
Weak Password Authentication Vulnerability Report

1. Overview

This report documents a Weak Password Authentication vulnerability identified during security testing of DVWA.

Testing Type: Manual Penetration Testing
Environment: Local Lab
Security Level Tested: Low


2. Vulnerability Details

  • Vulnerability Name: Weak Password Authentication
  • Category: OWASP Top 10 – Identification and Authentication Failures
  • Severity: High
  • Exploitable: Yes

3. Description

The application allows users to authenticate using very weak passwords without enforcing any password complexity requirements.

There is no minimum length, no character complexity requirement, and no validation against common or weak passwords.

This significantly increases the risk of unauthorized access.


4. Impact Analysis

If deployed in a real-world production environment, this vulnerability could lead to:

  • Unauthorized access to user accounts
  • Increased risk of brute-force attacks
  • Credential stuffing attacks
  • Compromise of sensitive application data
  • Privilege escalation if admin credentials are weak

This demonstrates the absence of basic authentication security controls.


5. Proof of Concept (PoC)

Steps to Reproduce:

  1. Open DVWA in browser.
  2. Login using default credentials:
    • Username: admin
    • Password: password
  3. Navigate to "DVWA Security".
  4. Set Security Level to Low.
  5. Logout from the application.
  6. Attempt login using weak credentials:
    • Username: admin
    • Password: 12345
  7. Login is successful.

Observed Result:

The application successfully authenticates using a weak and commonly used password.

[Screenshot: Weak Password PoC]


6. Root Cause

  • No password complexity enforcement
  • No minimum password length requirement
  • No password strength validation
  • No monitoring for weak credentials

7. Risk Classification

Severity Level: High

Reason: Weak passwords significantly increase the probability of successful brute-force and credential-based attacks.


8. Remediation & Prevention

To mitigate this vulnerability:

  • Enforce strong password policies
  • Require minimum length (at least 8–12 characters)
  • Enforce complexity (uppercase, lowercase, numbers, special characters)
  • Implement account lockout after multiple failed attempts
  • Enable Multi-Factor Authentication (MFA)
  • Educate users on secure password practices
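The policy checks and lockout control listed above, worked through as an added example in Python (this is not code from the report or from DVWA; the denylist entries, the 12-character minimum and the 5-attempts/15-minute lockout threshold are constructed assumptions):

```python
import re
from collections import defaultdict

# Constructed denylist for illustration; a real deployment loads a large
# breached-password list (tens of thousands of entries or more).
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "admin", "letmein"}
MIN_LENGTH = 12  # assumed policy value, within the report's 8-12 recommendation

def password_policy_violations(password: str, username: str = "") -> list:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems

class LockoutTracker:
    """Counts failed logins per account and locks the account after a threshold."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)   # username -> consecutive failures
        self._locked_until = {}             # username -> unlock timestamp

    def is_locked(self, username: str, now: float) -> bool:
        return self._locked_until.get(username, 0) > now

    def record_failure(self, username: str, now: float) -> bool:
        """Record one failed attempt; return True once the account is locked."""
        self._failures[username] += 1
        if self._failures[username] >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
            return True
        return False

    def record_success(self, username: str) -> None:
        self._failures[username] = 0  # a successful login resets the counter
```

The `now` parameter is passed explicitly so the lockout logic is deterministic and testable; a real login handler would pass the current time.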

9. Conclusion

The authentication mechanism lacks fundamental security controls related to password strength enforcement.

Proper implementation of password policies and monitoring mechanisms is critical to prevent unauthorized access.


End of Report