The Authentication Tester is a tool that forms part of the Acunetix Manual Pen Testing Tools suite (available to download for free). The Authentication Tester allows you to test the strength of credentials used in HTTP authentication, as well as custom HTML form-based authentication by running an online dictionary attack.

You can start using the Authentication Tester by launching the Acunetix Tools application, and selecting the Authentication Tester from the Tools Explorer.

The top pane in the Authentication Tester is where you can configure the tool. The bottom pane shows valid usernames and passwords.

Testing HTTP Authentication

HTTP Authentication is part of the HTTP specification. If a site performs HTTP Authentication, the browser displays a username and password pop-up dialog and (with the Basic scheme) then sends the credentials, base64-encoded, in the Authorization header of every subsequent request. The web server validates the logon against a database of users: with Microsoft IIS these are local Windows user accounts, and with Apache HTTP Server they are stored in a file (typically one created with htpasswd).

To start, enter the target URL (e.g. www.example.com/secret/) in the Target URL to test textbox, and select HTTP as the authentication method to be used for the attack.

The default dictionaries will be used unless you specify your own Username and Password dictionaries, by giving the full path to a plain text file containing the list of usernames or passwords to attempt to log in with. You can also choose a different fail condition; the supported fail conditions are HTTP status code is, Result contains, and Result matches regular expression. Because every attempt is a real login request, check first whether the target enforces an account-lockout policy: a dictionary attack can lock out the very accounts you are testing and will show up as a burst of failed logins in the server's logs.

Click on the Start button to start the dictionary attack.

Testing form-based authentication

The Authentication Tester can also be used to test HTML form-based authentication.

To test form-based authentication mechanisms, select HTML form based in the Authentication Method drop-down, and then click on the Select... button.

In the Parse Web Forms from URL screen, the application displays all the form fields found in the target page. Indicate which field holds the username by clicking on the field and then on the Username button, and which field holds the password by clicking on that field and then on the Password button at the bottom of the window.

The Authentication Tester has no way of knowing what a successful login looks like, so it must be told what a failed login response looks like; any attempt whose response does not match the failure condition is reported as a valid credential.

Using a web browser, attempt to log in to the page with wrong credentials to generate a login error, and note down the text that indicates a login failure. Set Logon has failed if to Result contains and paste that text into the input textbox.

Regular expressions can also be specified by choosing Result matches regular expression. Click the Start button to launch the dictionary attack against the web form.
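As an added example that is not Acunetix code and not part of the original post, the following Python models what the tool does in both sections above: an online dictionary attack driven by the three "Logon has failed if" conditions (status code, result contains, result matches regular expression), run once against an HTTP Basic target and once against an HTML form target, plus the field discovery the Parse Web Forms from URL screen performs. The two target servers, the user database, the dictionaries, the login page and the field names uname and pass are all constructed stand-ins so the script runs offline.

```python
# Added example (not Acunetix code): an in-process model of the Authentication
# Tester's online dictionary attack. The targets below are constructed stand-ins.
import base64
import re
from html.parser import HTMLParser

# Constructed credential store standing in for the server's user database.
USER_DB = {"admin": "letmein", "alice": "Summer2024"}

# Constructed dictionaries (the real tool reads these from plain text files).
USERNAMES = ["root", "admin", "alice", "bob"]
PASSWORDS = ["password", "123456", "letmein", "Summer2024"]


def http_basic_target(authorization):
    """Stand-in for a page protected by HTTP Basic auth: 401 until credentials match."""
    if authorization and authorization.startswith("Basic "):
        try:
            user, _, pwd = base64.b64decode(authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            user = pwd = None
        if user in USER_DB and USER_DB[user] == pwd:
            return 200, "<h1>Secret area</h1>"
    return 401, "Unauthorized"


def form_target(fields):
    """Stand-in for an HTML form login: 302 on success, 200 plus error text on failure."""
    if USER_DB.get(fields.get("uname")) == fields.get("pass"):
        return 302, ""
    return 200, "<p class='error'>Invalid username or password.</p>"


def logon_failed(status, body, condition):
    """Evaluate one 'Logon has failed if' condition against a response."""
    kind, value = condition
    if kind == "status_code":
        return status == value
    if kind == "contains":
        return value in body
    if kind == "regex":
        return re.search(value, body) is not None
    raise ValueError(f"unknown fail condition {kind!r}")


def dictionary_attack(send, usernames, passwords, condition):
    """Try every username/password pair; return the pairs the fail condition did not reject."""
    found = []
    for user in usernames:
        for pwd in passwords:
            status, body = send(user, pwd)
            if not logon_failed(status, body, condition):
                found.append((user, pwd))
                break  # one password per username is enough; move to the next user
    return found


def send_basic(user, pwd):
    """Build the Authorization header a browser would send for Basic auth."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return http_basic_target(f"Basic {token}")


def send_form(user_field, pass_field):
    """Return a sender that posts the pair into the chosen username/password fields."""
    def send(user, pwd):
        return form_target({user_field: user, pass_field: pwd})
    return send


class FormFieldParser(HTMLParser):
    """Collect (name, type) of every named input, like the Parse Web Forms screen."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            attrs = dict(attrs)
            if attrs.get("name"):
                self.fields.append((attrs["name"], attrs.get("type", "text")))


def parse_form_fields(html):
    parser = FormFieldParser()
    parser.feed(html)
    return parser.fields


# Constructed login page for the form-based example.
LOGIN_PAGE = """<form method="post" action="/login">
<input name="uname" type="text"><input name="pass" type="password">
<input name="csrf" type="hidden" value="x"><input type="submit" value="Log in"></form>"""

if __name__ == "__main__":
    print(dictionary_attack(send_basic, USERNAMES, PASSWORDS, ("status_code", 401)))
    fields = parse_form_fields(LOGIN_PAGE)
    user_field = next(n for n, t in fields if t == "text")
    pass_field = next(n for n, t in fields if t == "password")
    print(dictionary_attack(send_form(user_field, pass_field), USERNAMES, PASSWORDS,
                            ("contains", "Invalid username or password")))
```

The point to notice is the inversion in dictionary_attack: it never checks for success, only for the absence of the configured failure. A fail condition that is too narrow (a status code the server never returns, or error text copied with a typo) therefore reports every attempt as a valid credential, which is why the original post has you provoke a real failed login in a browser before starting.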

Acunetix is an automated web application security scanner and vulnerability management platform. In addition, Acunetix also provides a suite of manual pentesting tools that allow users to quickly and easily confirm and take automated testing further.

THE AUTHOR
Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.