The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Target an enumerated or guessed username, and attempt to register

Download 5,76 Mb.

Pdf ko'rish

bet	270/875
Sana	01.01.2022
Hajmi	5,76 Mb.
	#293004

1 ... 266 267 268 269 270 271 272 273 ... 875

Bog'liq
3794 1008 4334

If no error message results, log in using the credentials you specified
Chapter 6

Target an enumerated or guessed username, and attempt to register

this username multiple times with a list of common passwords. When

the application rejects one specific password, you have probably

found the existing password for the targeted account.

■

If no error message results, log in using the credentials you specified

and see what happens. You may need to register several users, and

modify different data held within each account, to understand

whether this behavior can be used to gain unauthorized access to

other users’ accounts.

Chapter 6

■

Attacking Authentication

153

70779c06.qxd:WileyRed 9/14/07 3:13 PM Page 153

Predictable Usernames

Some applications automatically generate account usernames according to

some predictable sequence (for example, cust5331, cust5332, etc.). When an

application behaves like this, an attacker who can discern the sequence can

very quickly arrive at a potentially exhaustive list of all valid usernames,

which can be used as the basis for further attacks. Unlike enumeration meth-

ods that rely on making repeated requests driven by wordlists, this means of

determining usernames can be carried out very non-intrusively with minimal

interaction with the application.

HACK STEPS

■

Download 5,76 Mb.

Do'stlaringiz bilan baham:

1 ... 266 267 268 269 270 271 272 273 ... 875