
Approach towards testing a login page, reset password/verify email

  • Nov 18, 2024
  • 1 min read

The following test cases can be applied to the login page:

  • Brute-force the login with a Burp Intruder Cluster bomb attack (one payload set for the username, one for the password). Compare status codes, response lengths and response times to pick out valid pairs, and note whether the account locks or the requests are throttled.

  • Try known or default credentials, e.g. username admin with passwords admin, password, admin@123, p@ssw0rd and similar.

  • Use response manipulation: intercept the server response and change the status code (403 to 200, or 403 to 301), the response body, or response parameters such as success:false to success:true. If the client then grants access, the authentication decision is being made client-side.

  • Use forced browsing: request URLs that should only be reachable after authentication (/dashboard, /profile etc.) directly, without a session.

  • Use SQL injection in the username or password field to bypass authentication (classic payloads such as admin'-- or ' OR '1'='1'--).
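The SQL injection bypass above, shown as an added example (not code from the original post): a constructed SQLite user table, a login function that builds the query by string formatting, and the parameterised version of the same query. The user names, passwords and payloads are made up for the demo; a real application would of course store password hashes rather than plaintext.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demo (not a real application)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret!x')")
    db.execute("INSERT INTO users VALUES ('bob', 'hunter2')")
    return db

def login_vulnerable(db, username, password):
    """String-built query: a quote in the input changes the SQL itself."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Parameterised query: the input is data, it can never alter the statement."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Hypothetical payloads typed into the username field; password is irrelevant.
BYPASS_PAYLOADS = [
    ("admin'--", "anything"),         # comments out the password check
    ("' OR '1'='1'--", "anything"),   # always-true predicate, first row is returned
    ("admin' OR 1=1--", "anything"),
]

def run_bypass_checks():
    """Returns (payload, vulnerable result, safe result) for each payload."""
    db = make_db()
    return [(user, login_vulnerable(db, user, pw), login_safe(db, user, pw))
            for user, pw in BYPASS_PAYLOADS]

if __name__ == "__main__":
    for payload, vuln, safe in run_bypass_checks():
        print("%-20s vulnerable -> %-6s safe -> %s" % (payload, vuln, safe))
```

Every payload logs the vulnerable function in as admin while the parameterised function rejects all of them; the only thing that changes between the two is how the user input reaches the query.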

The following test cases can be applied to the password reset and verify email flows:

  • Check whether the password reset endpoint is rate limited (per account and per source IP). Without a limit, the endpoint can be used to flood the victim's mailbox and to brute-force short tokens.

  • Check whether the password reset link is predictable: sequential or timestamp-based tokens, tokens derived from the username or e-mail address, or tokens that are simply too short.

  • Use Burp Intruder with a high thread count to send many password reset requests for the same account at once, then check how many links are issued and whether an earlier link still works after a newer one has been generated.

  • Change the username or e-mail parameter in the password reset / verify email request to the victim's value and observe whether the reset is triggered for the victim's account and where the link is delivered.

  • Replace the password reset / verify email link sent to the victim with one generated for the attacker's account (token swap) and check whether the token is bound to the account it was issued for.
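The reset-flow checks above, turned into an added example that is not part of the original post: a small predictability check for captured reset tokens, and a constructed reset service that does what a correct implementation should, namely per-account rate limiting, random tokens stored hashed, a single live token per account, binding of the token to the account it was issued for, single use and expiry. All e-mail addresses, limits and the hex counter tokens are hypothetical.

```python
import hashlib
import math
import secrets
import time
from collections import Counter

def token_predictability(tokens):
    """Rough predictability check on tokens captured from repeated reset requests.
    Estimated bits = min length * log2(alphabet size); also flags duplicates and
    small numeric deltas, which reveal counter- or timestamp-derived hex tokens."""
    alphabet = set("".join(tokens))
    bits = min(len(t) for t in tokens) * math.log2(max(len(alphabet), 2))
    duplicates = [t for t, c in Counter(tokens).items() if c > 1]
    sequential = False
    try:
        nums = [int(t, 16) for t in tokens]
        deltas = [abs(b - a) for a, b in zip(nums, nums[1:])]
        sequential = bool(deltas) and max(deltas) < 10_000
    except ValueError:
        pass  # not hex, skip the counter heuristic
    return {"bits": round(bits), "duplicates": duplicates, "sequential": sequential}

class ResetService:
    """Minimal reset flow that passes the checklist (hypothetical limits)."""
    WINDOW = 3600        # rate-limit window in seconds
    MAX_PER_WINDOW = 3   # reset requests allowed per account per window
    TTL = 900            # token lifetime in seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}    # sha256(token) -> (bound e-mail, expiry)
        self.live = {}      # e-mail -> hash of the one currently valid token
        self.requests = {}  # e-mail -> timestamps of recent requests

    def request_reset(self, email):
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < self.WINDOW]
        if len(recent) >= self.MAX_PER_WINDOW:
            raise PermissionError("rate limited")
        self.requests[email] = recent + [now]
        token = secrets.token_urlsafe(32)              # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        old = self.live.get(email)
        if old is not None:
            self.tokens.pop(old, None)                 # previous link is dead
        self.tokens[digest] = (email, now + self.TTL)
        self.live[email] = digest
        return token   # in a real system this is only ever mailed to `email`

    def consume_token(self, email, token):
        """True only if `token` was issued for `email`, is unexpired and unused;
        the caller then sets the new password for exactly that account."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.get(digest)
        if entry is None:
            return False
        bound_email, expiry = entry
        if bound_email != email or self.clock() > expiry:
            return False
        self.tokens.pop(digest)
        self.live.pop(email, None)
        return True

# Constructed samples: hex counter tokens versus random ones.
WEAK_TOKENS = ["%08x" % n for n in range(4096, 4102)]
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(6)]

if __name__ == "__main__":
    print("weak  :", token_predictability(WEAK_TOKENS))
    print("strong:", token_predictability(STRONG_TOKENS))
    svc = ResetService()
    attacker_link = svc.request_reset("attacker@example.com")
    print("attacker token accepted for victim:",
          svc.consume_token("victim@example.com", attacker_link))
```

The swap test from the last bullet is the `consume_token("victim@example.com", attacker_link)` call: a token generated for the attacker must be rejected for any other account. The burst test from the third bullet is covered by `request_reset` dropping the previous token, and the rate-limit check by the `PermissionError` after `MAX_PER_WINDOW` requests.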
