Auth basics and exercise on username enumeration via different responses

Burp Suite / PortSwigger Academy Learnings

Kahhow
3 min read · Apr 4, 2024

[Figure: brute-forcing passwords in Burp Suite for a given list of usernames]

Types of Auth

  1. Knowledge factor — something you know, such as a password or username; probably the easiest to simulate and the weakest
  2. Possession factor — something you have, such as a mobile phone or a hardware token; this is what we usually see as the "second factor" in two-factor authentication (2FA)
  3. Inherence factor — something you are; personally I find this the most convenient of them all: biometrics, patterns or behaviour. Face ID and Touch ID are probably the most common examples

Authentication vs Authorization

This was a week that involved a lot of thought about role-based access control (RBAC). In education and healthcare there are plenty of examples of over-specified user roles and controls, and it is common for non-technically trained project managers to imagine that every position that currently exists should have a corresponding digital access control.

While the mapping is familiar and 'intuitive', it typically makes for overly cluttered and complicated access controls in software.

For instance, intern vs teacher vs trainee teacher vs head of department vs assistant head of department — while semantically, yes, they do different things, they do not…
