testing weak lock out mechanism


fariba.h...@gmail.com
Mar 6, 2019, 3:17:32 AM
to OWASP ZAP User Group
Hello,
I want to test for a weak lock out mechanism.
Which tools are there for testing that?

Simon Bennetts
Mar 6, 2019, 4:07:58 AM
to OWASP ZAP User Group
The break tool, maybe the manual request editor and fuzzer? But mostly your brain :)
Basically this is something that can't really be automated - you need to test for this manually using the above manual tools.
Understand how the lock out mechanism really works and then think about how that could be abused.

hauschu...@gmail.com
Mar 6, 2019, 4:11:37 AM
to OWASP ZAP User Group
In what context is this authentication (and lock out mechanism) taking place?

If it is a web application (like logging in to Amazon, etc.), then ZAP is a great tool!

But if you are talking about a lock-out mechanism in place for a personal computer, a Windows AD group, a phone with Face ID etc., you'll need something tailored to those scenarios.

Either way, this is still a good place to start because the underlying strategy/method has a lot in common even if the tools/technology is different:

fariba hosseini25
Mar 6, 2019, 4:59:03 AM
to zaprox...@googlegroups.com
It is a web application; how do I test it with the ZAP tool?
Please help me step by step.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/a45b3f2b-0c21-49b8-9045-3be5ffe81ac4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Simon Bennetts
Mar 6, 2019, 5:05:37 AM
to OWASP ZAP User Group
That's not what we're here for, I'm afraid.
This is your journey, and you're going to need to put some work in.
We can help with specifics, but it doesn't sound like you're ready for them yet.

Read the OWASP Testing Guide link we both included; that's the best place for you to start.


fariba hosseini25
Mar 6, 2019, 6:26:28 AM
to zaprox...@googlegroups.com
I can test the web application, but sometimes I run into problems.
On the website the tools are not introduced for this test.

Simon Bennetts
Mar 6, 2019, 6:28:33 AM
to OWASP ZAP User Group
You're going to have to give us a lot more details about these problems if you'd like us to help you with them.
We are not telepathic :P

hauschu...@gmail.com
Mar 6, 2019, 6:31:09 AM
to OWASP ZAP User Group
That's true, there are always some problems!

But Simon is saying the main tool to handle this problem is our own brain, and if you read the link we included and understand what it is trying to do, then you can use any tool you have to perform the test... even by clicking around with a simple web browser!

Why are you testing for Weak Lock Out? Where are your requirements coming from? What is your workflow?
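Simon's list of tools (break tool, manual request editor, fuzzer, mostly your brain) and the point above that any tool will do once you understand what the test is trying to establish, as an added example that is not part of the thread and not ZAP's own code. The probe below asks the three questions a tester puts to a lockout mechanism: after how many failed attempts does it engage, does it actually reject the correct password once engaged, and does it lift again afterwards. `SimulatedApp` is a constructed stand-in for the application's login handler so the script runs offline; the usernames, passwords, form field names, the proxy address (ZAP's default listener) and the `classify` rule in `make_http_login` are all assumptions to be replaced for a real target.

```python
"""Probe a login endpoint for a weak account-lockout policy (added example, not
code from the thread or from ZAP). SimulatedApp is a constructed stand-in for a
web application's login handler so the probe runs offline; make_http_login is the
adapter shape for a live target (field names, proxy address, classify rule assumed)."""
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A login callable takes (username, password) and returns "ok", "denied" or "locked".
LoginFn = Callable[[str, str], str]

@dataclass
class LockoutReport:
    locked_on_attempt: Optional[int] = None  # attempt on which "locked" first appeared
    blocks_valid_password: bool = False      # lock really rejects the correct password
    unlocked_after_wait: bool = False        # lock lifted once wait() returned
    notes: List[str] = field(default_factory=list)

def probe_lockout(login: LoginFn, user: str, good_pw: str, max_attempts: int = 20,
                  wait: Callable[[], None] = lambda: None) -> LockoutReport:
    """Send wrong passwords until the account locks (or max_attempts is hit), then
    check that the lock rejects the correct password and whether it lifts after
    wait() (e.g. lambda: time.sleep(900) against a live application)."""
    report = LockoutReport()
    for n in range(1, max_attempts + 1):
        if login(user, f"wrong-{n}") == "locked":  # constructed wrong password
            report.locked_on_attempt = n
            break
    if report.locked_on_attempt is None:
        report.notes.append(f"no lockout after {max_attempts} failed attempts")
        return report
    report.blocks_valid_password = login(user, good_pw) == "locked"
    if not report.blocks_valid_password:
        report.notes.append("lock is cosmetic: the correct password still works while locked")
    wait()
    report.unlocked_after_wait = login(user, good_pw) == "ok"
    return report

class SimulatedApp:
    """Constructed login handler: locks a username for lock_seconds after
    `threshold` consecutive failures; threshold=None means no lockout at all."""

    def __init__(self, password: str, threshold: Optional[int], lock_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.password, self.threshold = password, threshold
        self.lock_seconds, self.clock = lock_seconds, clock
        self.state = {}  # user -> (consecutive failures, locked_until)

    def login(self, user: str, pw: str) -> str:
        failures, locked_until = self.state.get(user, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "locked"
        if pw == self.password:
            self.state[user] = (0, 0.0)  # success resets the counter
            return "ok"
        failures += 1
        if self.threshold is not None and failures >= self.threshold:
            self.state[user] = (0, now + self.lock_seconds)
            return "locked"
        self.state[user] = (failures, 0.0)
        return "denied"

def make_http_login(url: str, classify: Callable[[int, str], str],
                    proxy: Optional[str] = "http://127.0.0.1:8080") -> LoginFn:
    """Adapter for a live application (not exercised offline): POSTs the form through a
    proxy, assumed to be ZAP's default listener, so every attempt is visible in ZAP."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)

    def login(user: str, pw: str) -> str:
        body = urllib.parse.urlencode({"username": user, "password": pw}).encode()
        try:
            with opener.open(url, data=body, timeout=10) as resp:
                return classify(resp.status, resp.read().decode(errors="replace"))
        except urllib.error.HTTPError as err:  # 401/403/429 responses still carry a body
            return classify(err.code, err.read().decode(errors="replace"))
    return login

def run_demo() -> dict:
    """Probe two constructed policies: no lockout, and a 15-minute lock after 5 failures."""
    now = [1000.0]  # constructed clock; advanced instead of sleeping through the window

    def skip_window() -> None:
        now[0] += 901

    strict = SimulatedApp("s3cret", 5, 900, clock=lambda: now[0])
    return {
        "no_lockout": probe_lockout(SimulatedApp("s3cret", None, 0).login, "alice", "s3cret"),
        "lock_after_5": probe_lockout(strict.login, "alice", "s3cret", wait=skip_window),
    }

if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(name, rep)
```

Against a real application, build the callable with `make_http_login` and a `classify` function that maps the application's own responses (status code, redirect, error text) to the three outcomes; routing it through ZAP means every attempt lands in ZAP's history, where the break tool and request editor can then be used to vary the requests by hand. The probe only reports what it observed; deciding whether a threshold of 5, a 15-minute window, or no lockout at all is acceptable is still the tester's judgement.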

hauschu...@gmail.com
Mar 6, 2019, 6:32:21 AM
to OWASP ZAP User Group
This is basically as good as it gets!
[attachment: Untitled.jpg]

fariba hosseini25
Mar 6, 2019, 6:33:22 AM
to zaprox...@googlegroups.com
OK, thanks.

fariba hosseini25
Mar 6, 2019, 6:42:09 AM
to zaprox...@googlegroups.com
I am an IT engineer and my manager wants to test his web application.
OK, thank you for your guidance.


Simon Bennetts
Mar 6, 2019, 7:04:03 AM
to OWASP ZAP User Group
Make sure that your manager understands that security testing is non-trivial and that you are just starting on your journey :)
But we all had to start somewhere - good luck!