Weak Password Policy
A weak password policy increases the probability that an attacker succeeds with brute-force and dictionary attacks against user accounts. An attacker who can determine a user's password can take over that account and potentially access sensitive data in the application.
There are two checks to perform, and each should be repeated on every flow that sets a password: account creation, password reset, and changing the password from account settings.

First Way

  • Check whether the application accepts a password identical to the email address.
  • Check whether the application accepts a password identical to the username.
  • Repeat both checks when resetting the password, creating an account, and changing the password from account settings.

Second Way

  • Check whether the application accepts common weak passwords such as 123456, 111111, abcabc or qwerty123.
  • Repeat the check when resetting the password, creating an account, and changing the password from account settings.
  • Applications usually enforce password restrictions at account creation, but the reset and change-password flows are often validated separately, so test each flow on its own rather than assuming the signup rules apply everywhere.
