Username enumeration
Bypass authentication using various SQL injections in the username and password fields
Check whether resources can be used without authentication (access control violation)
Check whether user credentials are transmitted over SSL/TLS or in the clear
Weak login function: both HTTP and HTTPS versions of the login are available
Lack of password confirmation on:
a. Change email address
b. Change password
c. Manage 2FA
Test the user account lockout mechanism against brute-force attacks
Variation: if the server blocks rapid-fire requests, retry using the time-throttle option in Intruder and repeat the process.
a. Bypass rate limiting by changing the User-Agent header to a mobile user agent
b. Bypass rate limiting by changing the User-Agent header to an anonymous user agent
c. Bypass rate limiting by inserting a null byte
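As an added illustration of what the username-enumeration and lockout items above are checking for, seen from the defending side (example code added here, not part of the original checklist): a login handler whose throttle key is built only from the normalised username and the client IP, so changing the User-Agent header does not get a fresh counter; that rejects control characters such as NUL in the username instead of letting them create a distinct key; and that returns one generic message for unknown users and wrong passwords alike. The user store, salt, IP address, header dictionary and the 10,000-iteration PBKDF2 setting are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed per key inside the window
WINDOW_SECONDS = 300    # sliding window for counting failures
GENERIC_FAILURE = "Invalid username or password."   # same text for every failure cause
LOCKED_OUT = "Too many attempts, try again later."


def normalise_username(username: str) -> str:
    """Canonical form used both for the user lookup and the throttle key.

    Control characters (including NUL) are rejected rather than stripped, so
    'alice' and 'alice\\x00' cannot end up as two different counters while
    still matching the same account.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in username):
        raise ValueError("control characters are not allowed in usernames")
    return username.strip().lower()


class LoginThrottle:
    """Sliding-window failed-login counter keyed on account and on client IP.

    Request headers are never part of the key: a change of User-Agent must
    not reset the count. `clock` is injectable so the window can be tested.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _keys(self, username, client_ip):
        return (f"user:{normalise_username(username)}", f"ip:{client_ip}")

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop entries outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, username, client_ip):
        now = self.clock()
        return any(self._recent(k, now) >= self.max_failures
                   for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip):
        now = self.clock()
        for k in self._keys(username, client_ip):
            self._failures[k].append(now)

    def record_success(self, username, client_ip):
        # A successful login clears the per-account counter only; the per-IP
        # counter keeps protecting other accounts from the same source.
        self._failures.pop(f"user:{normalise_username(username)}", None)


def build_user_store():
    """Constructed demo store: one account with a PBKDF2-hashed password."""
    salt = b"constructed-demo-salt"
    return {"alice": {"salt": salt,
                      "hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 10_000)}}


def login(throttle, users, username, password, client_ip, headers):
    """Return (ok, message). `headers` is accepted only to show it is ignored."""
    try:
        if throttle.is_blocked(username, client_ip):
            return False, LOCKED_OUT
        record = users.get(normalise_username(username))
    except ValueError:
        return False, GENERIC_FAILURE          # malformed username: no detail leaked
    # Always do the hashing work, so response time does not reveal whether
    # the account exists (a dummy salt stands in for a missing record).
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    if record and hmac.compare_digest(candidate, record["hash"]):
        throttle.record_success(username, client_ip)
        return True, "Welcome."
    throttle.record_failure(username, client_ip)
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    users = build_user_store()
    throttle = LoginThrottle(max_failures=3)
    for ua in ("Mozilla/5.0", "Mobile Safari", "curl/8"):
        print(login(throttle, users, "alice", "wrong", "203.0.113.5", {"User-Agent": ua}))
    print(login(throttle, users, "alice", "correct horse", "203.0.113.5", {"User-Agent": "Other"}))
```

The two things worth checking when reviewing a real implementation are the same ones the block makes explicit: the lockout decision happens before the password is verified, and the key it is computed from contains nothing the client can freely vary per request.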