🚩
Cyber Explained
  • WHOAMI
  • Technologies
    • Docker
      • Setup Docker
      • Terminology
      • Docker Hub
      • Docker Images
      • Docker Containers
      • Working with Containers
      • Virtualization vs Containerization
      • Nutshell
      • Troubleshoot
    • Android Application
      • Application File Structure
      • Layout and Resources for UI
      • Activities
      • Intents
      • Activity lifecycle and state
      • Implicit intents
    • Active Directory
      • Attacking Active Directory: 0 to 0.9
      • Resources
    • Kerberos
  • RED TEAMING
    • Attacking Kerberos
      • User Enum and Brute Force
      • AS-REP Roasting
      • Kerberoasting
    • MITRE ATT&CK
    • Resources
  • PenTesting
    • Android Pentesting
      • Re-Build App
      • Using Frida on Android without root
    • Web Pentesting
      • XSS
      • SQLi
      • Authentication Vulnerabilities
      • Session Security
      • CSRF
      • Path Traversal
      • File Inclusion
      • Business Logic Vulnerabilities
      • HTTP Host header attacks
      • SSRF
      • HTTP Request Smuggling
      • OS command injection
      • Access control vulnerabilities
    • OWASP Testing Guide
      • 1.0 Information Gathering
      • 2.0 Configuration and Deployment Management Testing
      • 3.0 Identity Management Testing
      • 4.0 Authentication Testing
      • 5.0 Authorization Testing
      • 6.0 Session Management Testing
      • 7.0 Input Validation Testing
      • 8.0 Testing for Error Handling
      • 9.0 Testing for Weak Cryptography
      • 10.0 Business Logic Testing
      • 11.0 Client-side Testing
      • 12.0 API Testing
  • Programming
    • Python
      • Hello World !
        • Variables and Data Types
        • Lists, Tuple, Sets and Dictionaries
        • If Statement
        • While Loops
        • For Loops
        • Functions
        • Classes and Objects
        • Creating Modules
        • Creating Packages
        • Exception Handling
      • System Pogramming
        • File Handling
        • OS Interaction with OS Library
        • Multithreading
        • Signals
        • Subprocess
        • Code Examples
      • Network Programming
        • Socket Programming
        • Packet Injection with Raw Sockets
        • SocketServer Framework
        • Packet Sniffing with Scapy
        • Creating a Web Server
        • Packet Injection with Scapy
        • Packet Sniffing with Raw Sockets
        • Programming with Scapy
  • Operating Systems
    • Windows*
    • Linux
      • System Structure
      • VI Text Editor
      • Working with the Linux Shell
      • Managing Users and Groups
      • Managing Files and Directories
  • Networks
    • Page 1
Powered by GitBook
On this page
  1. PenTesting
  2. OWASP Testing Guide

3.0 Identity Management Testing

Previous2.0 Configuration and Deployment Management TestingNext4.0 Authentication Testing

Last updated 3 years ago

  • 3.1 Test Role Definitions

    • Roles Identification

      The tester should start by identifying the application roles being tested through any of the following methods:

      • Application documentation.

      • Guidance by the developers or administrators of the application.

      • Application comments.

      • Fuzz possible roles:

        • cookie variable (e.g. role=admin, isAdmin=True)

        • account variable (e.g. Role: manager)

        • hidden directories or files (e.g. /admin, /mod, /backups)

        • switching to well known users (e.g. admin, backups, etc.)

    • Switching to Available Roles

      After identifying possible attack vectors, the tester needs to test and validate that they can access the available roles.

      Some applications define the roles of the user on creation, through rigorous checks and policies, or by ensuring that the user’s role is properly protected through a signature created by the backend. Finding that roles exist doesn’t mean that they’re a vulnerability.

    • Review Roles Permissions

      After gaining access to the roles on the system, the tester must understand the permissions provided to each role.

      A support engineer shouldn’t be able to conduct administrative functionalities, manage the backups, or conduct any transactions in the place of a user.

      An administrator shouldn’t have full powers on the system. Sensitive admin functionality should leverage a maker-checker principle, or use MFA to ensure that the administrator is conducting the transaction. A clear example on this was the .

  • 3.2 Test User Registration Process

    Verify that the identity requirements for user registration are aligned with business and security requirements:

    1. Can anyone register for access?

    2. Are registrations vetted by a human prior to provisioning, or are they automatically granted if the criteria are met?

    3. Can the same person or identity register multiple times?

    4. Can users register for different roles or permissions?

    5. What proof of identity is required for a registration to be successful?

    6. Are registered identities verified?

    Validate the registration process:

    1. Can identity information be easily forged or faked?

    2. Can the exchange of identity information be manipulated during registration?

  • 3.3 Test Account Provisioning Process

    Determine which roles are able to provision users and what sort of accounts they can provision.

    • Is there any verification, vetting and authorization of provisioning requests?

    • Is there any verification, vetting and authorization of de-provisioning requests?

    • Can an administrator provision other administrators or just users?

    • Can an administrator or other user provision accounts with privileges greater than their own?

    • Can an administrator or user de-provision themselves?

    • How are the files or resources owned by the de-provisioned user managed? Are they deleted? Is access transferred?

  • 3.4 Testing for Account Enumeration and Guessable User Account

    • HTTP Response Message (different responses)

      • Testing for Valid Credentials

      • Testing for Valid User with Wrong Password

      • Testing for a Nonexistent Username

    • Other Ways to Enumerate Users

      • Analyzing the Error Code Received on Login Pages

      • Analyzing URLs and URLs Re-directions

        http://www.foo.com/err.jsp?User=baduser&Error=0

        http://www.foo.com/err.jsp?User=gooduser&Error=2

      • URI Probing

        403 Forbidden error code 404 Not found error code

      • Analyzing Web Page Titles

        Invalid user

        Invalid authentication

      • Analyzing a Message Received from a Recovery Facility

        Invalid username: email address is not valid or the specified user was not found.

        Valid username: Your password has been successfully sent to the email address you registered with.

      • Friendly 404 Error Message

      • Analyzing Response Times

      • Guessing Users

  • 3.5 Testing for Weak or Unenforced Username Policy

    • Determine the structure of account names.

    • Evaluate the application’s response to valid and invalid account names.

    • Use different responses to valid and invalid account names to enumerate valid account names.

    • Use account name dictionaries to enumerate valid account names.

Twitter incident in 2020