Authentication Tester Tool

The Authentication Tester tool in Acunetix WVS is used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.

Testing HTTP Authentication

HTTP authentication is part of the HTTP specification. If a site performs HTTP authentication, the browser displays a username and password pop-up dialog. With HTTP authentication, the web server validates the logon against a database of users (with IIS these are local Windows user accounts; with Apache they are stored in a file).

Testing the Username and Password Strength for HTTP Authentication

1. Enter the target URL, e.g. www.test.com/login/, in the ‘Target URL to test’ edit box and select ‘HTTP’ as the authentication method to be used for the attack.

2. The default dictionaries will be used. You can also supply your own username and password dictionaries by specifying the full path to a plain-text file containing the list of usernames or passwords to attempt to log in with. Click ‘Start’ to start the Authentication Tester.

Note:

By default the Authentication Tester classifies a logon as failed if the server returns an HTTP 401 response. If a custom failed-login page is used instead, a matching string or regular expression must be specified in the ‘Logon has failed if’ field.

Testing form based authentication

A login sequence that uses web forms authentication asks for the username and password via a web form, which is then validated on the server via a custom script, rather than by the web server itself.

Testing Username and Password Strength for web forms

1. From the Tools Explorer, select the ‘Authentication Tester’ node and enter the target URL, e.g. www.test.com/login/, in the ‘Target URL to test’ edit box.

2. Select ‘HTML form based’ as the authentication method to be used for the attack and click on ‘Select user/password form fields to use’.

3. In the ‘Parse Web Forms from URL’ screen, the application displays all the fields contained in the target page, as shown in the screenshot above. Indicate the form field that represents the username by clicking on the field and then on the ‘Username’ button. Likewise, indicate the field that represents the password by clicking on it and then on the ‘Password’ button at the bottom of the window.

4. Acunetix WVS must be told what a failed login page looks like so that it can recognize a successful login. Using a web browser, attempt to log in with wrong credentials to generate a login error and note down the text that indicates the failure. Set ‘Logon has failed if’ to ‘Result contains’ and paste that text into the input text box. A regular expression can be used instead by choosing ‘Result matches regular expression’. Click ‘Start’ to launch the dictionary attack against the web form.

Note:

If there are multiple forms on the page, they are all parsed and shown in this dialog. Select the form that contains the relevant authentication fields.
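The three ‘Logon has failed if’ settings described above (the default HTTP 401 check for HTTP authentication, and ‘Result contains’ or ‘Result matches regular expression’ for web forms) amount to a classifier that labels each login response as failed or succeeded. The following Python is an added illustration of that classification logic, not Acunetix code; the response bodies, the `FailureRule`/`classify`/`check_rule` names and the calibration step are all constructed for the example. It also shows why a failure phrase must be compared as decoded Unicode text: a rule built from a mangled string such as “???? ???” never matches a non-Latin error page, so every attempt would be reported as a success.

```python
import re
from typing import List, Tuple, Union

# Constructed sample login responses as (HTTP status, raw UTF-8 body).
# They stand in for what a login endpoint might return; none come from a real site.
SAMPLE_RESPONSES = {
    "http_rejected": (401, b"<html><body>Unauthorized</body></html>"),
    "http_accepted": (200, b"<html><body>Welcome back</body></html>"),
    "form_rejected_en": (200, "<p>Invalid username or password</p>".encode("utf-8")),
    "form_rejected_es": (200, "<p>El nombre de usuario y la contraseña no coinciden</p>".encode("utf-8")),
    "form_rejected_ar": (200, "<p>اسم المستخدم أو كلمة المرور غير صحيحة</p>".encode("utf-8")),
    "form_accepted": (200, "<p>Bienvenido, admin</p>".encode("utf-8")),
}


class FailureRule:
    """One 'Logon has failed if' setting: HTTP status code, substring, or regex."""

    def __init__(self, mode: str, value: Union[str, int]) -> None:
        if mode not in ("status", "contains", "regex"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.value = value
        # Compile once; str patterns in Python 3 are Unicode-aware by default.
        self._pattern = re.compile(str(value)) if mode == "regex" else None

    def matches(self, status: int, body: bytes) -> bool:
        """True when the response looks like a failed login under this rule."""
        if self.mode == "status":
            return status == int(self.value)
        # Decode before comparing so non-ASCII phrases (Spanish, Arabic, ...)
        # are compared as text, not raw bytes. Undecodable bytes become U+FFFD,
        # never '?', so a rule pasted in as "????" cannot accidentally match.
        text = body.decode("utf-8", errors="replace")
        if self.mode == "contains":
            return str(self.value) in text
        return self._pattern.search(text) is not None


def classify(rule: FailureRule, status: int, body: bytes) -> str:
    """Label a single response the way the tester would."""
    return "failed" if rule.matches(status, body) else "succeeded"


def check_rule(rule: FailureRule,
               known_failures: List[Tuple[int, bytes]]) -> Tuple[bool, str]:
    """Calibrate a rule against responses produced by credentials known to be wrong.

    If the rule misses any of them, every attempt would be labelled a success and
    the results would be worthless, so the rule must be fixed before a run.
    """
    for status, body in known_failures:
        if not rule.matches(status, body):
            return False, ("rule does not match a known failed login; "
                           "successes would be indistinguishable from failures")
    return True, "rule matches all known failed logins"


if __name__ == "__main__":
    # Constructed demo: HTTP auth uses the 401 default, forms use a phrase or regex.
    http_rule = FailureRule("status", 401)
    es_rule = FailureRule("contains", "El nombre de usuario y la contraseña no coinciden")
    ar_rule = FailureRule("regex", r"كلمة المرور")            # matches the Arabic failure page
    mangled = FailureRule("contains", "???? ??????????? ???")  # what a broken paste produces
    for name, (status, body) in SAMPLE_RESPONSES.items():
        print(name, classify(http_rule, status, body), classify(es_rule, status, body),
              classify(ar_rule, status, body), classify(mangled, status, body))
    print(check_rule(mangled, [SAMPLE_RESPONSES["form_rejected_ar"]]))
```

If the failure phrase contains characters that are special in a regular expression (for example “.” or “(”), wrap it with `re.escape()` before using it in `regex` mode, or use `contains` mode, which compares the text literally.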

  • Hi! I’m just having trouble getting the “Authentication Tester” to work correctly. The app I’m testing is web form based, so I set it that way. I input the correct URL, go to select user/password fields, and give the correct path to both user and password dictionaries. The tricky part for me is the configuration of the “Logon has failed if” and how to complete the next step.
    I know that, as it is web form based, the “HTTP status code” doesn’t apply, one option discarded. Then, I have 2 options left:
    a) Result contains.
    b) Result match regular expression.

    How exactly are they used?

    Using option ‘a’, with this custom phrase in Spanish that my app gives on a failed logon, “El nombre de usuario y la contraseña no coinciden”, it tries 2 accounts and the window about false positives appears, cancelling the process.

    Using option ‘b’, with this custom phrase in Spanish that my app gives on a failed logon, “El nombre de usuario y la contraseña no coinciden”, it shows some progress but doesn’t find any valid combination (but I’m positive there are a few valid combinations, as I tested them myself!).

    I hope I was able to explain myself and you could help me a little bit.

    By the way, is there any Acunetix official forum? I searched but I couldn’t reach any.

    Thanks!

    Fine.

    • Hi finerookie,

      It seems you are using the Acunetix Authentication Tester correctly, though I cannot tell you exactly what the issue might be unless we have access to the website ourselves and check out the configuration. In this case I would recommend that you contact our support at support@acunetix.com and they will assist you.

      As regards the forum, we do not have an Acunetix WVS official forum.

  • Hi,
    I have the same problem as finerookie does.
    The webpage that I’m trying to test is in Arabic, and when I try to write or copy/paste the error message into the “Logon has failed if” box all I see is this: “???? ??????????? ??? ”
    What can I do about that?

  • Finerookie’s issue sounds familiar. If the auth tester makes 2 attempts resulting in the same error, it stops, saying it cannot distinguish failed from succeeded attempts. Please add more detailed info on how to configure this correctly.
    Best regards to you.
