
Tuesday, June 22, 2010

Validate User Credentials

Guessing User Credentials:-

When we submit wrong credentials and the application replies with a message that says either that the username does not exist on the system or that the provided password is wrong, the difference between the two messages tells an attacker whether a given username is valid. By trying many names, an attacker can build a list of valid users on the system. That list can then be used to attack the web application, for example through a brute-force or default username/password attack against each known account.


Technical Tips:-

The application should answer in the same manner for every failed authentication attempt, regardless of whether the username was unknown or the password was wrong.

For Example:

Credentials submitted are not valid..
Or
UserName or Password mismatched..

EXTRA – TIPS:-
We can require user passwords to follow the composition rules below, or a variation of them:
• at least: 1 uppercase character (A-Z)
• at least: 1 lowercase character (a-z)
• at least: 1 digit (0-9)
• at least one special character (!"£$%&...)
• a defined minimum length (e.g. 8 chars)
• a defined maximum length (as with all external input)
• no sequences of consecutive characters (e.g. 123abcd)
• not more than 2 identical characters in a row (e.g. 1111)
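The rules above as a checker, added here as an example that is not code from the original post. It returns every rule a password violates rather than only the first, which is what a registration form needs to show the user. The maximum length of 64, the sequence length of 3 consecutive code points and the function names checkPasswordPolicy, hasSequence and hasRepeat are assumptions of the example.

```javascript
// Added example, not part of the original post: password-composition check
// implementing the rules listed in the post.
const MIN_LENGTH = 8;  // from the post's example
const MAX_LENGTH = 64; // assumption; the post only says "a defined maximum length"

// True if the password contains runLength consecutive characters whose code
// points step by exactly +1 or -1 (e.g. "123" or "cba").
function hasSequence(pw, runLength = 3) {
  for (let i = 0; i + runLength <= pw.length; i++) {
    let up = true, down = true;
    for (let j = 1; j < runLength; j++) {
      const diff = pw.charCodeAt(i + j) - pw.charCodeAt(i + j - 1);
      if (diff !== 1) up = false;
      if (diff !== -1) down = false;
    }
    if (up || down) return true;
  }
  return false;
}

// True if any character appears more than maxRun times in a row (e.g. "111").
function hasRepeat(pw, maxRun = 2) {
  let run = 1;
  for (let i = 1; i < pw.length; i++) {
    run = pw[i] === pw[i - 1] ? run + 1 : 1;
    if (run > maxRun) return true;
  }
  return false;
}

// Returns { ok, failures }, where failures names each violated rule.
function checkPasswordPolicy(pw) {
  const failures = [];
  if (!/[A-Z]/.test(pw)) failures.push('uppercase');
  if (!/[a-z]/.test(pw)) failures.push('lowercase');
  if (!/[0-9]/.test(pw)) failures.push('digit');
  if (!/[^A-Za-z0-9]/.test(pw)) failures.push('special'); // anything non-alphanumeric counts
  if (pw.length < MIN_LENGTH) failures.push('minLength');
  if (pw.length > MAX_LENGTH) failures.push('maxLength');
  if (hasSequence(pw)) failures.push('sequence');
  if (hasRepeat(pw)) failures.push('repeat');
  return { ok: failures.length === 0, failures };
}

module.exports = { checkPasswordPolicy, hasSequence, hasRepeat, MIN_LENGTH, MAX_LENGTH };
```

Run the same function on the server at registration and password change; a client-side copy only improves the user experience, since a client can always bypass it.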

CODE:-


/*
* 1. Paste validate() (and its helpers) inside <script></script> on the login page.
* 2. Call validate() before submit(); the form below does this via onclick.
*
* Note: trim() and isValidAlphaNumericInput() are expected to come from js/validations.js,
* which the page includes. Client-side checks are only a convenience for the user;
* the server must repeat every check, because a client can bypass this script.
*/

//login.jsp
//**************************************************************************************************************************
<script type="text/javascript" src="js/sha.js"></script>
<script type="text/javascript" src="js/validations.js"></script>
<script type="text/javascript">

function calcHash()
{
    // Compute the salted hash of the password here (placeholder; the post does not show it).
}

function validate()
{
    // Special characters that could be passed as the allowed set instead of "":
    // var specialChars = "#,+,~,`,=,\,,.,@,!,~,*,^,`,&,$,(,),[,],{,},:,;,>,<,%,?,\",'";
    var errors = document.getElementById("errors");
    var uName  = document.getElementById("uName").value;
    var passwd = document.getElementById("passwd").value;

    errors.innerHTML = '';

    // Neither field may be empty (ignoring surrounding whitespace).
    if ( trim(uName) == "" || trim(passwd) == "" )
    {
        errors.innerHTML = "Login / Password must not be empty...";
        return false;
    }
    // Both fields must be alphanumeric; the second argument lists extra allowed characters.
    if ( !isValidAlphaNumericInput( uName, "" ) || !isValidAlphaNumericInput( passwd, "" ) ) // or specialChars
    {
        errors.innerHTML = "Login / Password must be alphanumeric...";
        return false;
    }
    /* Optional: reject a user name that is only blank space.
    if ( isBlankSpace( trim(uName) ) )
    {
        errors.innerHTML = "User Name must not be a blank space..";
        return false;
    } */

    //newHMAC();
    calcHash();
    return true; // let the form submit
}

</script>

<body>
<form action="login?action=login" name="frm" method="post" autocomplete="off"><br />

UserName: <input type="text" name="uName" id="uName" class="dropdown" size="30" autofocus /> <br />

Password :<input type="password" name="passwd" id="passwd" class="dropdown" size="30" /> <br />

<div id="errors"></div>

<input type="submit" value="Login" onclick="return validate()" />
<input type="reset" />
</form>
</body>
