OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

ATHN-02 Testing for Default Credentials #564

Closed ThunderSon closed 3 years ago

ThunderSon commented 4 years ago

What's the issue? Overwritten test scenario, can be summarized and link to payload lists from other repos

How do we solve it? Chop down the content to the required and needed information, link to payload lists instead of enumerating all possible usernames and passwords, provide further guidance on how to test.

If no one is up to handle it, I can take care of it

ghost commented 3 years ago

I will take a pass at revising the writing for brevity and clarity.

ThunderSon commented 3 years ago

Lovely! Thanks for taking this on!

ThunderSon commented 3 years ago

Following on #650's discussion, and after reviewing the IDNT and ATHN scenarios, this should be merged into ATHN-04. It can be a section in enumerating users or credentials, tackling default accounts that were not removed.

Does this feel doable @efx ?

ghost commented 3 years ago

@ThunderSon 👋 would this be taking the content of ATHN-02 as of (bd0106c5fca40f0d32cc7c7430e22a65006a1af2) and adding it to the appropriate part of ATHN-04?

ThunderSon commented 3 years ago

Feel free to change the content however you see fit to be part of that scenario.

ghost commented 3 years ago

@ThunderSon thanks for the update. Due to other commitments and my lack of understanding I will not be finishing this. Can you remove me from being the assignee when you are free? Many thanks!

kingthorin commented 3 years ago

No problem, thanks for your help.

mariuskimmina commented 3 years ago

Hey,

I would be interested in giving this a shot. If possible, could one of you take a look at my work on https://github.com/OWASP/wstg/pull/714 and confirm that I am on the right path there? (If not, I would focus on getting that right first; if yes, I would like to take this issue.)

kingthorin commented 3 years ago

Hey @Mindslave, thanks for reaching out. We are still in a bit of a slow mode following the winter holidays. I'll try to have a look at your other PR in the next few days.

ThunderSon commented 3 years ago

@Mindslave would love to see your PR on merging these as well. Looking forward :)

mariuskimmina commented 3 years ago

So I have started to look into this, but I am not yet certain about the right place for this. You suggested ATHN-04 before but you linked to IDNT-04. I think IDNT-04 is what you really meant there, and while I agree that this probably belongs in the Identity Management section, it doesn't really feel right as part of "Testing for Account Enumeration and Guessable User Account", because this section really focuses on usernames and not passwords.
Maybe it should stay a section of its own but inside "Identity Management" rather than "Authentication Testing"?

ThunderSon commented 3 years ago

I believe I am more inclined to say I am talking about ATHN-04. You can't know about these users without testing them through, for example, forgot password functionality, registration, login, or even IDORs. I see what you mean. It's IDNT-04 vs AUTH-02. Apologies on that.

The identity management section is a bit tricky, I even consider most of the points as parts of other test families. Bypassing login for example is bypassing business logic, or mis-configuration based attacks for missing controls. That's a bigger discussion though.

@kingthorin What's your take on where this should reside? I really see this as simply having a list of known users and passwords and just spraying them, doesn't really need a lot of discussion to span across two tests. I'll widen my view a bit and try to refresh my point of view on this.

Edit: I believe my target is to make this as easily digestible as possible, without too much ranting and filling in pages. If this can be accomplished by still keeping it into two separate tests, I guess that can fly. I'd even recommend to actually transform the test to "Testing for User Enumeration", in IDNT-04, if we decide to keep them as two tests. Guessable accounts are just part of it, no need to be part of the title.
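
The "list of known users and passwords, just spray them" test described in the comment above, as an added example written for this thread (not WSTG content, not code from any of the commenters). The login endpoint is a constructed in-memory stand-in for an HTTP `POST /login`; in a real test you would wrap `requests.post()` and return the same `(status, body_or_location)` tuple. The credential pairs and account data are constructed, not a real vendor list, and the `LOGIN_PATH`, `SprayReport` and `classify` names are this example's own. The example keeps a per-account attempt budget so a sprayed default list does not trip lockout, and it separates confirmed logins from responses that merely differ from the baseline, since an application that leaks user existence on a failed login (the IDNT-04 flavour of the problem) produces a different failure response too.

```python
"""Default-credential spraying with a per-account attempt budget.

Added example for this issue thread; not part of WSTG. The login
function below is a constructed stand-in for a real HTTP login.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of vendor "default" pairs. A real test would pull
# from a maintained wordlist instead of enumerating pairs inline.
DEFAULT_PAIRS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "toor"),
    ("root", "password"),
    ("root", "123456"),     # 4th root attempt: skipped by the budget below
    ("guest", "guest"),
    ("support", "support"),
]

LOGIN_PATH = "/login"  # hypothetical; a redirect back here is not a success


def fake_app_login(username, password):
    """Constructed stand-in for POST /login; returns (status, body_or_location).

    The 'support' account deliberately leaks user existence through a
    distinct failure message, to show why a bare baseline diff is not
    proof of a valid login.
    """
    accounts = {"admin": "admin", "support": "P@ssw0rd!"}  # constructed data
    if username in accounts and accounts[username] == password:
        return 302, "/dashboard"
    if username == "support":
        return 200, "Wrong password for this account"
    return 200, "Invalid username or password"


@dataclass
class SprayReport:
    valid: list = field(default_factory=list)       # confirmed logins
    candidates: list = field(default_factory=list)  # differ from baseline, unconfirmed
    skipped: list = field(default_factory=list)     # not tried: budget spent or user already valid
    attempts: int = 0


def classify(response, baseline):
    """Only a redirect away from the login page counts as a confirmed login.

    Any other deviation from the nonexistent-user baseline is reported as a
    candidate for manual verification (session cookie, authenticated page).
    """
    status, payload = response
    if status in (301, 302, 303) and payload != LOGIN_PATH:
        return "valid"
    if response != baseline:
        return "candidate"
    return "fail"


def spray(login, pairs, max_per_user=3):
    """Try each (user, password) pair, at most max_per_user times per account.

    The baseline is taken once with a username that should not exist, so it
    does not consume any real account's lockout budget.
    """
    baseline = login("wstg-nonexistent-user", "wstg-not-a-password")
    report = SprayReport()
    per_user = Counter()
    done = set()
    for user, pw in pairs:
        if user in done or per_user[user] >= max_per_user:
            report.skipped.append((user, pw))
            continue
        per_user[user] += 1
        report.attempts += 1
        verdict = classify(login(user, pw), baseline)
        if verdict == "valid":
            report.valid.append((user, pw))
            done.add(user)  # stop hammering an account we already own
        elif verdict == "candidate":
            report.candidates.append((user, pw))
    return report


if __name__ == "__main__":
    r = spray(fake_app_login, DEFAULT_PAIRS)
    print("valid:", r.valid)
    print("candidates (verify manually):", r.candidates)
    print("skipped:", r.skipped, "attempts:", r.attempts)
```

Run against the constructed app, `admin/admin` is reported as a confirmed login, `support/support` lands in `candidates` because its failure message differs from the baseline without being a redirect, and the fourth `root` guess is skipped by the per-account budget. The budget value itself is an assumption: pick it below the target's observed or documented lockout threshold, and spread attempts over time where the policy is time-based.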

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

mariuskimmina commented 3 years ago

Hi, until early July I really can't make this a priority; if anyone else wants to do it before then, please feel free. If no one wants to do it, I'm hopefully coming back to this in early July.

kingthorin commented 3 years ago

No problem, thanks for letting us know. 👍