Difference between revisions of "Testing for authentication"

From OWASP
Jump to: navigation, search
(Final edit)
(32 intermediate revisions by 8 users not shown)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+
{{Template:OWASP Testing Guide v4}}
  
{{Template:OWASP Testing Guide v2}}
+
''' 4.5 Authentication Testing '''
 
+
=== Authentication Testing ===
+
 
----
 
----
  
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.
 
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. Testing the authentication schema means to understand how work the authentication process of the application and try to break it.
 
  
[[Default or Guessable User Account Testing AoC|4.4.1 Default or guessable (dictionary)user account]]<br>
+
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying her identity. Authentication depends upon one or more authentication factors.
First we test if there are some default user account or guessable username password (dictionary testing)
+
 
 +
 
 +
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication.  A common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.
 +
 
 +
 
 +
[[Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|4.5.1 Testing for Credentials Transported over an Encrypted Channel  (OTG-AUTHN-001)]]  
 +
 
 +
[[Testing for default credentials (OWASP-AT-003)|4.5.2 Testing for default credentials (OTG-AUTHN-002)]]
 +
 
 +
[[Testing for Weak lock out mechanism (OWASP-AT-004)|4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)]]
  
[[Brute Force Testing AoC|4.4.2 Brute Force]]<br>
+
[[Testing for Bypassing Authentication Schema (OWASP-AT-005)|4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)]]
Then we can begin a brute force testing (not easy to implement cause time limit and lockuot of user)
+
  
[[Bypassing Authentication Schema AoC|4.4.3 Bypassing authentication schema]]<br>
+
[[Testing for Vulnerable Remember Password (OWASP-AT-006)|4.5.5 Test remember password functionality (OTG-AUTHN-005)]]  
Maybe in passive mode, when the tester study the authentication schema, he should notice that not all the application's private resources are adequately protected and you can access it without authenticate yourself.
+
  
[[Directory Traversal Testing AoC|4.4.4 Directory traversal/file include]] <br>
+
[[Testing for Browser cache weakness (OWASP-AT-007)|4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)]]  
Directory Traversal Testing is a particular method to find a way to bypass the application and access to resources: tipically this are misconfiguration errors
+
  
[[Vulnerable Remember Password and Pwd Reset AoC|4.4.5 Vulnerable remember password and pwd reset]]<br>
+
[[Testing for Weak password policy (OWASP-AT-008)|4.5.7 Testing for Weak password policy (OTG-AUTHN-007)]]
Here we test how the application manage the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).
+
  
[[Logout and Browser Cache Management Testing AoC|4.4.6 Logout and Browser Cache Management Testing]]<br>
+
[[Testing for Weak security question/answer (OTG-AUTHN-008)|4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)]]  
As final test we check that the logout and cahing functions are properly implemented.
+
  
 +
[[Testing for weak password change or reset functionalities (OWASP-AT-011)|4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)]]
  
{{Category:OWASP Testing Project AoC}}
+
[[Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)|4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)]]

Revision as of 10:04, 14 May 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


4.5 Authentication Testing



Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author ) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying her identity. Authentication depends upon one or more authentication factors.


In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication. A common example of such a process is the log on process. Testing the authentication schema means understanding how the authentication process works and using that information to circumvent the authentication mechanism.


4.5.1 Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)

4.5.2 Testing for default credentials (OTG-AUTHN-002)

4.5.3 Testing for Weak lock out mechanism (OTG-AUTHN-003)

4.5.4 Testing for bypassing authentication schema (OTG-AUTHN-004)

4.5.5 Test remember password functionality (OTG-AUTHN-005)

4.5.6 Testing for Browser cache weakness (OTG-AUTHN-006)

4.5.7 Testing for Weak password policy (OTG-AUTHN-007)

4.5.8 Testing for Weak security question/answer (OTG-AUTHN-008)

4.5.9 Testing for weak password change or reset functionalities (OTG-AUTHN-009)

4.5.10 Testing for Weaker authentication in alternative channel (OTG-AUTHN-010)