2. Identity Management Testing
• Identity management testing is required in every web application to verify roles and responsibilities.
• Test cases to prepare for identity management testing include the user registration process, user enumeration, user account provisioning, user roles and an unenforced password policy.
• To test user roles, validate that the roles defined within the application are sufficient for the functionality and information they control.
• The security tester needs to assure that user roles are properly defined with their respective functionality.
• The best way to test this is manually; a spider tool can also help identify the pages accessible to the different users.
3. Identity Management Testing
• User account provisioning also plays an important part in identity management testing.
• The security tester needs to assure that a user cannot provision a user with higher privilege.
• Verify that the same user cannot de-provision themselves.
• Verify whether an administrator can create multiple administrators; if yes, check the business requirement.
• This process is also tested manually and with the Burp Suite tool.
• A user enumeration attack is the first level of attack on login pages.
• Here the attacker grabs user names without having any information about the users.
• The security tester needs to assure that the server response for correct and wrong credentials remains the same.
• The security tester can also compare response lengths with Burp Suite to enumerate account names.
4. Identity Management Testing
• The screenshot below reveals that the response length signifies the presence of a valid name versus an invalid name.
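The response comparison described on slides 3 and 4, as an added example that is not part of the original deck: two constructed login handlers (one leaking which part of the credential failed, one returning a uniform failure) and a check that reports every attribute differing between the responses for a real and a fake user name.

```python
# Added example: checking login responses for user-enumeration tells
# (status code, body length, message text). The handlers, the test
# account and the user names are constructed for illustration only.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    body: str

USERS = {"alice": "correct horse battery staple"}  # constructed test account

def login_leaky(username: str, password: str) -> Response:
    """Vulnerable: different status and message reveal whether the user exists."""
    if username not in USERS:
        return Response(404, "Unknown user")
    if USERS[username] != password:
        return Response(401, "Incorrect password for user " + username)
    return Response(200, "Welcome " + username)

def login_uniform(username: str, password: str) -> Response:
    """Hardened: one generic failure response regardless of which part failed."""
    if USERS.get(username) == password:
        return Response(200, "Welcome " + username)
    return Response(401, "Invalid username or password")

def enumeration_tells(handler, valid_user: str, invalid_user: str) -> list[str]:
    """Send a wrong password for a real and a fake user; every attribute that
    differs between the two failure responses is a tell that leaks valid names."""
    a = handler(valid_user, "wrong-password")
    b = handler(invalid_user, "wrong-password")
    tells = []
    if a.status != b.status:
        tells.append(f"status {a.status} vs {b.status}")
    if len(a.body) != len(b.body):
        tells.append(f"length {len(a.body)} vs {len(b.body)}")
    elif a.body != b.body:
        tells.append("body text differs")
    return tells

if __name__ == "__main__":
    print("leaky  :", enumeration_tells(login_leaky, "alice", "mallory"))
    print("uniform:", enumeration_tells(login_uniform, "alice", "mallory"))
```

The same comparison applied to real responses captured in a proxy should also cover headers and timing, which this sample handler does not model.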
5. Identity Management Testing
• When a user registers in the application, the password policy plays a crucial role.
• A weak password policy makes it easier for an attacker to crack user credentials.
• The security tester needs to assure that the application enforces a strong password policy.
• Manual security testing helps identify whether the application has implemented a strong password policy.
• Some recommended rules are that the password should be eight characters or longer, a combination of numeric, upper-case and lower-case characters, and expire after 90 days, etc.
• Attackers generally use password cracking tools such as Brutus, wfuzz, RainbowCrack, etc. to crack passwords.
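A validator for the password rules listed on this slide, as an added example that is not part of the original deck; the thresholds follow the slide (8 characters, digit plus upper and lower case, 90-day expiry) and the sample dates are constructed.

```python
# Added example: checks a candidate password against the slide's rules
# (length >= 8, mixed digits/upper/lower case) and flags accounts whose
# password is older than 90 days. Dates used in the test are constructed.
from __future__ import annotations
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 90

def policy_violations(password: str) -> list[str]:
    """Return the composition rules the password fails (empty list = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    return violations

def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than MAX_AGE_DAYS and must be rotated."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

def audit_account(password: str, last_changed: date, today: date) -> list[str]:
    """Combine both checks, as a tester would for each sampled account."""
    findings = policy_violations(password)
    if password_expired(last_changed, today):
        findings.append(f"not changed for more than {MAX_AGE_DAYS} days")
    return findings

if __name__ == "__main__":
    print(audit_account("password", date(2024, 1, 1), date(2024, 4, 1)))
    print(audit_account("Tr0ub4dor", date(2024, 1, 1), date(2024, 3, 31)))
```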
6. Authentication Testing
• The authentication page is the entry point for an attacker to access restricted pages.
• If the credentials are compromised, the developer's efforts to build security restrictions in other areas become inadequate.
• The security tester needs to create various test cases to identify weaknesses on the authentication pages.
• Attackers gain access to credentials with the help of various techniques and tools.
• Various test cases need to be created for authentication testing.
• Some examples: credentials must pass over an encrypted channel, default credentials, bypassing the authentication mechanism, the browser caching credentials, weak password policy, weak security challenge/answer, weak password change or reset functionality, remember-password functionality.
• The authentication testing process can be tested manually and also with automated tools.
• Some good tools, such as IBM AppScan, Acunetix and WebInspect, help identify authentication-related vulnerabilities very easily.
• Various types of authentication mechanism are used by applications: basic, form-based, NTLM, etc.
7. Authentication Testing
• To test whether the credentials travel over an encrypted channel, check manually with a proxy tool or with Wireshark.
• The tester needs to verify this because sometimes credentials work over both https and http.
• The screenshot below shows credentials passing over the http protocol.
8. Authentication Testing
• The screenshot below shows that the user id and password travel over http in base64-encoded format.
• Various techniques can be used by attackers to bypass the authentication mechanism of the application.
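What the tester sees in a captured Basic-auth request like the one in the screenshot, as an added example that is not part of the original deck; the request text, host and credentials are constructed, and decoding them shows that base64 is an encoding, not encryption, so only the transport protects them.

```python
# Added example: parse a constructed HTTP request capture and recover the
# Basic-auth credentials exactly as a proxy or Wireshark would when the
# request was sent over plain http instead of https.
from __future__ import annotations
import base64

SAMPLE_REQUEST = (                       # constructed capture, not a real site
    "GET /admin HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0UGFzcw==\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict[str, str]:
    """Split the header block (request line excluded) into a lower-cased dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def basic_auth_credentials(raw: str) -> tuple[str, str] | None:
    """Return (user, password) from a Basic header, or None if there is none."""
    auth = parse_headers(raw).get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

if __name__ == "__main__":
    print(basic_auth_credentials(SAMPLE_REQUEST))
```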
9. Authentication Testing
• To bypass the authentication, an attacker can also log into the application with SQL injection attacks.
• For example, the SQL injection ' or 1=1-- helps the attacker bypass the authentication:
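The login query built both ways, as an added example that is not part of the original deck: the in-memory SQLite table and the account are constructed, and the injected value is the one quoted on the slide, so a tester can see why string-built SQL is bypassed and a parameterized query is not.

```python
# Added example: vulnerable (string-spliced) login query beside the
# parameterized fix. Table contents and credentials are constructed.
import sqlite3

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cretPass')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Vulnerable: input is spliced into the SQL text, so a quote in the user
    name ends the string literal and the trailing -- comments out the rest."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

INJECTION = "' or 1=1--"   # the value quoted on the slide, used as the user name

def demo() -> dict[str, bool]:
    """Run both handlers with the injected value and with real credentials."""
    conn = setup_db()
    return {
        "vuln_bypassed": login_vulnerable(conn, INJECTION, "anything"),
        "vuln_valid": login_vulnerable(conn, "alice", "s3cretPass"),
        "safe_bypassed": login_parameterized(conn, INJECTION, "anything"),
        "safe_valid": login_parameterized(conn, "alice", "s3cretPass"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:14s} {result}")
```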
10. Authentication Testing
• Any technique that reaches the restricted pages without entering the correct credentials can be called an authentication bypass.
• The security tester must assure that restricted pages are only accessible through the login mechanism.
11. Authentication Testing
• The screenshot below of the PayPal website shows how the password is echoed back from the server when the user enters an invalid user name or password.
• Here an attacker can retrieve the HTML files from the browser history to view the source code.
12. Authentication Testing
• As shown here, the echoed password appears in the HTML source code of the page in clear text.
13. Authentication Testing
• The security tester needs to verify each mechanism by which credentials are sent from the client machine to the server.
• In the screenshots below of the Shopify website, on the user password reset page the password value also travels over the GET method.
14. Authentication Testing
• Most of the time developers leave the default credential entry points open on the production server too.
• The security tester needs to verify this manually or with automated tools (Brutus, as shown in the screenshot below) to identify default credential access.
15. Authentication Testing
• Most ecommerce applications require the remember-me password functionality because it makes it easy for the customer to log in again without remembering the password.
• But this functionality becomes dangerous when the application's business domain changes from ecommerce to banking.
• The remembered password is saved in the user's browser, from which it can easily be retrieved.
16. Authentication Testing
• Most applications allow the user to set challenge questions and answers for password recovery.
• A lazy user always sets very easy questions and answers which can easily be broken by attackers.
• Some examples are “what is your name”, “what comes after 8”, etc.
• With the help of password cracking tools, attackers can easily break the security challenge.
• The security tester must ensure that such weak challenges are avoided in the application.
• The security tester also needs to verify the password reset and change password functionalities.
• Most applications send an authorization token to the registered email address. The security tester must ensure that the reset link is always bound to a time period and destroyed after use.
• The authorization token should be complex and lengthy so that an attacker cannot easily predict the token id.
• The change password feature should only be allowed if the previous password is also supplied with the request.
• The security tester must ensure that no user can change the password of another user.
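A reset-token store and change-password routine that satisfy the rules on this slide (unpredictable, time-bound, single-use token; change requires the current password; no cross-user change), as an added example that is not part of the original deck; the accounts, the 15-minute lifetime and the plain SHA-256 hashing are constructed for illustration.

```python
# Added example: password reset and change handling that a tester can
# check against the slide's rules. Users, TTL and the hash choice are
# constructed; a real system would use a slow, salted password hash.
from __future__ import annotations
import hashlib, hmac, secrets

TOKEN_TTL = 15 * 60                                  # assumed link lifetime (s)
_users: dict[str, bytes] = {}                        # username -> password hash
_reset_tokens: dict[str, tuple[str, float]] = {}     # token -> (user, expiry)

def _hash(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()      # illustration only

def register(user: str, password: str) -> None:
    _users[user] = _hash(password)

def verify(user: str, password: str) -> bool:
    return user in _users and hmac.compare_digest(_users[user], _hash(password))

def issue_reset_token(user: str, now: float) -> str:
    """256-bit random token, bound to one user and to an expiry time."""
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (user, now + TOKEN_TTL)
    return token

def redeem_reset_token(token: str, new_password: str, now: float) -> bool:
    """Consume the token: unknown or expired tokens are rejected, and a valid
    one is removed so the same link cannot be replayed from an inbox."""
    entry = _reset_tokens.pop(token, None)           # destroyed on first use
    if entry is None:
        return False
    user, expiry = entry
    if now > expiry:
        return False
    _users[user] = _hash(new_password)
    return True

def change_password(session_user: str, target_user: str, old: str, new: str) -> bool:
    """Only the logged-in user may change their own password, and only when the
    current password is supplied in the same request."""
    if session_user != target_user or target_user not in _users:
        return False
    if not hmac.compare_digest(_users[target_user], _hash(old)):
        return False
    _users[target_user] = _hash(new)
    return True
```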