This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Testing for User Enumeration and Guessable User Account (OWASP-AT-002)
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Brief Summary
The scope of this test is to verify if is possible to collect a set of valid users interacting with the authentication mechanism of the application. This test will be usefull for the brute force testing in which we verify if given a valid username it is possible to find a valid password.
Description of the Issue
The tester should interact with the authentication mechanism of the application to understand if sending particular request the application answer in a different manner.
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Testing for Valid user/right password
...
Result Expected:
...
Testing for Valid user/wrong password
...
Result Expected:
...
Testing for Valid user/wrong password
...
Result Expected:
...
Gray Box testing and example
Testing for Authentication error messages
Verify that the application answer in the same manner for every client request of authentication that produce a fail
Result Expected:
...
References
Whitepapers
...
Tools
...