Testing for Bypassing Authentication Schema (OTG-AUTHN-004)

Revision as of 13:45, 6 November 2006 by Gfedon (Black Box testing and example)


OWASP Testing Guide v2 Table of Contents

Brief Summary

In this test we try to understand the authentication schema and whether there are methods or attacks that can bypass it.

Description of the Issue

Black Box testing and example

Bypassing authentication schema methods:

  • Direct page request

In some cases the web application requests authentication only when the user tries to access the home page, whereas a resource requested directly by its URL is served without any check, so the authentication schema can be bypassed.

  • Parameter Modification

In some cases authentication is based on the values of certain parameters, so it is sufficient to modify them to bypass the authentication schema.

For example, /webapps/login?validUser=yes&isAuthenticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.
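The two patterns above (a check that guards only the home page, and a logged-in decision taken from client-supplied parameters) can be reproduced in a few lines. The following is an added example written for this page, not code from the OWASP Testing Guide: it models a weak router that exhibits both defects next to a hardened router that applies a deny-by-default check to every path under a protected prefix and derives identity only from a server-side session keyed by an unpredictable token. The routes, the user "alice", the password, the `SESSIONS` store and the probe requests are all constructed for illustration.

```python
"""Added example, not part of the original OWASP page.

Two deliberately simple request routers that model the bypass patterns
described above:
  1. the authentication check guards only the home page, so a direct request
     for another resource is never challenged ("Direct page request");
  2. the logged-in decision is read from client-controlled query parameters
     such as validUser / isAuthenticated ("Parameter Modification").
The hardened router applies a deny-by-default check to every protected path
and keys the decision on a server-side session.  Routes, users, sessions and
requests are all constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    path: str
    params: dict = field(default_factory=dict)   # query-string parameters
    cookies: dict = field(default_factory=dict)


# ---------------------------------------------------------------- weak --
def weak_router(req: Request) -> tuple:
    """Vulnerable pattern: checked only on the home page, and only via parameters."""
    if req.path == "/webapps/home":
        # The "is the user authenticated" decision is taken from values the
        # client sends, so the client can simply assert them.
        if req.params.get("validUser") == "yes" and req.params.get("isAuthenticated") == "yes":
            return 200, "home"
        return 302, "redirect:/webapps/login"
    if req.path == "/webapps/reports":
        # Never checked at all: a direct request for this URL skips the schema.
        return 200, "reports"
    return 404, "not found"


# ------------------------------------------------------------ hardened --
SESSIONS = {}                      # server-side store: session token -> username
PUBLIC_PATHS = {"/webapps/login"}  # everything else under /webapps/ is protected
PROTECTED_PREFIX = "/webapps/"


def login(username: str, password: str):
    """Hypothetical credential check; returns a fresh session token or None."""
    # Constructed credential for the example; a real app verifies a password hash.
    if username == "alice" and password == "correct-horse":
        token = secrets.token_urlsafe(32)   # unpredictable, server-generated id
        SESSIONS[token] = username
        return token
    return None


def current_user(req: Request):
    """Identity comes only from the server-side session, never from parameters."""
    return SESSIONS.get(req.cookies.get("session", ""))


def hardened_router(req: Request) -> tuple:
    """Deny by default: every protected path goes through the same check."""
    if req.path in PUBLIC_PATHS:
        return 200, "login form"
    if not req.path.startswith(PROTECTED_PREFIX):
        return 404, "not found"
    user = current_user(req)
    if user is None:
        return 302, "redirect:/webapps/login"
    if req.path == "/webapps/home":
        return 200, f"home for {user}"
    if req.path == "/webapps/reports":
        return 200, f"reports for {user}"
    return 404, "not found"


def probe(router) -> dict:
    """Replay the two probes from the text against a router; returns status codes."""
    direct = Request("/webapps/reports")
    forged = Request("/webapps/home",
                     params={"validUser": "yes", "isAuthenticated": "yes"})
    return {"direct_request": router(direct)[0],
            "parameter_modification": router(forged)[0]}


if __name__ == "__main__":
    print("weak    :", probe(weak_router))
    print("hardened:", probe(hardened_router))
    token = login("alice", "correct-horse")
    print("hardened, with a real session:",
          hardened_router(Request("/webapps/reports", cookies={"session": token})))
```

Running the module shows the weak router answering 200 to both probes while the hardened router redirects both to the login page and only serves the report once a session issued by `login()` is presented. The design point is that the check lives in one place in front of every protected path (a prefix or middleware, not a per-page afterthought) and that nothing the client sends other than the opaque session token influences the decision.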

  • Session Issue
    • Session ID Prediction
    • Session Fixation
  • SQL Injection (HTML Form Authentication)

Gray Box testing and example



