the users will result in access to the other user's account.
■ An attacker may exploit this behavior to carry out a successful brute-force attack, even though this may not be possible elsewhere due to restrictions on failed login attempts. An attacker can register a specific username multiple times with different passwords, while monitoring for the differential response that indicates that an account with that username and password already existed. The attacker will have ascertained a target user's password without making a single attempt to log in as that user.
Badly designed self-registration functionality can also provide a means for
username enumeration. If an application disallows duplicate usernames, then
an attacker may attempt to register large numbers of common usernames to
identify the existing usernames that are rejected.
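The two flawed behaviors described above (a registration response that reveals whether a username exists, or whether a given username/password pair already exists) beside a hardened handler whose response is identical in every case. This is an added illustration, not code from the book; the in-memory store and the out-of-band notification hook are constructed stand-ins for the application's database and mailer.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Constructed in-memory stand-in for the application's user database."""
    users: dict = field(default_factory=dict)        # username -> (salt, pw_hash)
    notifications: list = field(default_factory=list)  # out-of-band messages sent


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(store: UserStore, username: str, password: str) -> bool:
    salt, pw_hash = store.users[username]
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


def register_leaky(store: UserStore, username: str, password: str) -> str:
    """Flawed design: the response differs by username existence and, worse,
    by whether the submitted password matches the existing account."""
    if username in store.users:
        if verify_password(store, username, password):
            return "account already exists with these credentials"  # credential oracle
        return "username taken"                                      # username oracle
    salt = os.urandom(16)
    store.users[username] = (salt, hash_password(password, salt))
    return "account created"


def register_uniform(store: UserStore, username: str, password: str) -> str:
    """Hardened: the existing password is never compared, the stored account
    is never touched, and the same response (and similar work) is returned
    whether or not the username exists. The existing owner is told out of band
    (hypothetical notify hook) that someone tried to register their name."""
    if username in store.users:
        hash_password(password, os.urandom(16))  # equalise work to limit timing differences
        store.notifications.append((username, "registration attempted on your account"))
    else:
        salt = os.urandom(16)
        store.users[username] = (salt, hash_password(password, salt))
        store.notifications.append((username, "confirm your new account"))
    return "check your e-mail to complete registration"
```

The uniform handler deliberately moves the existence signal out of the HTTP response, so the only party who learns that the username was already taken is its legitimate owner.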
HACK STEPS