🛠️ Logging in

Theory

link default passwords

Authentication issues are important to take into consideration. A login page can be the beginning of serious issues regarding accounts takeover.

or bruteforce

Practice

or authentication bypass

Brute-force

Brute-forcing can have 2 interesting purposes during a pentest engagement:

Verifying that the web application implements security measures against brute-forcing.
Taking over an account by guessing its credentials.

One has to check whether a defense mechanism is used (account locking, blocking IP, CAPTCHA, etc.)

{% hint style="warning" %} Account locking can lead to a denial of service and allow user enumeration. Check the OWASP recommendation on how it should be implemented. {% endhint %}

User enumeration

User enumeration can be made possible depending on the:

Status code (is the status code retrieved, always the same?)
Error messages (does the error messages give a hint on whether the account exists?)
Response time (is the response time always the same?)

JSON Web Tokens (JWS) / OAuth 2.0

Check the following pages for issues regarding JWS and OAuth 2.0.

SQL injection

The tool sqlmap can unveil SQL injections on log-in forms.

sqlmap -r $REQUEST_FILE -p $LOGIN_PARAM,$PWD_PARAM

{% hint style="warning" %} Use the --level and --delay options in pentest engagements to avoid issues (aggressive payloads and denial of service) {% endhint %}