
Difference between revisions of "Testing for Bypassing Authentication Schema (OTG-AUTHN-004)"

Revision as of 13:45, 6 November 2006


Brief Summary


In this test we try to understand the authentication schema and whether there are methods or attacks that bypass it.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Bypassing authentication schema methods:

  • Direct page request

In some cases the web application asks for authentication only when the home page is accessed; if a resource is requested directly by its own address, the authentication schema can be bypassed.

  • Parameter Modification

In some cases authentication is based on the values of certain parameters, so modifying them is enough to bypass the authentication schema.

For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.

  • Session Issue
    • Session ID Prediction
    • Session Fixation
  • SQL Injection (HTML Form Authentication)
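The first two methods above, "direct page request" and "parameter modification", are shown below as an added example that is not part of the original article: a small request handler written the weak way beside one with a single central session check, plus a probe that sends the two requests the page describes. The paths, the SESSIONID cookie name and the in-memory session store are assumptions.

```python
from urllib.parse import parse_qs, urlparse
import secrets

SESSIONS = {}  # constructed server-side session store: session id -> user name


def login(user):
    """Issue an unguessable session id; the credential check itself is assumed to have passed."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def vulnerable_app(url, cookies):
    """Weak pattern from the page: authentication decided by client-set flags, other pages unchecked."""
    p = urlparse(url)
    q = parse_qs(p.query)
    if p.path == "/webapps/login":
        if q.get("validUser") == ["yes"] and q.get("isAuthenticated") == ["yes"]:
            return 200, "welcome"          # flags are trusted as proof of authentication
        return 401, "login required"
    if p.path == "/webapps/account":
        return 200, "account data"          # never checks a session: direct page request works
    return 404, ""


def hardened_app(url, cookies):
    """Corrected pattern: one central check, tied to a server-side session, on every path."""
    p = urlparse(url)
    if p.path == "/login":
        return 200, "login form"            # the only page reachable without a session
    user = SESSIONS.get(cookies.get("SESSIONID"))
    if user is None:
        return 302, "/login"                # query-string flags are simply never consulted
    if p.path in ("/webapps/login", "/webapps/account"):
        return 200, f"{p.path} for {user}"
    return 404, ""


def probe(app):
    """Runs the page's two black-box checks against an app and reports which ones bypass it."""
    findings = []
    if app("/webapps/account", {})[0] == 200:
        findings.append("direct page request")
    if app("/webapps/login?validUser=yes&isAuthenticated=yes", {})[0] == 200:
        findings.append("parameter modification")
    return findings
```

The probe reports both bypasses against vulnerable_app and none against hardened_app, which only serves protected paths when the SESSIONID cookie maps to a server-side session.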


Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...



This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.