Classic Authentication Attacks Flashcards
What are classic authentication attacks and when can they be used?
Simply, they are attacks that have been around for a while, like brute-force and password spraying. They can be used anytime when basic authentication is being utilized.
What is basic authentication?
It’s a method where the user sends a username and a password, and the API performs a check to validate these credentials.
Explain what a password spraying attack is.
It’s a technique where the attacker uses a list of the most common or probable passwords to try to guess the login credentials of a known user, or of a list of known users.
What are the advantages of using a list of the most common or probable passwords?
The attacker can take into account the password policy and constraints enforced by the API. Also, this approach can evade security controls that would block a brute-force attack.
When performing a brute-force or password spraying attack, why is it important to check the response message for the sent requests?
It’s important to check it because, depending on the response message, you can also brute-force (enumerate) the usernames that exist in the API database.
What is the main difference between a brute-force and a password spraying attack?
Usually, in a brute-force attack the attacker tries a long list of passwords against a single username. In a password spraying attack, the attacker takes a list of usernames and tries a short list of the most common or probable passwords against each of them.