AUTHENTICATION TESTING

1. Credentials transport over an encrypted channel
Here the tester simply tries to determine whether the data a user enters into the web form in order to log into a web site is transmitted using secure protocols that protect it from an attacker, or not.
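One way to check this without sending any credentials, as an added example that is not part of the original post: parse the login page's HTML, find every form that contains a password field, resolve its action against the page URL and report whether that action uses https. The page URL and HTML below are constructed for the example.

```python
# Added example (not from the original post): check whether a login form
# would submit credentials over an encrypted channel. Parses the HTML of a
# page fetched from `page_url` and resolves each form's action against it.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of dicts: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_form_transport(page_url, html):
    """Return a list of findings, one per form that carries a password field.

    Each finding is (resolved_action_url, secure) where `secure` is True only
    when the credentials would travel over https://.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue                      # not a credential form, skip it
        action = urljoin(page_url, form["action"])   # "" resolves to the page itself
        secure = urlsplit(action).scheme == "https"
        findings.append((action, secure))
    return findings


# Constructed sample: a login page served over plain HTTP whose form posts to
# a relative path, so the credentials would be sent in the clear.
SAMPLE_PAGE_URL = "http://example.invalid/login"   # hypothetical host
SAMPLE_HTML = """
<html><body>
<form method="post" action="/do_login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, secure in check_login_form_transport(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{action}: {'OK (TLS)' if secure else 'FAIL: credentials sent in cleartext'}")
```

A form on an https page that posts to a relative action is fine; the common failure is a login page served over http, or an explicit http:// action, and the checker reports both.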

2. Testing for user enumeration
The scope of this test is to verify if it is possible to collect a set of valid users by interacting with the authentication mechanism of the application. This test will be useful for the brute force testing, in which we verify if, given a valid username, it is possible to find the corresponding password.
This phase collects information about the application's authentication mechanism. Try logging in with an invalid username and password and note the error message.
Error message:
Nama Pengguna dan Sandi Lewat tidak sesuai atau anda belum memiliki akun.

3. Testing for Guessable (Dictionary) User Account
Here we test if there are default user accounts or guessable username/password combinations (dictionary testing)

4. Brute Force Testing
When a dictionary type attack fails, a tester can attempt to use brute force methods to gain authentication. Brute force testing is not easy to accomplish for testers because of the time required and the possible lockout of the tester.
This attack tests whether the target is weak against brute-force attacks.
I tried using hydra-gtk to run a brute-force attack to find the username and password.
The result:
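The two tests above (user enumeration in section 2 and brute force in section 4) fail against a login handler that behaves like the one below. This is an added example, not code from the original post or from the tested site: it returns one generic error whether the username is unknown or the password is wrong, derives and compares password hashes in constant time so unknown users cost the same as real ones, and locks an account after a fixed number of failures. The user store, threshold and lockout window are hypothetical.

```python
# Added example (not from the original post): a login check that gives no
# hint about which part of the credentials was wrong and locks out after
# repeated failures. User store and thresholds are hypothetical.
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Username or password is incorrect."
MAX_FAILURES = 5          # hypothetical lockout threshold
LOCKOUT_SECONDS = 900     # hypothetical lockout window (15 minutes)


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class LoginService:
    def __init__(self, users, now=time.time):
        # users: {username: (salt, digest)}; failures are tracked per username
        self._users = users
        self._failures = {}       # username -> consecutive failure count
        self._locked_until = {}   # username -> unix time when the lock ends
        self._now = now
        # A dummy hash so an unknown username costs the same time as a real one.
        self._dummy = hash_password("dummy-password")

    def login(self, username, password):
        """Return (ok, message). The message never reveals which check failed."""
        now = self._now()
        if self._locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR

        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # constant-time comparison of the derived keys; the membership test
        # guards against a guess that happens to match the dummy hash
        ok = hmac.compare_digest(candidate, stored) and username in self._users

        if ok:
            self._failures.pop(username, None)
            return True, "Welcome."

        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    svc = LoginService({"alice": (salt, digest)})
    print(svc.login("alice", "wrong"))     # (False, GENERIC_ERROR)
    print(svc.login("nobody", "wrong"))    # same message: no enumeration
    print(svc.login("alice", "correct horse"))
```

Locking per username stops a dictionary run against one account but lets anyone lock a victim out by sending wrong passwords, so in practice it is paired with a per-source rate limit or a CAPTCHA rather than used alone.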

5. Testing for bypassing authentication schema
Other passive testing methods attempt to bypass the authentication schema by recognizing that not all of the application's resources are adequately protected. The tester can access these resources without authentication.

6. Testing for vulnerable remember password and pwd reset
Here we test how the application manages the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).
This test tries to find vulnerabilities in the "remember password" and password reset facilities.

But the result:
Your password reset request failed to be confirmed because it does not find the username and email address in question ..
From this we know that the site checks whether the entered email address is already registered; if it is not, the password reset request cannot be carried out.
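A reset handler that cannot be used to tell registered addresses from unregistered ones, as an added example that is not part of the original post: it answers with the same message either way and only generates a token when the address is known. Tokens are random, stored only as hashes, single-use and time-limited. The user store, the mail-sending callable and the lifetime are hypothetical.

```python
# Added example (not from the original post): a "forgot password" flow whose
# response does not depend on whether the email address is registered.
import hashlib
import secrets
import time

RESET_LIFETIME = 3600   # hypothetical: tokens live for one hour
RESET_MESSAGE = "If that email address is registered, a reset link has been sent."


class PasswordResetService:
    def __init__(self, users_by_email, send_mail, now=time.time):
        self._users = users_by_email      # {email: username}, hypothetical store
        self._send_mail = send_mail       # callable(email, token), hypothetical
        self._now = now
        self._tokens = {}                 # sha256(token) -> (username, expires_at)

    def request_reset(self, email):
        """Always return the same message; act only if the address is known."""
        username = self._users.get(email)
        if username is not None:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()   # never store raw token
            self._tokens[key] = (username, self._now() + RESET_LIFETIME)
            self._send_mail(email, token)
        return RESET_MESSAGE

    def redeem(self, token):
        """Return the username for a valid, unexpired token (once), else None."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)     # single use: removed on first try
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username


if __name__ == "__main__":
    outbox = []
    svc = PasswordResetService({"alice@example.invalid": "alice"},
                               lambda e, t: outbox.append((e, t)))
    print(svc.request_reset("nobody@example.invalid"))   # same message ...
    print(svc.request_reset("alice@example.invalid"))    # ... as this one
    print(svc.redeem(outbox[0][1]))                      # "alice"
```

Sending the mail should be queued rather than done inline, otherwise the response time still differs between known and unknown addresses.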

7. Testing for logout and browser cache management
Here we check that the logout and caching functions are properly implemented.
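Two checks that can be run over captured HTTP responses, as an added example that is not part of the original post: an authenticated page should carry Cache-Control: no-store (and Pragma: no-cache for older caches) so it cannot be replayed from the browser's back button or a shared cache, and the logout response should expire the session cookie. The header samples below are constructed; the cookie name is an assumption.

```python
# Added example (not from the original post): header checks for logout and
# cache management over constructed sample responses.

def _header(headers, name):
    """Case-insensitive header lookup; returns "" when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def check_cache_headers(headers):
    """Return a list of problems for one authenticated response."""
    problems = []
    directives = {d.strip().lower()
                  for d in _header(headers, "Cache-Control").split(",") if d.strip()}
    if "no-store" not in directives:
        problems.append("missing Cache-Control: no-store")
    # HTTP/1.0 caches ignore Cache-Control; Pragma: no-cache covers them
    if _header(headers, "Pragma").lower() != "no-cache":
        problems.append("missing Pragma: no-cache")
    return problems


def check_logout_clears_session(headers, cookie_name="sessionid"):
    """True if the logout response expires the session cookie (hypothetical name)."""
    set_cookie = _header(headers, "Set-Cookie")
    if not set_cookie.startswith(cookie_name + "="):
        return False
    low = set_cookie.lower()
    return "max-age=0" in low or "expires=thu, 01 jan 1970" in low


# Constructed samples
GOOD_PAGE = {"Content-Type": "text/html",
             "Cache-Control": "no-store, no-cache, must-revalidate",
             "Pragma": "no-cache"}
BAD_PAGE = {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"}
LOGOUT_OK = {"Location": "/login", "Set-Cookie": "sessionid=; Max-Age=0; Path=/; HttpOnly"}
LOGOUT_BAD = {"Location": "/login"}

if __name__ == "__main__":
    print("good page:", check_cache_headers(GOOD_PAGE))
    print("bad page: ", check_cache_headers(BAD_PAGE))
    print("logout ok: ", check_logout_clears_session(LOGOUT_OK))
    print("logout bad:", check_logout_clears_session(LOGOUT_BAD))
```

Clearing the cookie is only half of the logout test: the old session identifier should also be rejected by the server afterwards, which is verified by replaying a request with the pre-logout cookie and expecting a redirect to the login page.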

8. Testing for CAPTCHA
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.
