
The purpose of this challenge is to demonstrate password guessing attacks, which are made possible by MITRE Top 25 programming flaws such as:


The developers of the application created an administration account to manage the application's different configurations. For convenience, the password was hard-coded in the JSP file. The admin user's password also happens to be an insecure one: one of the top 10 most insecure passwords.







    The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

From MITRE CWE307 - Improper Restriction of Excessive Authentication Attempts


The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.


  If the application does not implement a proper blocking mechanism to stop a hacker from guessing a user's password an unlimited number of times, the user's account credentials can be cracked. At the same time, users should not use the most common simple passwords. Below are the top 10 most commonly guessed passwords:


  1. Go to the page: https://abc.xxx.elasticbeanstalk.com/cwe307
  2. Guess the password using the top 10 most commonly cracked passwords until one succeeds. (iloveyou)
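As an added illustration of how the two flaws above are fixed (this is not code from the challenge application): the admin secret is supplied at startup instead of being hard-coded, it is stored only as a salted PBKDF2 hash, and failed logins are counted per account so that repeated guesses lock the account for a cooldown period. The constant values, the `LoginThrottle` class and the admin passphrase used in `demo()` are assumptions made up for this example.

```python
"""Mitigations for CWE-307 (no attempt limiting) and CWE-798 (hard-coded password)."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed attempts tolerated inside WINDOW_SECONDS (assumed value)
WINDOW_SECONDS = 300    # sliding window over which failures are counted (assumed value)
LOCKOUT_SECONDS = 900   # cooldown once the limit is hit (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the source and the store never hold the plaintext password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    def __init__(self, admin_password: str, clock=time.monotonic):
        # The secret arrives from configuration (e.g. os.environ["ADMIN_PASSWORD"])
        # rather than a string literal in a JSP file; only its hash is kept.
        self._salt = os.urandom(16)
        self._admin_hash = hash_password(admin_password, self._salt)
        self._clock = clock               # injectable so tests can advance time
        self._failures = {}               # user -> timestamps of recent failures
        self._locked_until = {}           # user -> time the lockout expires

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account is never checked."""
        now = self._clock()
        if self.is_locked(user):
            return "locked"
        if user == "admin":               # the only account in this toy
            candidate = hash_password(password, self._salt)
            if hmac.compare_digest(candidate, self._admin_hash):
                self._failures.pop(user, None)
                return "ok"
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= MAX_FAILURES:   # too many misses: lock and stop counting
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures.pop(user, None)
            return "locked"
        return "denied"


def demo(guesses=("123456", "password", "iloveyou", "qwerty", "abc123")):
    # Constructed scenario: a top-10 style guess list against a non-trivial admin passphrase
    svc = LoginThrottle(os.environ.get("ADMIN_PASSWORD", "Constructed-Str0ng-Passphrase!"))
    return [svc.login("admin", g) for g in guesses]
```

With the defaults, `demo()` returns four `denied` results followed by `locked`; the fifth guess trips the limit even if it had been correct.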







    Posted by jackterrylau on PIXNET