How do you attack a login page?
- Nov 18, 2024
- 2 min read
Test Cases:
Here are the ways in which we can attack a login page:
Source Code and Wappalyzer - By reviewing the page source, or using a tool such as Wappalyzer, it may be possible to identify the Content Management System (CMS) or the technology stack. Any version disclosed in the source code or by Wappalyzer could point us to publicly available exploits. The source code may also contain sensitive information, such as credentials left behind by a developer.
Clickjacking - We can create a spoof of the page and trick a user into entering their credentials. The victim believes they are on the genuine website, but they are actually entering their credentials into the spoofed one.
Default Credentials - Once a service has been identified, we can also try default credentials, for example those of service accounts on router logins, ERP admin dashboards, CMS dashboards, embedded web services (EWS), etc.
SQL Injection - Due to improper input sanitization, malicious SQL supplied through the login fields may be executed by the database, giving us access to sensitive information.
Brute Force Attack - In this case, after guessing a username or email address, we can brute force, i.e. try lists of usernames and passwords by trial and error. Correct credentials produce a different response body and response length, which is how we identify them.
Response Manipulation - In this case, we observe the response to the login request. If the parameters in the response are guessable, we can alter the login response and manipulate those parameters to gain access to the account.
Captcha Bypass - Where a Captcha is present, we capture the login request, alter the captcha parameters in the request and observe the response. If the login succeeds after the captcha parameters have been manipulated, the Captcha can be bypassed.
2FA Bypass - Where 2FA is present, we want to bypass the OTP or PIN page. We observe the request and response of a login with 2FA; if the response parameters are guessable, we can manipulate the response to see whether the check can be bypassed. If the response parameters are not guessable, we can brute force the OTPs or the PIN. The correct code results in a different response body and response length.
Long Password DoS Attack - In this case, we enter a password of more than 10000 characters. If the response time of the web application grows as we increase the password length, then it is vulnerable.
Forced Browsing - This technique is used to access unauthorized parts of a website by manipulating the URL. The vulnerability is mostly associated with directory listings or files, but it also applies to login pages.
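Several of the test cases above (brute force detected through differing response bodies, response manipulation, Captcha bypass, OTP brute force, long password DoS and clickjacking) come down to the same root cause on the server side: the login handler either leaks which step failed, trusts a client-supplied field, or does expensive work before cheap checks. The following login handler is an added example written for this post, not code from the original author. It uses only the Python standard library; `demo_verify_captcha` and `demo_verify_otp` are stand-ins for a CAPTCHA provider call and a TOTP library, the user record for `alice` is constructed sample data, and the tunables (`MAX_PASSWORD_LEN`, `MAX_FAILURES`, `LOCKOUT_SECONDS`) are illustrative values.

```python
import hashlib
import hmac
import os
import secrets
import time

# Tunables chosen for this example; production values depend on the deployment.
MAX_PASSWORD_LEN = 128       # rejected before hashing, so oversized input costs nothing
MAX_FAILURES = 5             # per-account budget shared by password and OTP failures
LOCKOUT_SECONDS = 300        # temporary lock once the budget is spent
PBKDF2_ITERATIONS = 100_000  # stand-in for a bcrypt/argon2 work factor

# One generic failure for every reason, so body and length never distinguish
# "no such user", "wrong password" and "wrong code".
GENERIC_FAIL = (401, "Invalid username, password or verification code.")
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",                            # clickjacking, older browsers
    "Content-Security-Policy": "frame-ancestors 'none'",  # clickjacking, modern browsers
    "Cache-Control": "no-store",
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, otp_secret: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "otp_secret": otp_secret,
            "failures": 0, "locked_until": 0.0}


# Constructed in-memory user store; every value here is sample data for the example.
USERS = {"alice": make_user("correct horse battery staple", "EXAMPLE-OTP-SECRET")}
# Unknown usernames are checked against this record so the hashing cost is paid either way.
_DUMMY_USER = make_user(secrets.token_hex(16), "")


def demo_verify_captcha(token) -> bool:
    """Stand-in (assumption) for a server-to-server call to the CAPTCHA provider."""
    return token == "captcha-ok"


def demo_verify_otp(secret: str, code) -> bool:
    """Stand-in (assumption) for a TOTP library check such as pyotp's verify()."""
    return secret == "EXAMPLE-OTP-SECRET" and code == "123456"


def login(username, password, captcha_token, otp, now=None,
          verify_captcha=demo_verify_captcha, verify_otp=demo_verify_otp):
    """Return ((status, body), headers). Every decision is made server-side from
    stored state; nothing the client puts in the request or reads from the
    response can flip the outcome."""
    now = time.time() if now is None else now
    headers = dict(SECURITY_HEADERS)

    # 1. Cheap rejections before any key derivation: oversized password, failed CAPTCHA.
    if not isinstance(password, str) or len(password) > MAX_PASSWORD_LEN:
        return GENERIC_FAIL, headers
    if not verify_captcha(captcha_token):
        return GENERIC_FAIL, headers

    user = USERS.get(username)
    record = user if user is not None else _DUMMY_USER
    # 2. A locked account gets the same generic answer until the lock expires.
    if record["locked_until"] > now:
        return GENERIC_FAIL, headers

    # 3. Constant-time comparison of the derived hash against the stored hash.
    password_ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    # 4. The OTP is verified here, never from a client-supplied "otp_verified" field,
    #    and a wrong code spends the same failure budget as a wrong password.
    otp_ok = password_ok and verify_otp(record["otp_secret"], otp)

    if user is None or not otp_ok:
        if user is not None:
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["failures"] = 0
                user["locked_until"] = now + LOCKOUT_SECONDS
        return GENERIC_FAIL, headers

    user["failures"] = 0
    # 5. Success: the session token is minted server-side and appears only here,
    #    so a failure response carries nothing that can be edited into a success.
    return (200, {"session": secrets.token_urlsafe(32)}), headers


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple", "captcha-ok", "123456")[0][0])  # 200
    print(login("alice", "wrong", "captcha-ok", "123456")[0][0])                        # 401
```

The per-account lock is the simplest way to bound password and OTP guessing, but it lets anyone who knows a username lock that user out; many deployments prefer throttling (per account and per source) that slows attempts rather than blocking them outright. The `_DUMMY_USER` hash keeps the cost of a failed lookup equal to that of a wrong password, so response time, like response body and length, does not reveal whether the username exists.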