PortSwigger - Authentication - Find and Exploit

How to find and exploit authentication vulnerability

Weak Password Complexity Requirements:

  • Review the website for any description of the rules.
  • If self registration is possible, attempt to register several accounts with different kinds of weak passwords to discover what rules are in place:
    • Very short or blank.
    • Common dictionary words or names.
    • Password is the same as the username.
  • If you control a single account and password change is possible, attempt to change the password to various weak values.
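The probes above map directly onto the rules a registration or password-change endpoint should enforce. As an added example (not code from the original post or from the referenced slides), the following Python policy check rejects each category of weak value the checklist tries; the deny-list is a constructed sample and the minimum length is an assumption:

```python
import re

# Constructed sample deny-list; a real deployment loads a breached-password list
# with hundreds of thousands of entries (assumption: file-backed in production).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
MIN_LENGTH = 12   # assumption for the example


def check_password(username: str, password: str) -> list[str]:
    """Return the policy rules a candidate password violates; [] means it is acceptable.

    The rules mirror the weak-password probes in the checklist: blank or very short,
    a common dictionary word (with or without a digit suffix), or equal to the username.
    """
    problems: list[str] = []
    lowered = password.lower()

    if password.strip() == "":
        problems.append("blank")
        return problems                      # nothing else is meaningful for a blank value
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Dictionary check, also catching the usual "word + digits" variants.
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in COMMON_PASSWORDS:
        problems.append("common dictionary word")
    elif stripped in COMMON_PASSWORDS:
        problems.append("common dictionary word with digit suffix")

    # Username checks: exact match is the weakest case, containment is almost as bad.
    if username:
        if lowered == username.lower():
            problems.append("same as username")
        elif len(username) >= 4 and username.lower() in lowered:
            problems.append("contains the username")
    return problems


def register(username: str, password: str) -> tuple[bool, str]:
    """Simulated self-registration endpoint: refuse the account when the policy fails."""
    problems = check_password(username, password)
    if problems:
        return False, "Password rejected: " + "; ".join(problems)
    return True, "Account created"


if __name__ == "__main__":
    samples = [("alice", ""), ("alice", "alice"), ("bob", "Password123"),
               ("carol", "correct horse battery staple")]
    for user, pw in samples:
        print(f"{user!r:8} {pw!r:32} -> {check_password(user, pw)}")
```

Running the four constructed registrations shows which rule each one trips; only the long passphrase passes. A check like this on the server side is what the tester is trying to confirm exists.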

Improper Restriction of Authentication Attempts:

  • Manually submit several bad login attempts for an account you control.
  • After 10 failed login attempts, if the application does not return a message about account lockout, attempt to log in correctly. If it works, then there is no lockout mechanism.
    • Run a brute force attack to enumerate the valid password.
      • Use tools like Hydra, Burp Intruder.
    • If the account is locked out, monitor the requests and responses to determine if the lockout mechanism is insecure.
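The test in this section passes only when the server actually enforces a lockout, whether or not it says so in the response. As an added example (not code from the original post or the referenced slides), here is a Python throttle that locks an account after a number of failures inside a time window and a login handler that enforces it before checking the password; the thresholds, the plaintext user store and the FakeClock are assumptions made to keep the example self-contained:

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5            # failures within WINDOW_SECONDS that trigger a lockout (assumption)
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60
GENERIC_FAILURE = "Invalid username or password"


class LoginThrottle:
    """Tracks failed logins per account and locks the account after too many.

    The clock is injectable so lockout expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> time at which the lock ends

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:            # lock expired: clear it and the history
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> None:
        now = self._clock()
        recent = self._failures[username]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


# Constructed user store with a plaintext value only to keep the example short;
# real code verifies a salted password hash here.
USERS = {"alice": "correct horse battery staple"}


def attempt_login(throttle: LoginThrottle, username: str, password: str) -> tuple[bool, str]:
    """Server-side login with the lockout enforced before the password is checked.

    The failure message is identical for a wrong password and for a locked account, so
    the lock itself does not reveal whether the username exists. The lock still holds
    even though the message never mentions it, which is exactly what the checklist step
    above probes for by logging in correctly after the failed attempts.
    """
    if throttle.is_locked(username):
        return False, GENERIC_FAILURE
    if USERS.get(username) == password:
        throttle.record_success(username)
        return True, "Welcome"
    throttle.record_failure(username)
    return False, GENERIC_FAILURE


class FakeClock:
    """Test clock: time only advances when .now is changed."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(MAX_FAILURES):
        print(attempt_login(throttle, "alice", "wrong"))
    print("correct password while locked:", attempt_login(throttle, "alice", "correct horse battery staple"))
    clock.now += LOCKOUT_SECONDS + 1
    print("correct password after expiry:", attempt_login(throttle, "alice", "correct horse battery staple"))
```

Keying the lock on the account alone lets anyone lock a victim out by failing on purpose, so production designs usually pair it with per-source throttling or a progressive delay; the point of the example is that the correct password must fail while the lock is active.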

Verbose Error Message:

  • Submit a request with a valid username and an invalid password.
  • Submit a request with an invalid username.
  • Review both responses for any differences in the status code, any redirects, information displayed on the screen, HTML page source, or even the time to process the request.
  • If there is a difference, run a brute force attack to enumerate the list of valid usernames in the application.
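The differences the checklist looks for (message text and processing time) both come from the same coding pattern: returning early when the username is unknown. As an added example (not code from the original post or the referenced slides), the Python below places the verbose login next to a uniform one that always performs the hash computation and returns one failure message; the PBKDF2 parameters, the user store and the dummy credential are assumptions:

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # PBKDF2 work factor; assumption for the example


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Constructed user store: username -> (salt, hash).
USERS = {"alice": hash_password("correct horse battery staple")}

# A throwaway credential that is verified whenever the username is unknown, so the
# unknown-user path costs the same hash computation as the known-user path.
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(32).hex())

GENERIC_FAILURE = "Invalid username or password"


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable pattern: distinct messages, and an early return that skips the slow
    hash when the user does not exist, so both the text and the timing leak validity."""
    if username not in USERS:
        return False, "Unknown username"
    salt, expected = USERS[username]
    if not verify_password(password, salt, expected):
        return False, "Incorrect password"
    return True, "Welcome"


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Hardened pattern: one message for every failure, and the hash is always computed."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = verify_password(password, salt, expected) and username in USERS
    return (True, "Welcome") if ok else (False, GENERIC_FAILURE)


def mean_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    """Average wall-clock time of fn(username, password); used to show the timing gap."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(username, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        known = mean_seconds(fn, "alice", "wrong")
        unknown = mean_seconds(fn, "mallory", "wrong")
        print(f"{fn.__name__:14} known user {known * 1000:7.1f} ms   unknown user {unknown * 1000:7.1f} ms")
```

Running it prints a large timing gap between known and unknown usernames for login_verbose and a negligible one for login_uniform; the status code, redirect target and page body should be made identical in the same way.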

Vulnerable Transmission of Credentials:

  • Perform a successful login while monitoring all traffic in both directions between the client and server.
  • Look for instances where credentials are submitted in a URL query string or a cookie, or are transmitted back from the server to the client.
  • Attempt to access the application over HTTP and check whether it redirects to HTTPS.
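Reviewing a proxy history by hand scales badly, so it helps to encode the three checks above as rules over the captured traffic. As an added example (not code from the original post or the referenced slides), this Python scanner flags credential-like names in URL query strings and cookies, plaintext HTTP requests and redirects, and the submitted password reappearing in a response; the capture format, the name pattern and the sample captures are all constructed for the example:

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter and cookie names that usually carry a credential (assumption: tune per application).
SENSITIVE_NAME = re.compile(r"(^|_)(pass(word|wd)?|pwd|secret|pin|otp|token)($|_)", re.I)


def sensitive_names(names) -> list[str]:
    return [n for n in names if SENSITIVE_NAME.search(n)]


def scan_request(req: dict) -> list[str]:
    """Report credential-exposure patterns in one captured request.

    `req` is a simplified proxy capture: {"url": ..., "headers": {...}, "body": ...}.
    """
    findings = []
    url = urlsplit(req["url"])
    if url.scheme == "http":
        findings.append("request sent over plaintext HTTP")
    for name in sensitive_names(parse_qs(url.query, keep_blank_values=True)):
        findings.append(f"credential-like parameter '{name}' in URL query string")
    cookie_header = req.get("headers", {}).get("Cookie")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        for name in sensitive_names(jar.keys()):
            findings.append(f"credential-like cookie '{name}' sent by the client")
    return findings


def scan_response(resp: dict, submitted_password: str) -> list[str]:
    """Report credentials travelling back from the server to the client.

    `resp` is {"status": int, "headers": [(name, value), ...], "body": str}; headers are a
    list because Set-Cookie may repeat. The tester knows the password they just submitted,
    so its literal appearance anywhere in the response is a finding.
    """
    findings = []
    for name, value in resp.get("headers", []):
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for cname in sensitive_names(jar.keys()):
                findings.append(f"credential-like cookie '{cname}' set by the server")
        elif name.lower() == "location" and value.startswith("http://"):
            findings.append("redirect target is plaintext HTTP")
    if submitted_password and submitted_password in resp.get("body", ""):
        findings.append("submitted password echoed in response body")
    return findings


# Constructed captures (not real traffic); shop.example is a placeholder host.
CAPTURES = [
    {"url": "http://shop.example/login?username=alice&password=hunter2",
     "headers": {"Host": "shop.example"}, "body": ""},
    {"url": "https://shop.example/account",
     "headers": {"Host": "shop.example", "Cookie": "session=9f1c; remember_pwd=hunter2"}, "body": ""},
    {"url": "https://shop.example/login",
     "headers": {"Host": "shop.example", "Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=alice&password=hunter2"},
]
RESPONSE = {"status": 200,
            "headers": [("Set-Cookie", "session=9f1c; Path=/"), ("Set-Cookie", "password=hunter2")],
            "body": "<p>Logged in as alice (password: hunter2)</p>"}

if __name__ == "__main__":
    for capture in CAPTURES:
        print(capture["url"], "->", scan_request(capture) or ["no findings"])
    print("response ->", scan_response(RESPONSE, "hunter2"))
```

The third capture, a POST body over HTTPS, produces no findings and serves as the baseline the other two are compared against; a query-string credential is the worst case because it also lands in browser history, proxy logs and Referer headers.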

Insecure Forgot Password Functionality:

  • Identify if the application has any forgotten password functionality.
  • If it does, perform a complete walk-through of the forgot password functionality using an account you have control of while intercepting the requests / responses in a proxy.
  • Review the functionality to determine if it allows for username enumeration or brute-force attacks.
  • If the application generates an email containing a recovery URL, obtain a number of these URLs and attempt to identify any predictable patterns or sensitive information included in the URL. Also check if the URL is long lived and does not expire.
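The properties the last two steps test for are a reset token with no recoverable pattern, a short lifetime, single use, and a request endpoint that answers the same way for unknown accounts. As an added example (not code from the original post or the referenced slides), the following Python reset service has all four; the token lifetime, the placeholder host, the known-user set and the FakeClock are assumptions:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: short lifetime for reset links
KNOWN_USERS = {"alice", "bob"}   # constructed account list


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a read of the table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    """Issues and redeems single-use, expiring reset tokens; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, tuple[str, float]] = {}   # fingerprint -> (username, expires_at)

    def issue(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG: no sequence number, timestamp or account
        # identifier goes into the token, so there is no pattern to discover.
        token = secrets.token_urlsafe(32)
        self._pending[_fingerprint(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def reset_url(self, username: str) -> str:
        # app.example is a placeholder host; the token is the only variable part of the link.
        return f"https://app.example/reset?token={self.issue(username)}"

    def redeem(self, token: str):
        """Return the username if the token is valid, otherwise None.

        pop() makes the token single-use and the expiry check makes it short-lived.
        Unknown, already-used and expired tokens all produce the same result.
        """
        entry = self._pending.pop(_fingerprint(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        # Any other outstanding tokens for this user are stale once one is redeemed.
        self._pending = {k: v for k, v in self._pending.items() if v[0] != username}
        return username


def request_reset(service: PasswordResetService, username: str) -> str:
    """What the web handler calls: the reply is the same whether or not the account exists."""
    if username in KNOWN_USERS:
        service.reset_url(username)   # the link would be e-mailed here
    return "If that account exists, a reset link has been sent."


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    svc = PasswordResetService(clock=clock)
    link = svc.reset_url("alice")
    token = link.split("token=")[1]
    print(link)
    print("first use :", svc.redeem(token))
    print("second use:", svc.redeem(token))
    late = svc.issue("bob")
    clock.now += TOKEN_TTL_SECONDS + 1
    print("expired   :", svc.redeem(late))
```

Collecting several links from this service, as the checklist suggests, yields only independent random strings of the same length, which is the negative result a reviewer wants to see.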

Defects in Multistage Login Mechanism:

  • Identify if the application uses a multistage login mechanism.
  • If it does, perform a complete walk-through using an account you have control of while intercepting the requests / responses in a proxy.
  • Review the functionality to determine if it allows for username enumeration or brute-force attacks.

Insecure Storage of Credentials:

  • Review all the application’s authentication-related functionality. If you find any instances where the user’s password is transmitted to the client in plaintext or in an obfuscated form, this indicates the passwords are being stored insecurely.
  • If you gain remote code execution (RCE) on the server, review the database to determine if the passwords are stored insecurely.
  • Conduct technical interviews with the developers to review how passwords are stored in the backend database.
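When a credential table can be reviewed, the question is whether each stored value is a salted, purpose-built password hash or something weaker. As an added example (not code from the original post or the referenced slides), this Python audit classifies stored values by format and flags identical values shared between accounts, which points to hashing without a per-user salt; the format patterns and the sample rows are constructed, and the bcrypt-shaped string is a placeholder, not a real hash:

```python
import base64
import re
from collections import Counter

# Prefixes of salted, purpose-built password hash formats (assumption: extend per stack).
MODERN_HASH = re.compile(r"^\$(2[aby]|argon2(id|i|d)|scrypt|pbkdf2[-_]sha\d+)\$")
HEX = re.compile(r"^[0-9a-fA-F]+$")
FAST_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def classify(stored: str) -> str:
    """Best-effort label for one stored credential value."""
    if MODERN_HASH.match(stored):
        return "salted slow hash"
    if HEX.match(stored) and len(stored) in FAST_HASH_LENGTHS:
        return f"bare fast hash ({FAST_HASH_LENGTHS[len(stored)]})"
    try:
        decoded = base64.b64decode(stored, validate=True).decode("ascii")
        if decoded.isprintable():
            return "obfuscated (base64 of printable text)"
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        pass
    return "plaintext"


def audit(rows: list[tuple[str, str]]) -> list[str]:
    """Review (username, stored_value) rows and list the problems found."""
    findings = []
    repeats = Counter(value for _, value in rows)
    reported = set()
    for user, value in rows:
        kind = classify(value)
        if kind != "salted slow hash":
            findings.append(f"{user}: {kind}")
        if repeats[value] > 1 and value not in reported:
            reported.add(value)
            shared = [u for u, v in rows if v == value]
            findings.append(f"identical stored value for {', '.join(shared)} (no per-user salt)")
    return findings


# Constructed rows. The hex value is the unsalted MD5 digest of "password" and
# appears twice to show what a missing salt looks like in a dump.
ROWS = [
    ("alice", "$2b$12$PLACEHOLDERSALTPLACEHOLDERHASHVALUE"),
    ("bob", "hunter2"),
    ("carol", "aHVudGVyMg=="),
    ("dave", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("erin", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    for line in audit(ROWS):
        print(line)
```

The classification is heuristic: a short plaintext value can occasionally decode as valid base64, and a 64-character hex string might be a salted SHA-256 whose salt lives in another column, so each label is a prompt for a closer look rather than a verdict. Seeing the same value for several users, or a value the application can turn back into the password, is what confirms the finding.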

Reference:

Rana Khalil - Authentication Vulnerabilities Complete Guide Theory Video Slides


This post is licensed under CC BY 4.0 by the author.