Insecure Logon Systems: Many web applications require some sort of authentication or login process prior to their use. Because of the importance of the logon process, it is essential that it be handled safely and securely.
You must take care that the incorrect or improper entry of information does not reveal data that an attacker can use to gain additional information about a system.
Applications can track information relating to improper or incorrect logons by users if so enabled. Typically, this information comes in log form, with entries listing items such as the following:
- Entry of an invalid user ID with a valid password.
- Entry of a valid user ID with an invalid password.
- Entry of an invalid user ID and password.
Applications should be designed to return generic information that does not reveal information such as correct usernames.
Web apps that return a message such as “username invalid” or “password invalid” give an attacker a target to focus on, such as the password for a username the application has just confirmed is valid.
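The following added example (not from the original text) contrasts the leaky pattern just described with a handler that returns one generic message to the client while recording the specific failure case server-side, where only defenders can read it. The user store, salt and passwords are constructed for the demo; the PBKDF2 dummy credential keeps the cost of an unknown username the same as that of a wrong password.

```python
import hashlib
import hmac

# Constructed demo user store (username -> (salt, PBKDF2-SHA256 hash)); not real data.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy credential so an unknown username costs the same hash work as a wrong password.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))

def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Insecure pattern from the text: the error tells the client which part failed."""
    if username not in USERS:
        return False, "username invalid"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "password invalid"
    return True, "Welcome."

def login_generic(username: str, password: str, audit_log: list[str]) -> tuple[bool, str]:
    """Hardened version: one generic message to the client; the specific reason
    goes only to the server-side audit log (the log entries the text describes)."""
    user_ok = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if user_ok and password_ok:
        audit_log.append(f"login ok user={username}")
        return True, "Welcome."
    reason = "unknown username" if not user_ok else "valid username, wrong password"
    audit_log.append(f"login failed user={username} reason={reason}")
    return False, "Invalid username or password."
```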
Performing a Password Crack
One tool designed to uncover and crack passwords for web applications and websites is a utility known as Brutus.
Brutus is not a new tool, but it does demonstrate one way an attacker can uncover passwords for a website and applications.
Brutus is a password cracker that is designed to decode different password types present in web applications.
Brutus is simple to use, as are most tools in this category. Follow these steps:
- Enter the IP address in the Target field in Brutus. This is the IP address of the server on which the password is intended to be broken.
- Select the type of password crack to perform in the Type field. Brutus has the ability to crack passwords using HTTP, FTP, and POP3.
- Enter the port over which to crack the password.
- Configure the Authentication options for the system. If the system doesn’t require a username or uses only a password or PIN, choose the Use Username option. For known usernames, the Single User option may be used and the username entered in the box below it.
- Set the Pass Mode and Pass File options. Brutus can run the password crack against a dictionary word list. At this point, the password-cracking process can begin; once Brutus has cracked the password, the Positive Authentication field will display it.
Brutus is not the newest password cracker in this category, but it is well known and effective. Another cracker in this category is THC Hydra.