This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for User Enumeration and Guessable User Account (OWASP-AT-002)"
(New page: {{Template:OWASP Testing Guide v3}} '''This is a draft of a section of the new Testing Guide v3''' == Brief Summary == <br> ..here: we describe in "natural language" what we want to test...) |
|||
| Line 1: | Line 1: | ||
{{Template:OWASP Testing Guide v3}} | {{Template:OWASP Testing Guide v3}} | ||
| − | |||
== Brief Summary == | == Brief Summary == | ||
<br> | <br> | ||
| − | . | + | The scope of this test is to verify if is possible to collect a set of valid users interacting with the authentication mechanism of the application. This test will be usefull for the brute force testing in which we verify if given a valid username it is possible to find a valid password. |
<br> | <br> | ||
== Description of the Issue == | == Description of the Issue == | ||
<br> | <br> | ||
| + | The tester should interact with the authentication mechanism of the application to understand if sending particular request the application answer in a different manner. | ||
...here: Short Description of the Issue: Topic and Explanation | ...here: Short Description of the Issue: Topic and Explanation | ||
<br> | <br> | ||
== Black Box testing and example == | == Black Box testing and example == | ||
| − | '''Testing for | + | '''Testing for Valid user/right password''' <br> |
...<br> | ...<br> | ||
'''Result Expected:'''<br> | '''Result Expected:'''<br> | ||
...<br><br> | ...<br><br> | ||
| + | |||
| + | '''Testing for Valid user/wrong password''' <br> | ||
| + | ...<br> | ||
| + | '''Result Expected:'''<br> | ||
| + | ...<br><br> | ||
| + | |||
| + | '''Testing for Valid user/wrong password''' <br> | ||
| + | ...<br> | ||
| + | '''Result Expected:'''<br> | ||
| + | ...<br><br> | ||
| + | |||
== Gray Box testing and example == | == Gray Box testing and example == | ||
| − | '''Testing for | + | '''Testing for Authentication error messages'''<br> |
| − | + | Verify that the application answer in the same manner for every client request of authentication that produce a fail<br> | |
'''Result Expected:'''<br> | '''Result Expected:'''<br> | ||
...<br><br> | ...<br><br> | ||
Revision as of 12:50, 29 June 2008
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Brief Summary
The scope of this test is to verify if is possible to collect a set of valid users interacting with the authentication mechanism of the application. This test will be usefull for the brute force testing in which we verify if given a valid username it is possible to find a valid password.
Description of the Issue
The tester should interact with the authentication mechanism of the application to understand if sending particular request the application answer in a different manner.
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Testing for Valid user/right password
...
Result Expected:
...
Testing for Valid user/wrong password
...
Result Expected:
...
Testing for Valid user/wrong password
...
Result Expected:
...
Gray Box testing and example
Testing for Authentication error messages
Verify that the application answer in the same manner for every client request of authentication that produce a fail
Result Expected:
...
References
Whitepapers
...
Tools
...
