WackoPicko/Weak-Username-Password
Description
How many web applications (intranet, extranet, internet) suffer from weak authentication mechanisms? And how many applications suffer from weak passwords? I have worked for companies that develop web applications from a framework that contains the string:
```php
// Hardcoded credential check shipped in the framework (deliberately weak, as described above)
if ($username == "admin" && $password == "password") {
    /*
     * Grant access with full privs
     */
}
```
This example illustrates a weak, hardcoded login/password combination (admin/admin) that gives access to the backend of the application.
Proof of Concept
No need for a PoC, here is the table of valid credentials:
| Priv | Username | Password |
|---|---|---|
| Standard | scanner1 | scanner1 |
| Standard | scanner2 | scanner2 |
| Standard | bryce | bryce |
| Admin | admin | admin |
| Admin | adamd | adamd |
How to detect?
- Hydra is likely to be used in this case.
- Refer to this article for more information: Bruteforce.
How to protect against it?
- Enforce passwords (strong password policy)
- Encrypt the passwords in your database with a strong encryption mechanism
- Protect your application against brute force attacks (e.g. deny an IP address after 3 unsuccessful login attempts). The attacker could still change their IP, but it is more complicated.
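The following is an added example, not WackoPicko code, showing how the hardcoded check from the Description and the three countermeasures above fit together: a password policy that rejects the weak pairs listed in the Proof of Concept table, storage of salted slow hashes via PHP's `password_hash`/`password_verify` instead of plaintext comparison, and a per-IP failure counter that locks the source out after 3 bad attempts and logs the event (the signal a defender would watch for when a tool such as Hydra is run against the login form). The class names `UserStore` and `LoginGuard`, the constants, and the sample account and IP address are constructed for this illustration.

```php
<?php
// Added example (not WackoPicko code). UserStore, LoginGuard, the
// thresholds and the sample account/IP below are illustrative constructs.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12;
const MAX_FAILED_ATTEMPTS = 3;        // lockout threshold from the advice above
const LOCKOUT_SECONDS     = 15 * 60;

// Policy: minimum length, not equal to the username, at least three
// character classes. Rejects every pair in the credentials table above.
function passwordMeetsPolicy(string $username, string $password): bool
{
    if (strlen($password) < MIN_PASSWORD_LENGTH || strcasecmp($username, $password) === 0) {
        return false;
    }
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $re) {
        if (preg_match($re, $password) === 1) {
            $classes++;
        }
    }
    return $classes >= 3;
}

// Stores only salted, slow hashes (bcrypt via PASSWORD_DEFAULT); the
// plaintext is never kept, so a database leak does not yield passwords.
final class UserStore
{
    /** @var array<string, string> username => password hash */
    private array $hashes = [];

    public function register(string $username, string $password): void
    {
        if (!passwordMeetsPolicy($username, $password)) {
            throw new InvalidArgumentException("Password for '$username' violates policy");
        }
        $this->hashes[$username] = password_hash($password, PASSWORD_DEFAULT);
    }

    public function hashFor(string $username): ?string
    {
        return $this->hashes[$username] ?? null;
    }
}

// Per-source failure counter: after MAX_FAILED_ATTEMPTS the source IP is
// refused for LOCKOUT_SECONDS, whatever credentials it sends.
final class LoginGuard
{
    /** @var array<string, array{count: int, until: int}> */
    private array $state = [];

    public function __construct(private UserStore $store) {}

    public function attempt(string $ip, string $username, string $password, int $now): string
    {
        $s = $this->state[$ip] ?? ['count' => 0, 'until' => 0];
        if ($s['until'] > $now) {
            return 'locked';
        }
        $hash = $this->store->hashFor($username);
        // Verify against a dummy hash for unknown users so response time
        // does not reveal which usernames exist.
        $ok = password_verify($password, $hash ?? self::dummyHash());
        if ($ok && $hash !== null) {
            unset($this->state[$ip]);
            return 'ok';
        }
        $s['count']++;
        if ($s['count'] >= MAX_FAILED_ATTEMPTS) {
            $s['until'] = $now + LOCKOUT_SECONDS;
            // This line is what a brute-force detection rule keys on.
            error_log("auth: lockout ip=$ip user=$username failures={$s['count']}");
        }
        $this->state[$ip] = $s;
        return 'denied';
    }

    private static function dummyHash(): string
    {
        static $h = null;
        return $h ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
}

// Constructed demo: the weak pair from the table is refused, a compliant
// password is accepted, then a short guessing run triggers the lockout.
$store = new UserStore();
try {
    $store->register('bryce', 'bryce');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$store->register('bryce', 'Correct-Horse-42!');
$guard = new LoginGuard($store);
$t = time();
foreach (['bryce', 'password', 'admin'] as $guess) {
    echo "guess '$guess': ", $guard->attempt('203.0.113.7', 'bryce', $guess, $t), PHP_EOL;
}
echo 'right password while locked: ', $guard->attempt('203.0.113.7', 'bryce', 'Correct-Horse-42!', $t), PHP_EOL;
echo 'after lockout expires: ', $guard->attempt('203.0.113.7', 'bryce', 'Correct-Horse-42!', $t + LOCKOUT_SECONDS + 1), PHP_EOL;
```

Run with `php hardened_login.php` (PHP 8 or later for constructor property promotion). The design choice worth noting is that `password_hash` produces a salted, deliberately slow hash, so each guess costs the attacker real work and equal passwords do not produce equal database values; the lockout on top of that bounds how many guesses a single source gets before the `error_log` line gives the defender something to alert on.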