The Authentication Tester tool in Acunetix WVS is used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.
Testing HTTP Authentication
HTTP authentication is part of the HTTP specification. If a site performs HTTP authentication, the web server answers an unauthenticated request with a 401 status and a WWW-Authenticate header, and the browser displays a username and password pop-up dialog. The credentials are validated by the web server itself against its user store (with IIS these are local Windows user accounts; with Apache they are stored in a password file, such as one created with htpasswd).
Testing the Username and Password Strength for HTTP Authentication
1. From the Tools Explorer, select the ‘Authentication Tester’ node, enter the target URL (e.g. www.test.com/login/) in the ‘Target URL to test’ edit box and select ‘HTTP’ as the authentication method to be used for the attack.
2. By default the built-in dictionaries are used. You can also specify your own username and password dictionaries by giving the full path to a plain text file listing the usernames or passwords to attempt to log in with. Click ‘Start’ to start the Authentication Tester. Keep in mind that a dictionary attack generates a large number of failed logons and may trigger account lockout on the target.
Note: By default the Authentication Tester classifies a logon as failed if the server returns an HTTP 401 response status. If a custom failed-login page is used instead, a matching string or regular expression must be specified in the ‘Logon has failed if’ field. Choose text that appears only on the failure response; if it also appears after a successful login, valid credentials will be reported as failures.
Testing form based authentication
A login sequence that uses web forms authentication asks for the username and password via an HTML form; the submitted values are then validated on the server by a custom script rather than by the web server itself, so a failed login is usually signalled by the page content and not by the HTTP status code.
Testing Username and Password Strength for web forms
1. From the Tools Explorer, select the ‘Authentication Tester’ node and specify the target URL (e.g. www.test.com/login/) in the ‘Target URL to test’ edit box.
2. Select ‘HTML form based’ as the authentication method to be used for the attack and click on ‘Select user/password form fields to use’.
3. In the ‘Parse Web Forms from URL’ screen, the application displays all the fields contained in the target page, as shown in the screen shot above. Indicate the form field that represents the username by clicking on the field and then on the ‘Username’ button; likewise indicate the field that represents the password by clicking on it and then on the ‘Password’ button at the bottom of the window.
4. Acunetix WVS must be told what a failed login page looks like, since any response that does not match the failure condition is treated as a successful login. Using a web browser, attempt to log in with wrong credentials to generate a login error and note down the text that indicates the failure. Set ‘Logon has failed if’ to ‘Result contains’ and paste that text into the input box. A regular expression can be used instead by choosing ‘Result matches regular expression’. Click ‘Start’ to launch the dictionary attack against the web form.
Note: If there are multiple forms on the page, they will be parsed and shown in this dialog. Select the form which contains the relevant authentication fields.
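To make the two failure-detection modes concrete, the following is an added Python example (it is not Acunetix code and not part of the original page) that reproduces what the Authentication Tester does for both the HTTP authentication procedure above and the web-form procedure. The "servers" are in-memory stubs with a constructed user store; the usernames, passwords and the form field names uname and pass are hypothetical, and the two inline lists stand in for the dictionary files.

```python
import base64
import re

# Constructed user store standing in for the server side (Windows accounts on
# IIS, a password file on Apache, or a custom script's user table). Hypothetical.
USER_DB = {"admin": "letmein", "jsmith": "Summer2012"}


def http_basic_server(headers):
    """Stub server protecting a URL with HTTP Basic auth; returns (status, body).
    A missing or wrong Authorization header gets 401, the tool's default failure."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode()
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        user, _, pwd = decoded.partition(":")
        if user in USER_DB and USER_DB[user] == pwd:
            return 200, "<html><body>Welcome, %s</body></html>" % user
    # A real server would also send: WWW-Authenticate: Basic realm="Restricted"
    return 401, "<html><body>401 Unauthorized</body></html>"


def form_login_server(fields):
    """Stub custom login script: answers 200 either way, so only the page text
    reveals whether the logon failed."""
    user = fields.get("uname", "")
    if user in USER_DB and USER_DB[user] == fields.get("pass", ""):
        return 200, "<html><body>Logged in as %s</body></html>" % user
    return 200, "<html><body>Invalid username or password</body></html>"


# 'Logon has failed if' rules: default 401 check, 'Result contains',
# 'Result matches regular expression'.
def failed_if_status_401(status, body):
    return status == 401


def failed_if_contains(text):
    return lambda status, body: text in body


def failed_if_regex(pattern):
    rx = re.compile(pattern)
    return lambda status, body: rx.search(body) is not None


def send_basic(user, pwd):
    """Client side of HTTP Basic: Authorization: Basic base64(user:password)."""
    token = base64.b64encode(("%s:%s" % (user, pwd)).encode()).decode()
    return http_basic_server({"Authorization": "Basic " + token})


def send_form(user, pwd):
    """Client side of a form login; field names uname/pass are hypothetical."""
    return form_login_server({"uname": user, "pass": pwd})


def dictionary_attack(send, usernames, passwords, failed):
    """Try every username/password pair. A pair is reported as valid when the
    response does NOT satisfy the failure rule, as the tool does; once a password
    is found for a username the remaining passwords for it are skipped."""
    found = []
    for user in usernames:
        for pwd in passwords:
            status, body = send(user, pwd)
            if not failed(status, body):
                found.append((user, pwd))
                break
    return found


# Constructed stand-ins for the username and password dictionary files.
USERNAMES = ["admin", "root", "jsmith"]
PASSWORDS = ["password", "123456", "letmein", "Summer2012"]


def run_http_auth():
    return dictionary_attack(send_basic, USERNAMES, PASSWORDS, failed_if_status_401)


def run_form_auth():
    return dictionary_attack(send_form, USERNAMES, PASSWORDS,
                             failed_if_contains("Invalid username or password"))


def run_form_auth_regex():
    return dictionary_attack(send_form, USERNAMES, PASSWORDS,
                             failed_if_regex(r"Invalid (username|password)"))


def run_form_auth_bad_rule():
    # Pitfall: '<html>' also occurs on the success page, so every attempt is
    # classified as a failure and the valid credentials are never reported.
    return dictionary_attack(send_form, USERNAMES, PASSWORDS, failed_if_contains("<html>"))


if __name__ == "__main__":
    print("HTTP auth:", run_http_auth())
    print("Form auth:", run_form_auth())
    print("Form auth, bad rule:", run_form_auth_bad_rule())
```

The HTTP case needs no failure string because the server itself reports the outcome with a 401; the form case depends entirely on the text or regular expression chosen for ‘Logon has failed if’, and run_form_auth_bad_rule shows why that text must be unique to the failure page.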