Identification and authentication failures are weaknesses in the processes a system uses to verify who a user is. They let an attacker act as another user or as an anonymous user who should not have access at all.
Description: Using weak or predictable passwords and storing them insecurely.
Example: Passwords that are too short or that appear on lists of common passwords, or passwords stored in plain text (or as unsalted fast hashes) instead of as salted, slow password hashes.
Description: Insufficient verification of user identity.
Example: Lack of two-factor authentication or use of unreliable authentication mechanisms.
Description: Issues that allow attackers to bypass or compromise login mechanisms.
Example: Attacks on the login process, such as brute-forcing or credential stuffing against the login form, or abusing a weak password reset mechanism to take over the account without the password.
Set the minimum password length to at least 8 characters, and check every new password against lists of common weak passwords (for example the password lists in SecLists) and reject matches. Mandatory composition rules (uppercase and lowercase letters, digits, special characters) add little: users satisfy them with predictable patterns such as a capital first letter and a trailing digit. A stronger policy raises the minimum length to 12 characters, places no restriction on composition, and relies on the blocklist check to catch the weak combinations that length alone does not.
When testing the policy, use the same tooling an attacker would. Password crackers such as John the Ripper (and Hashcat) apply mangling rules to a wordlist: replacing letters with look-alike digits or symbols, capitalising the first letter, appending a year or a digit, so that P@ssword1 is generated from password. Feed them the weak-password lists from SecLists; Hydra then automates trying the resulting candidates against the live login form. Because these transformations are automatic and cheap, a blocklist check should also reject a password that matches a listed one after the common substitutions are undone.
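The policy described above, as an added example that is not part of the original page: a length check with no composition rules, a blocklist comparison that undoes the common look-alike substitutions (so P@ssw0rd2024! is still rejected), and salted slow hashing for storage. The tiny COMMON_PASSWORDS set is a constructed stand-in for a real SecLists file, and the function names, the 12-character minimum and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for a SecLists-style common-password list.
# Assumption: in production, load the real file (tens of thousands of entries).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "iloveyou", "admin", "sunshine", "football", "troubador",
}

MIN_LENGTH = 12            # assumption: length instead of composition rules
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget

# Look-alike substitutions that cracker rules apply (mangling); we reverse them
# so the candidate is compared in the same "base" form the rules started from.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case, drop the trailing digits/punctuation (e.g. '2024!'),
    then undo look-alike substitutions: 'P@ssw0rd2024!' -> 'password'."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    return p.translate(LEET_MAP)


def check_password(password, common=COMMON_PASSWORDS):
    """Return (accepted, reason). Only length and a blocklist are enforced."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in common:
        return False, "matches a common password"
    if normalize(password) in common:
        return False, "matches a common password after undoing substitutions"
    return True, "ok"


def hash_password(password, salt=None):
    """Store passwords as salt$hash using a slow, salted KDF, never plain text."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, check_password(candidate))
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```

The normalisation is deliberately crude: it only needs to catch the mechanical rules a cracker applies first, not every possible variant. Anything it misses is still subject to the length requirement and to the login rate limits described later.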
Specialized solutions: Use protection services against DDoS and brute-force attacks, such as Cloudflare, to protect against excessive requests to the system.
Request Limiters: Implement request limiters using frameworks such as Symfony, Laravel, or Yii2. This will limit the number of login attempts in a short period of time.
Captcha or secret question: After several failed login attempts, require the user to complete a captcha or answer a secret question. If you use a secret question, make sure the answer is not easy to guess or look up, and treat it only as a brute-force speed bump, not as a second factor: secret questions are much weaker than a captcha plus a real second factor.
Random Delay: Add a random delay (1-2 seconds) after a failed login attempt. This slows a sequential brute-force attack considerably without inconveniencing legitimate users, who rarely fail more than once or twice. On its own it does not stop an attacker who sends many requests in parallel, so use it together with the request limits above rather than instead of them.
Use tools like Hydra, Burp Suite Intruder, or OWASP ZAP to run automated attacks against the login pages. Check how well the request limits hold up and whether they can be bypassed by rotating source IP addresses or proxy servers (a limit keyed only on the client IP is bypassed this way), by changing the username between attempts, or by varying headers such as User-Agent.
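The request limiter, captcha trigger and random delay from the items above, together with the bypass test just described, as an added example that is not part of the original page. The LoginGuard class keeps a sliding window of failures per IP and per account, demands a captcha once an account exceeds its budget, and sleeps a random 1-2 seconds after each failure. simulate_attack then plays an attacker who guesses 100 passwords for the account admin, with and without rotating IPs, against a guard with and without the per-account counter. Class and function names, the limits and the window length are assumptions chosen for the example; the fake clock stands in for real time so the run is instant.

```python
import random
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumption: sliding window for counting failures
MAX_FAILS_PER_IP = 20  # assumption: block the IP above this
MAX_FAILS_PER_ACCOUNT = 5  # assumption: captcha required above this
DELAY_RANGE = (1.0, 2.0)   # random delay after a failed attempt, in seconds


class LoginGuard:
    """Rate limiter for a login endpoint; decide() runs before the password
    check, record_failure() after a wrong password."""

    def __init__(self, per_account=True, clock=time.monotonic, sleep=time.sleep):
        self.per_account = per_account
        self.clock = clock
        self.sleep = sleep
        self.fails_by_ip = defaultdict(deque)
        self.fails_by_user = defaultdict(deque)

    def _recent(self, table, key):
        """Count failures for key inside the window, dropping older ones."""
        now = self.clock()
        dq = table[key]
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def decide(self, ip, username, captcha_ok=False):
        """Return 'allow', 'blocked_ip' or 'captcha_required'."""
        if self._recent(self.fails_by_ip, ip) >= MAX_FAILS_PER_IP:
            return "blocked_ip"
        if (self.per_account
                and self._recent(self.fails_by_user, username) >= MAX_FAILS_PER_ACCOUNT
                and not captcha_ok):
            return "captcha_required"
        return "allow"

    def record_failure(self, ip, username):
        now = self.clock()
        self.fails_by_ip[ip].append(now)
        self.fails_by_user[username].append(now)
        # Random delay: cheap for one legitimate user, costly for a sequential attacker.
        self.sleep(random.uniform(*DELAY_RANGE))


class FakeClock:
    """Constructed clock so the simulation does not really sleep."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_attack(rotate_ips, per_account, attempts=100, username="admin"):
    """Attacker guesses `attempts` wrong passwords for one account.
    Returns (guesses that reached the password check, simulated seconds spent)."""
    clock = FakeClock()
    guard = LoginGuard(per_account=per_account, clock=clock.now, sleep=clock.sleep)
    reached = 0
    for i in range(attempts):
        # Constructed attacker addresses from the TEST-NET-2 documentation range.
        ip = f"198.51.100.{i % 250 + 1}" if rotate_ips else "198.51.100.1"
        if guard.decide(ip, username) != "allow":
            continue
        reached += 1
        guard.record_failure(ip, username)  # every guess is wrong in this run
    return reached, clock.t


if __name__ == "__main__":
    for rotate, per_acct in ((False, False), (True, False), (True, True)):
        n, secs = simulate_attack(rotate, per_acct)
        print(f"rotate_ips={rotate} per_account={per_acct}: "
              f"{n} guesses reached the password check in {secs:.0f}s")
```

The middle run is the one the test in the text is looking for: with only a per-IP counter, rotating addresses lets all 100 guesses through, while the per-account counter caps the attacker at 5 guesses per window regardless of how many proxies they have. The per-account limit should trigger a captcha or a second factor rather than a hard lockout, otherwise an attacker can lock legitimate users out of their own accounts.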
Also check whether the captcha itself can be solved automatically, or handed off to an external captcha-solving service; if it can, it adds cost to an attack but does not stop it, so the request limits must work without it.
The ffuf.md documentation provides several examples of traversing paths and parameters using the ffuf tool that illustrate how an attacker can perform a brute force attack on a web application.
To protect against such attacks, use request limits, captchas, blocking access by IP addresses, and random delays between requests. This will help effectively prevent brute force attacks on your web application.
Using ffuf: A well-known tool for carrying out brute force attacks:
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ
Each word from the wordlist is substituted for FUZZ in turn, iterating over possible URLs or parameters to reveal hidden paths or vulnerable endpoints on the server. The same run with a custom User-Agent header shows whether the protection (a captcha or a block page) is triggered at all, and whether it keys on the client's headers rather than on the request rate:
ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -H "User-Agent: ffuf-agent"