This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for authentication"

From OWASP
Jump to: navigation, search
(Authentication Testing)
Line 7: Line 7:
  
 
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.
 
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. Testing the authentication schema means to understand how the authentication process of the application works and try to break it.
+
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication.  An common example of such a process is the logon process . Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
  
 
[[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary)user account]]<br>
 
[[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary)user account]]<br>
First we test if there are some default user accounts or guessable username/password (dictionary testing)
+
First we test if there are default user accounts or guessable username/password combinations (dictionary testing)
  
 
[[Brute Force Testing AoC|4.4.2 Brute Force]]<br>
 
[[Brute Force Testing AoC|4.4.2 Brute Force]]<br>
Then we can begin a brute force testing (not easy to implement cause time limit and lockuot of user)
+
When a dictionary type attack fails, a tester can attempt to use brute force methods to gain authentication.  Brute force testing is not easy to accomplish for testers because of the time required and the possible lockout of the tester.
  
 
[[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br>
 
[[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br>
Maybe in passive mode, when the tester study the authentication schema, he should notice that not all the application's private resources are adequately protected and you can access it without authenticate yourself.
+
Other passive testing methods attempt to bypass the authentication schema by recognizing that not all of the application's resources are adequately protected.  The tester can access these resources without authentication.
  
 
[[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br>
 
[[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br>
Directory Traversal Testing is a particular method to find a way to bypass the application and access to resources: tipically this are misconfiguration errors.
+
Directory Traversal Testing is a particular method to find a way to bypass the application and gain access to system resources.  Typically, these vulnerabilities are caused by misconfiguration.
  
 
[[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br>
 
[[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br>
Here we test how the application manage the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).  
+
Here we test how the application manages the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).  
  
 
[[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br>
 
[[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br>
As final test we check that the logout and cahing functions are properly implemented.
+
As a final test we check that the logout and caching functions are properly implemented.
  
  
 
{{Category:OWASP Testing Project AoC}}
 
{{Category:OWASP Testing Project AoC}}

Revision as of 16:00, 15 November 2006

[Up]

OWASP Testing Guide v2 Table of Contents

Authentication Testing


Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors. In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication. An common example of such a process is the logon process . Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.

4.4.1 Default or guessable (dictionary)user account
First we test if there are default user accounts or guessable username/password combinations (dictionary testing)

4.4.2 Brute Force
When a dictionary type attack fails, a tester can attempt to use brute force methods to gain authentication. Brute force testing is not easy to accomplish for testers because of the time required and the possible lockout of the tester.

4.4.3 Bypassing authentication schema
Other passive testing methods attempt to bypass the authentication schema by recognizing that not all of the application's resources are adequately protected. The tester can access these resources without authentication.

4.4.4 Directory traversal/file include
Directory Traversal Testing is a particular method to find a way to bypass the application and gain access to system resources. Typically, these vulnerabilities are caused by misconfiguration.

4.4.5 Vulnerable remember password and pwd reset
Here we test how the application manages the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).

4.4.6 Logout and Browser Cache Management Testing
As a final test we check that the logout and caching functions are properly implemented.



OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents