Web App Authentication


The impact of authentication vulnerabilities can be very severe. Once an attacker has either bypassed authentication or has brute-forced their way into another user’s account, they have access to all the data and functionality that the compromised account has. If they are able to compromise a high-privileged account, such as a system administrator, they could take full control over the entire application and potentially gain access to internal infrastructure.

Even compromising a low-privileged account might still grant an attacker access to data that they otherwise shouldn’t have, such as commercially sensitive business information. Even if the account does not have access to any sensitive data, it might still allow the attacker to access additional pages, which provide a further attack surface. Often, certain high-severity attacks will not be possible from publicly accessible pages, but they may be possible from an internal page.

Password-Based Logins

Brute Force

Username enumeration – This greatly reduces the time and effort required to brute-force a login because the attacker is able to quickly generate a shortlist of valid usernames.

While attempting to brute-force a login page, you should pay particular attention to any differences in:

  • Status codes: Sometimes a guess returns a different status code, a strong indication that a username is correct. It is best practice for a website to always return the same status code regardless of the outcome.
  • Error messages: Returned errors sometimes differ depending on whether both the username AND password are incorrect or only the password was incorrect. It is best practice for websites to use identical, generic messages in both cases.
    • Burp Intruder > Options > Grep-Extract
  • Response times: Deviations in response times may suggest valid accounts. This is common with OWA. The delay can sometimes be made more obvious by entering excessively long passwords that take sites noticeably longer to handle.
    • Burp Intruder > Columns > Response received & Response completed