[Owasp-testing] Authentication Mechanism

daniel cuthbert daniel.cuthbert at owasp.org
Tue Dec 29 07:44:28 EST 2009


I think the guide explains it well; as with any kind of testing, a strict
methodical approach needs to be taken: the enumeration of the functionality
and technology in use (as covered under Information Gathering).

Once armed with that info, it makes it easier to test. Section 4.4 does
cover a fair amount, granted there are some new techniques I use that would
be useful to add but there is enough in there to get results with 99% of the
apps out there currently.



2009/12/29 Seba <seba at owasp.org>

> Hi,
>
> You'd have to be more specific about this.
> I assume these parameters reference a user/password combination?
>
> There is no particular section in the Testing Guide that helps you identify
> the exact authentication mechanism.
> But the referenced page states: "... Testing the authentication schema
> means understanding how the authentication process works and using that
> information to circumvent the authentication mechanism."
>
> There are numerous ways to perform authentication, so it does require an
> 'understanding' of how it works.
> Do you feel the testing guide needs a section on this?
>
> regards
>
> Seba
>
> On Tue, Dec 29, 2009 at 5:31 AM, Zaki Akhmad <zakiakhmad at gmail.com> wrote:
>
>> On Mon, Dec 28, 2009 at 4:17 PM, Seba <seba at owasp.org> wrote:
>>
>> > There is a whole section on authentication:
>> > http://www.owasp.org/index.php/Testing_for_authentication
>>
>> If I found something like this for authentication,
>>
>> <applet>
>>   <param name=" " value="  ">
>>   <param name="  " value="  ">
>>    ...
>> </applet>
>>
>> where is it on the list?
>>
>> --
>> Zaki Akhmad
>>
>
>
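As an added example (not code from the thread, the list members, or the OWASP Testing Guide): the enumeration step Daniel refers to can be started with a small inventory pass over the login page's markup. The script below uses Python's standard `html.parser` to list every `<applet>` with its `<param>` names and every `<form>` with its inputs, then records review notes: applet parameters whose names look credential-related (the case Seba assumes in the thread), and password forms that are not submitted via POST. The page markup, the applet class name, and the parameter names are constructed for this example; the `CREDENTIAL_HINTS` list is a hypothetical heuristic, not a guide-defined one.

```python
"""Inventory of authentication-related client-side components in an HTML page.

Added example, not from the thread or the OWASP Testing Guide. It supports the
Information Gathering step: before testing an authentication schema, record
which technology the page actually uses (Java applet with parameters, HTML
form, or both) and note anything the reviewer should follow up on.
"""
from html.parser import HTMLParser

# Hypothetical heuristic: substrings that suggest a parameter carries or names
# a credential. Tune for the application under review.
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token", "user", "login")

# Constructed sample page for this example (not a real application).
SAMPLE_HTML = """
<html><body>
<applet code="LoginApplet.class" width="300" height="120">
  <param name="server" value="auth.example.internal">
  <param name="username" value="">
  <param name="password" value="">
</applet>
<form action="/login" method="get">
  <input name="user" type="text">
  <input name="pwd" type="password">
</form>
</body></html>
"""


class AuthComponentInventory(HTMLParser):
    """Collects <applet>/<param> and <form>/<input> structure from a page."""

    def __init__(self):
        super().__init__()
        self.applets = []   # each: {"attrs": {...}, "params": [(name, value), ...]}
        self.forms = []     # each: {"action": str, "method": str, "inputs": [(name, type), ...]}
        self._cur_applet = None
        self._cur_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None when written without "=value"
        if tag == "applet":
            self._cur_applet = {"attrs": a, "params": []}
            self.applets.append(self._cur_applet)
        elif tag == "param" and self._cur_applet is not None:
            # Blank or whitespace-only names (as in the snippet quoted in the
            # thread) are kept verbatim so the reviewer sees them.
            self._cur_applet["params"].append((a.get("name") or "", a.get("value") or ""))
        elif tag == "form":
            self._cur_form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._cur_form)
        elif tag == "input" and self._cur_form is not None:
            self._cur_form["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._cur_applet = None
        elif tag == "form":
            self._cur_form = None


def inventory(html):
    """Return (applets, forms) found in the page."""
    p = AuthComponentInventory()
    p.feed(html)
    p.close()
    return p.applets, p.forms


def findings(html):
    """Review notes derived from the inventory: which applet parameters look
    credential-related, and whether password forms are submitted over GET."""
    applets, forms = inventory(html)
    notes = []
    for ap in applets:
        code = ap["attrs"].get("code") or "(no code attribute)"
        for name, value in ap["params"]:
            if any(h in name.lower() for h in CREDENTIAL_HINTS):
                where = "with a value in page source" if value.strip() else "to be filled by the applet"
                notes.append(f"applet {code}: credential-like param '{name}' {where}")
    for f in forms:
        if any(t == "password" for _, t in f["inputs"]) and f["method"] != "post":
            notes.append(f"form {f['action'] or '(no action)'}: password field submitted via {f['method'].upper()}")
    return notes


if __name__ == "__main__":
    applets, forms = inventory(SAMPLE_HTML)
    for ap in applets:
        print("applet", ap["attrs"].get("code"), "params:", [n for n, _ in ap["params"]])
    for f in forms:
        print("form", f["action"], f["method"].upper(), "inputs:", [n for n, _ in f["inputs"]])
    for note in findings(SAMPLE_HTML):
        print("note:", note)
```

The output is a list of what the page relies on for authentication (here: an applet taking `server`, `username` and `password` parameters, plus a form that sends a password over GET), which is the starting point the thread describes before any of the Section 4.4 tests are chosen.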