Web application security - the fast guide 1.1 | Page 117

Chapter 6 - Attack execution (2)

Figure 46: comparing requests with Burp

E. Use an automation tool (Burp Intruder, for example) to iteratively try different user names and passwords.
F. Monitor the results and collect the credentials of every account that was broken.
G. Different error messages are a very good pointer to whether you guessed only the user name wrong or both credentials: if the message changes when the user name is valid, you can first enumerate the accounts and then guess passwords only for those.

6.4 Password management exploit

In many situations developers concentrate on the main login page and do not give the same protection to the password management pages that serve already-authenticated users, so the mistakes covered for the main login page reappear in the change password, forgotten password and remember me functions. Typical mistakes are allowing an unlimited number of failed attempts, returning a different message depending on whether the supplied password was bad or valid, and, in the change password function, verifying the existing password before checking that the new password matches its confirmation. The last one turns the change password form into an oracle: an attacker who submits a mismatching new/confirm pair learns whether the current password guess was right without ever changing the password.
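The following is an added example and not code from the book. It simulates, in memory, the two weaknesses discussed on this page: a login page whose error message differs for an unknown user and a wrong password (the comparison done in steps E to G), and a change password handler that verifies the current password before comparing the new password with its confirmation and never limits failed attempts (section 6.4). The attacker-side functions show what an automation tool such as Burp Intruder does when it groups responses and reports the inputs that produced a different answer. A hardened change password handler is included beside the weak one. All user names, passwords, messages and the attempt limit are constructed for the example; `login`, `change_password`, `classify_responses` and the other names are hypothetical.

```python
"""Constructed stand-in for a web application with weak authentication
functions (added example, not the book's code). Nothing here talks to
a network; the "responses" are (status, body) tuples."""
from collections import Counter, defaultdict

# Hypothetical user store with made-up credentials.
USERS = {"alice": "Winter2024!", "bob": "hunter2"}


def login(username, password):
    """Weak login: the error message leaks whether the user name exists."""
    if username not in USERS:
        return 200, "Unknown user name"
    if USERS[username] != password:
        return 200, "Incorrect password"
    return 302, "Welcome " + username


def change_password(username, current, new, confirm):
    """Weak change-password handler showing the 6.4 mistakes:
    - no limit on failed attempts,
    - the current password is verified BEFORE new/confirm are compared,
      so the message reveals whether `current` was right."""
    if USERS.get(username) != current:
        return 200, "Current password is incorrect"
    if new != confirm:
        return 200, "New passwords do not match"
    USERS[username] = new
    return 200, "Password changed"


# State for the hardened handler (per-account failure counter, constructed).
FAILED = defaultdict(int)
MAX_ATTEMPTS = 5


def change_password_fixed(username, current, new, confirm):
    """Hardened handler: the new/confirm pair is checked before the current
    password is touched, failures are counted per account and locked out,
    and a wrong current password always gets the same generic message."""
    if FAILED[username] >= MAX_ATTEMPTS:
        return 403, "Account locked"
    if new != confirm:
        # Evaluated first, so this message says nothing about `current`.
        return 200, "New passwords do not match"
    if USERS.get(username) != current:
        FAILED[username] += 1
        return 200, "Password change failed"
    FAILED[username] = 0
    USERS[username] = new
    return 200, "Password changed"


def classify_responses(results):
    """Steps E-G as a tool does them: group (label, response) pairs by the
    response and report the labels whose response differs from the majority.
    Returns (majority_response, outlier_labels)."""
    counts = Counter(resp for _, resp in results)
    majority = counts.most_common(1)[0][0]
    outliers = [label for label, resp in results if resp != majority]
    return majority, outliers


def enumerate_usernames(candidates, password="not-the-password"):
    """Try one password against every candidate; the minority response
    marks the user names that exist."""
    results = [(u, login(u, password)) for u in candidates]
    return classify_responses(results)[1]


def brute_force_current_password(username, wordlist):
    """Abuse the weak change-password oracle: send a mismatching new/confirm
    pair so the password is never changed, and stop at the first guess that
    is not rejected as an incorrect current password."""
    for guess in wordlist:
        _, body = change_password(username, guess, "new-pw-1", "new-pw-2")
        if body != "Current password is incorrect":
            return guess
    return None


if __name__ == "__main__":
    print("valid users:", enumerate_usernames(["alice", "carol", "dave", "erin", "bob"]))
    print("bob's password:", brute_force_current_password(
        "bob", ["password", "letmein", "hunter2", "qwerty"]))
```

Against the hardened handler the same word list fails: the mismatching new/confirm pair is rejected before the current password is examined, a matching pair with a wrong guess is counted and answered generically, and the account locks after `MAX_ATTEMPTS` failures.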