This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Testing for User Enumeration and Guessable User Account (OWASP-AT-002)

From OWASP
Revision as of 12:50, 29 June 2008 by Mmeucci (talk | contribs)

Jump to: navigation, search

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here


Brief Summary


The scope of this test is to verify if is possible to collect a set of valid users interacting with the authentication mechanism of the application. This test will be usefull for the brute force testing in which we verify if given a valid username it is possible to find a valid password.

Description of the Issue


The tester should interact with the authentication mechanism of the application to understand if sending particular request the application answer in a different manner. ...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Valid user/right password
...
Result Expected:
...

Testing for Valid user/wrong password
...
Result Expected:
...

Testing for Valid user/wrong password
...
Result Expected:
...

Gray Box testing and example

Testing for Authentication error messages
Verify that the application answer in the same manner for every client request of authentication that produce a fail
Result Expected:
...

References

Whitepapers
...
Tools
...