Testing for Bypassing Authentication Schema (OTG-AUTHN-004)
Brief Summary
In this test we try to understand the authentication schema and determine whether there is some method or attack that bypasses it.
Description of the Issue
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Bypassing authentication schema methods:
- Direct page request
In some cases the web application requests authentication only when the home page is accessed, whereas if some other resource is requested directly, the authentication schema can be bypassed.
- Parameter Modification
In some cases authentication is based on the values of certain parameters, so it is sufficient to modify them to bypass the authentication schema.
For example, /webapps/login?validUser=yes&isAutheticated=yes can be manually entered into the browser in an attempt to bypass the application server's authentication mechanism.
- Session Issue
- Session ID Prediction
- Session Fixation
- SQL Injection (HTML Form Authentication)
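As an added illustration that is not part of the OWASP page, the following Python sketch contrasts a hypothetical authentication scheme with both of the first two weaknesses (the check runs only on the home page and trusts client-sent parameters) against one that consults a server-side session store on every protected path. The paths, session store and parameter names are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: a server-side session store (session id -> user),
# populated only after a real login, and the set of paths that require a login.
SESSIONS = {"sess-abc123": "alice"}
PROTECTED = {"/", "/webapps/account", "/webapps/admin"}


def parse(url):
    """Split a request URL into its path and a dict of query parameters."""
    u = urlparse(url)
    return u.path, {k: v[0] for k, v in parse_qs(u.query).items()}


def vulnerable_is_allowed(url, cookies):
    """Weak scheme (hypothetical): the check only runs for the home page, and it
    trusts flags that the client controls, so both bypasses on the page work."""
    path, q = parse(url)
    if path != "/":
        return True  # direct page request: protected resources are never checked
    return q.get("validUser") == "yes" and q.get("isAuthenticated") == "yes"


def hardened_is_allowed(url, cookies):
    """Hardened scheme: every protected path is checked, and the decision comes
    from the server-side session bound to the cookie, never from parameters."""
    path, _ = parse(url)
    if path not in PROTECTED:
        return True  # public resource
    return SESSIONS.get(cookies.get("sid")) is not None


def bypassed_urls(check, urls):
    """Return the URLs an unauthenticated client (no cookies) can reach under
    a given scheme; a non-empty list on a protected path signals the flaw."""
    return [u for u in urls if check(u, {}) and parse(u)[0] in PROTECTED]


if __name__ == "__main__":
    probes = ["/webapps/admin", "/?validUser=yes&isAuthenticated=yes", "/help"]
    print("weak scheme lets through:", bypassed_urls(vulnerable_is_allowed, probes))
    print("hardened scheme lets through:", bypassed_urls(hardened_is_allowed, probes))
```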
Gray Box testing and example
Testing for Topic X vulnerabilities:
...
Result Expected:
...
References
Whitepapers
...
Tools
...