Broken Authentication

Tue, 15 Mar 2022 12:00:00 -0400

Authentication is the process of verifying the identity of a given user or client. In other words, it involves making sure that they really are who they claim to be, there are three authentication factors:

Something you know, such as password or security question, known as “knowledge factors”
Something you have, a physical object like a mobile phone or security token, known as “possession factors”
Something you are, for example biometrics or patterns of behavior, known as “inherence factors”

What is the difference between authentication and authorization? Authentication is the process of verifying that a user is who they claim to be, whereas authorization involves verifying whether a user is allowed to do something

Broken Authentication Labs

Tue, 15 Mar 2022 12:00:00 -0400

Username enumeration via different responses

With Burp running, investigate the login page and submit an invalid username and password.
In Burp, go to Proxy > HTTP history and find the POST /login request. Send this to Burp Intruder.
In Burp Intruder, go to the Positions tab. Make sure that the Sniper attack type is selected.
Click Clear § to remove any automatically assigned payload positions. Highlight the value of the username parameter and click Add § to set it as a payload position. This position will be indicated by two § symbols, for example: username=§invalid-username§. Leave the password as any static value for now.
On the Payloads tab, make sure that the Simple list payload type is selected.
Under Payload options, paste the list of candidate usernames. Finally, click Start attack. The attack will start in a new window.
When the attack is finished, on the Results tab, examine the Length column. You can click on the column header to sort the results. Notice that one of the entries is longer than the others. Compare the response to this payload with the other responses. Notice that other responses contain the message Invalid username, but this response says Incorrect password. Make a note of the username in the Payload column.
Close the attack and go back to the Positions tab. Click Clear, then change the username parameter to the username you just identified. Add a payload position to the password parameter. The result should look something like this: username=identified-user&password=§invalid-password§
On the Payloads tab, clear the list of usernames and replace it with the list of candidate passwords. Click Start attack.
When the attack is finished, look at the Status column. Notice that each request received a response with a 200 status code except for one, which got a 302 response. This suggests that the login attempt was successful - make a note of the password in the Payload column.
Log in using the username and password that you identified and access the user account page to solve the lab.

Username enumeration via subtly different responses

With Burp running, submit an invalid username and password. Send the POST /login request to Burp Intruder and add a payload position to the username parameter.
On the Payloads tab, make sure that the Simple list payload type is selected and add the list of candidate usernames.
On the Options tab, under Grep - Extract, click Add. In the dialog that appears, scroll down through the response until you find the error message Invalid username or password.. Use the mouse to highlight the text content of the message. The other settings will be automatically adjusted. Click OK and then start the attack.
When the attack is finished, notice that there is an additional column containing the error message you extracted. Sort the results using this column to notice that one of them is subtly different.
Look closer at this response and notice that it contains a typo in the error message instead of a full stop/period, there is a trailing space. Make a note of this username.
Close the attack and go back to the Positions tab. Insert the username you just identified and add a payload position to the password parameter: username=identified-user&password=§invalid-password§
On the Payloads tab, clear the list of usernames and replace it with the list of passwords. Start the attack.
When the attack is finished, notice that one of the requests received a 302 response. Make a note of this password.
Log in using the username and password that you identified and access the user account page to solve the lab.

Username enumeration via response timing

With Burp running, submit an invalid username and password, then send the POST /login request to Burp Repeater. Experiment with different usernames and passwords. Notice that your IP will be blocked if you make too many invalid login attempts.
Identify that the X-Forwarded-For header is supported, which allows you to spoof your IP address and bypass the IP-based brute-force protection.
Continue experimenting with usernames and passwords. Pay particular attention to the response times. Notice that when the username is invalid, the response time is roughly the same. However, when you enter a valid username (your own), the response time is increased depending on the length of the password you entered.
Send this request to Burp Intruder and select the attack type to Pitchfork. Clear the default payload positions and add the X-Forwarded-For header.
Add payload positions for the X-Forwarded-For header and the username parameter. Set the password to a very long string of characters (about 100 characters should do it).
On the Payloads tab, select payload set 1. Select the Numbers payload type. Enter the range 1 - 100 and set the step to 1. Set the max fraction digits to 0. This will be used to spoof your IP.
Select payload set 2 and add the list of usernames. Start the attack.
When the attack finishes, at the top of the dialog, click Columns and select the Response received and Response completed options. These two columns are now displayed in the results table.
Notice that one of the response times was significantly longer than the others. Repeat this request a few times to make sure it consistently takes longer, then make a note of this username.
Create a new Burp Intruder attack for the same request. Add the X-Forwarded-For header again and add a payload position to it. Insert the username that you just identified and add a payload position to the password parameter.
On the Payloads tab, add the list of numbers in payload set 1 and add the list of passwords to payload set 2. Start the attack.
When the attack is finished, find the response with a 302 status. Make a note of this password.
Log in using the username and password that you identified and access the user account page to solve the lab.

Broken brute-force protection, IP block

With Burp running, investigate the login page. Observe that your IP is temporarily blocked if you submit 3 incorrect logins in a row. However, notice that you can reset the counter for the number of failed login attempts by logging in to your own account before this limit is reached.
Enter an invalid username and password, then send the POST /login request to Burp Intruder. Create a pitchfork attack with payload positions in both the username and password parameters.
On the Resource pool tab, add the attack to a resource pool with Maximum concurrent requests set to 1. By only sending one request at a time, you can ensure that your login attempts are sent to the server in the correct order.
On the Payloads tab, select payload set 1. Add a list of payloads that alternates between your username and carlos. Make sure that your username is first and that carlos is repeated at least 100 times.
Edit the list of candidate passwords and add your own password before each one. Make sure that your password is aligned with your username in the other list.
Add this list to payload set 2 and start the attack.
When the attack finishes, filter the results to hide responses with a 200 status code. Sort the remaining results by username. There should only be a single 302 response for requests with the username carlos. Make a note of the password from the Payload 2 column.
Log in to Carlos’s account using the password that you identified and access his account page to solve the lab.

Username enumeration via account lock

With Burp running, investigate the login page and submit an invalid username and password. Send the POST /login request to Burp Intruder.

Auth on s4yhii's blog