This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Bypassing Authentication Schema (OTG-AUTHN-004)"
m (Brief Summary added)
m (Spell check)
|Line 28:||Line 28:|
** Session Fixation
** Session Fixation
* Sql Injection (HTML Form
* Sql Injection (HTML Form )
Revision as of 20:09, 6 November 2006
OWASP Testing Guide v2 Table of Contents
While most most application require authentication for gaining access to private information or tasks, not every authentication method is able to provide adequate security level.
Negligence, ignorance or simple understatement of the security threats often result in authentication schemes that can be easily bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
In addition to this it is often possible to bypass compulsory authentication tampering with requests and tricking the application into thinking that we're already authenticated either by modifying the given URL parameter or by manipulating form or by counterfeiting sessions.
Description of the Issue
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Bypassing authentication schema methods:
- Direct page request
In alcuni casi la richiesta di autenticazione della web application avviene solamente quando si cerca di accedere alla home page, mentre se si accedede a qualche risorsa richiamandola direttamente si puo' bypassare lo schem di autenticazione
- Parameter Modification
In alcuni casi l'autenticazione si basa sul valore con cui sono impostati alcuni parametri quindi e' sufficiente modificarli per bypassare lo schema di autenticazione
For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.
- Session Issue
- Session ID Prediction
- Session Fixation
- Sql Injection (HTML Form Authentication)
Gray Box testing and example
Testing for Topic X vulnerabilities:
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.