Blue Flower

Guessing User Credentials

When we submit wrong credentials, we receive a message that states either that the username is not present on the system or that the provided password is wrong. An attacker can use this difference to enumerate a list of valid users on the system. That list can then be used to attack the web application, for example through a brute-force or default username/password attack.

Technical Tips:-

The application should answer in the same manner for every failed authentication attempt, whether the username does not exist or the password is wrong.

For Example:

Credentials submitted are not valid..

Or

UserName or Password mismatched..
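
The following is an added example, not code from the original article, showing a leaky login check beside a hardened one that returns the same message on every failure. The user store, the `login_leaky` / `login_hardened` function names and the PBKDF2 parameters are assumptions made for the demonstration; the hardened version also hashes against a dummy record when the user does not exist, so that the "unknown user" path does roughly the same amount of work as the "wrong password" path and cannot be told apart by response time.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000  # assumed PBKDF2 work factor for the demo


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store for the example: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_pw("CorrectHorse1!", _SALT))}

# Dummy record used when the username does not exist, so the failure path
# still performs a full hash computation instead of returning early.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw(secrets.token_urlsafe(16), _DUMMY_SALT)

# One generic message for every failure, as the tip above recommends.
GENERIC_MESSAGE = "UserName or Password mismatched.."


def login_leaky(username: str, password: str):
    """'Before': the error text reveals whether the username exists."""
    if username not in USERS:
        return (False, "Unknown user")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return (False, "Wrong password")
    return (True, "OK")


def login_hardened(username: str, password: str):
    """'After': same message and comparable work on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always run the hash and the constant-time compare before checking
    # existence, so an absent user costs the same as a wrong password.
    ok = hmac.compare_digest(_hash_pw(password, salt), stored) and username in USERS
    if not ok:
        return (False, GENERIC_MESSAGE)
    return (True, "OK")


if __name__ == "__main__":
    for user, pw in [("bob", "x"), ("alice", "x"), ("alice", "CorrectHorse1!")]:
        print(user, login_leaky(user, pw), login_hardened(user, pw))
```

Note that the hardened function still returns the generic message for a nonexistent user only after computing a PBKDF2 hash against the dummy record; dropping that dummy computation would reintroduce a timing difference between the two failure cases even though the message text is identical.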

EXTRA – TIPS:-

We can enforce that user credentials are created with the following composition, or a variant of it:

  • at least: 1 uppercase character (A-Z)
  • at least: 1 lowercase character (a-z)
  • at least: 1 digit (0-9)
  • at least one special character (!"£$%&...)
  • a defined minimum length (e.g. 8 chars)
  • a defined maximum length (as with all external input)
  • no sequential runs of characters (e.g. 123abcd)
  • not more than 2 identical characters in a row (1111)
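
As an added example (not code from the original article), the checker below implements each rule in the list and returns the names of the rules a candidate password violates, so the caller can report all problems at once rather than only the first. The rule names, the `check_password` function, the default lengths (8 and 64) and the treatment of a "sequential run" as three or more characters whose code points ascend by one are assumptions chosen for this example.

```python
import re
import string

# Assumed set of acceptable special characters: ASCII punctuation plus the
# pound sign from the list above.
SPECIALS = set(string.punctuation) | {"£"}


def _has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters ascend by one code point (123, abc)."""
    for i in range(len(pw) - run + 1):
        seg = pw[i:i + run]
        if all(ord(seg[j + 1]) - ord(seg[j]) == 1 for j in range(run - 1)):
            return True
    return False


def _has_repeated_run(pw: str, max_identical: int = 2) -> bool:
    """True if more than `max_identical` identical characters appear in a row (1111)."""
    return re.search(r"(.)\1{%d,}" % max_identical, pw) is not None


def check_password(pw: str, min_len: int = 8, max_len: int = 64) -> list:
    """Return the list of violated rule names; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("min_length")
    if len(pw) > max_len:          # bound external input like everything else
        problems.append("max_length")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.islower() for c in pw):
        problems.append("lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("special")
    if _has_sequential_run(pw):
        problems.append("sequential")
    if _has_repeated_run(pw):
        problems.append("repeated")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&x", "123abcd", "Aaaa1111!x"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Returning the full list of violations lets the registration form explain every unmet rule to the user in one round trip, while the same function can be reused on password-change and administrator-reset paths so the policy is enforced in one place.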
