Guessing User Credentials:-
When we submit wrong credentials, we receive a message that states either that the username is present on the system or that the provided password is wrong. An attacker can use this difference to build a list of valid users on the system, and that list can then be used to attack the web application, for example through a brute-force or default username/password attack.
Technical Tips:-
The application should respond in the same manner to every failed authentication attempt, without revealing which part of the credentials was wrong.
For Example:
Credentials submitted are not valid.
Or
UserName or Password mismatched.
EXTRA – TIPS:-
We can require user passwords to be created with the following composition, or a variant of it:
• at least: 1 uppercase character (A-Z)
• at least: 1 lowercase character (a-z)
• at least: 1 digit (0-9)
• at least one special character (!"£$%&...)
• a defined minimum length (e.g. 8 chars)
• a defined maximum length (as with all external input)
• no contiguous characters (e.g. 123abcd)
• not more than 2 identical characters in a row (1111)
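An added example (not code from the original post) showing how the composition rules above can be checked in JavaScript; the run length of 3 consecutive code points counted as "contiguous characters" and the maximum length of 64 are assumptions, since the post only gives examples.

```javascript
// Added example: a password-composition check implementing the rules listed
// above. The threshold for a "contiguous" run (3 consecutive code points such
// as "abc" or "321") and the 64-character cap are assumptions; the post gives
// only the examples "123abcd" and "a defined maximum length".
const POLICY = {
  minLength: 8,
  maxLength: 64,        // assumed cap
  maxRepeat: 2,         // not more than 2 identical characters in a row
  sequenceLength: 3,    // run length that counts as contiguous (assumption)
  special: /[!"\u00a3$%&'()*+,\-./:;<=>?@[\\\]^_`{|}~]/,
};

// Detects ascending or descending runs of consecutive code points, e.g. "abc", "321".
function hasSequence(pw, len) {
  for (let i = 0; i + len <= pw.length; i++) {
    let asc = true, desc = true;
    for (let j = 1; j < len; j++) {
      const d = pw.charCodeAt(i + j) - pw.charCodeAt(i + j - 1);
      if (d !== 1) asc = false;
      if (d !== -1) desc = false;
    }
    if (asc || desc) return true;
  }
  return false;
}

// True when any character appears more than maxRepeat times in a row ("1111").
function hasRepeat(pw, maxRepeat) {
  let run = 1;
  for (let i = 1; i < pw.length; i++) {
    run = pw[i] === pw[i - 1] ? run + 1 : 1;
    if (run > maxRepeat) return true;
  }
  return false;
}

// Returns the names of the violated rules; an empty array means the password complies.
function checkPasswordPolicy(pw, policy = POLICY) {
  const failures = [];
  if (pw.length < policy.minLength) failures.push('minLength');
  if (pw.length > policy.maxLength) failures.push('maxLength');
  if (!/[A-Z]/.test(pw)) failures.push('uppercase');
  if (!/[a-z]/.test(pw)) failures.push('lowercase');
  if (!/[0-9]/.test(pw)) failures.push('digit');
  if (!policy.special.test(pw)) failures.push('special');
  if (hasSequence(pw, policy.sequenceLength)) failures.push('sequence');
  if (hasRepeat(pw, policy.maxRepeat)) failures.push('repeat');
  return failures;
}
```

The same check should also run on the server, since client-side validation like the snippet below can be bypassed.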
CODE:-
/*
 * 1. paste this validate() in <SCRIPT></SCRIPT>
 * 2. call it before the form submits (here through the form's onsubmit handler)
 */
//login.jsp
//************************************************************
<script type="text/javascript" src="js/sha.js"></script>
<script type="text/javascript" src="js/validations.js"></script>
<script type="text/javascript">
// trim(), isValidAlphaNumericInput() and isBlankSpace() are assumed to be
// provided by js/validations.js, included above.
function calcHash()
{
    //do salted hash code here..
}
function validate()
{
    //var specialChars = "#,+,~,\`,=,\,,.,@,!,~,*,^,\`,&,$,(,),[,],{,},:,;,>,<,%,?,<,>,\",\'";
    var errors = document.getElementById("errors");
    var uName  = document.getElementById("uName").value;
    var passwd = document.getElementById("passwd").value;
    errors.innerHTML = '';
    if ( trim(uName) == "" || trim(passwd) == "" )
    {
        errors.innerHTML = "Login / Password must not be empty...";
        return false;   // returning false cancels the submit
    }
    if ( !isValidAlphaNumericInput( uName, "" ) || !isValidAlphaNumericInput( passwd, "" ) ) //specialChars ) )
    {
        errors.innerHTML = "Login / Password must be alphanumeric...";
        return false;
    }
    /* validation for blank space in userid
    if ( isBlankSpace( trim(uName) ) )
    {
        errors.innerHTML = "User Name must not be a blank space..";
        return false;
    }*/
    //newHMAC();
    calcHash();
    return true;        // all checks passed, let the form submit
}
</script>
<body>
<!-- validate() writes its messages into this element, so it must exist -->
<div id="errors"></div>
<form action="login?action=login" name="frm" method="post" autocomplete="off" onsubmit="return validate()"><br />
UserName: <input type="text" name="uName" id="uName" class="dropdown" size="30" autofocus /> <br />
Password :<input type="password" name="passwd" id="passwd" class="dropdown" size="30" /> <br />
<input type="submit" value="Login" />
<input type="reset" />
</form>