Brute Force Attacks: Authentication actually takes place in many other parts of the web application other then the main login page.
It is also present when you change your password, update your account information, use the password recovery functionality, answering secret questions, and when you use the remember me option.
If any of other authentication processes in flawed, the security of all other authentication mechanisms may be compromised.
The frightening thing about authentication vulnerabilities is that they can open the door for all other accounts to be compromised.
Imagine the carnage when an administrator’s account is compromised because of poor authentication!
We will be using the Brute Force exercise in DVWA as our guide to complete an online brute force authentication attack.
It is HTML form-based authentication page; just like over 90% of web application use.
Despite ongoing efforts to include additional factors into the authentication process, such as CAPTCHA and challenge questions, the traditional username and password is still the most popular authentication mechanism.
This attack is much different than the offline password has cracking that we completed with John the Ripper.
We will now be interacting directly with web application and database that process the username and password parameters during authentication.
Online brute force authentication hacking is much slower than offline password hash cracking because we are making repeated requests to the application and must wait for it to generate a response and send it back.