Most web applications require some form of authentication or login process before granting a user access to the services they offer. Because each user may have a wealth of sensitive information stored in the application database, the authentication process is extremely important. The login process must be handled in a safe and secure manner, and it must ensure that incorrect or improper input does not reveal information an attacker can use to gain further information or access.
A failed login attempt falls into one of the following cases:
- Invalid user ID with a valid password
- Valid user ID with an invalid password
- Invalid user ID with an invalid password
Applications should be designed so that they always return the same generic message to the end user, no matter which of the above cases occurred. If the application returns a message such as "Invalid username", it tells the attacker that the user does not exist. If it returns a message such as "Invalid password", the attacker learns that the username is correct, which is half the puzzle. If the application does not limit failed login attempts, an attacker may run a dictionary attack against it. Username enumeration is valuable to the attacker because it increases the chance of finding an end user with a weak password: the more usernames the attacker has, the greater the chance of a successful attack.