V2 - Authentication
Password Cracking for Common/Weak Passwords when Password Policy is Weak
POC
- If there is no rate-limiting in place for login pages, send the login request to Burp Intruder
- For an existing username, put common password wordlists for password input area
- Observe if any weak/common credential work for the existing user’s password
Impact
High
Likelihood
Medium (if password policy is complex)