AUTHENTICATION BYPASS

Authentication Bypassing is the act of getting past methods of authentication to access content that otherwise would not be available. This can be done in a variety of ways, including brute forcing passwords, flaws in logic and cookie tampering.


Username enumeration is a useful first step when trying to find vulnerabilities with authentication. Manually entering usernames on a sign in form can be great way to find out the limitations for usernames (eg. no capital letters or numbers) and if usernames have already been created. 

Tools such as ffuf can be used to enumerate for usernames using a wordlist of common usernames as per the example below.



Brute Force is an automated process of using commonly used words against known username(s). From the enumeration stage, I have multiple valid usernames and I will use fuff and a list of common passwords to try and brute force a log in.



Logic Flaw is when the typical path of a website can be bypassed, circumvented or manipulated. This can be beneficial for a penetration tester as they may be able to bypass a log in page and view content only intended for registered users, for example.


Cookie Tampering is the process of examining and editing cookies set by the web server during an online session. This has the potential to gain unauthenticated access, access to another users account or elevated privileges.

In the example below, the cookies were shown in plain text and could be edited using curl. In this case I was able to set the user type to admin and log the user in.


Sometimes cookies will be displayed as a hash, which are an irreversible representation of the original text. However the same output will be displayed every time, so the hashed cookie can be compared against databases such as  https://crackstation.net/ to check for their original strings.

Cookies can also be encoded, which can be reversed in order to get the original string. Once I have the original encoding type, I can edit the cookies by using the same encoding type (eg. base64) to encode my own strings and changing cookie values.

Comments

Post a Comment

Popular posts from this blog

BURPSUITE IN-DEPTH

Image
NOTE: This post will be a much deeper and in-depth dive in to some of the functionality of Burp Suite. If you need a quicker overview, please visit my  Burp Suite Basics  post.  Repeater The repeater function of Burp Suite allows us to take a request captured by Proxy, edit it and send the same request repetitively. This makes repeater ideal for any manual poking around at an endpoint. Basic Usage: The repeater interface can be split in the 6 main sections. Refer to the image above: List of requests that are going through Repeater. Controls for the current request, these allow us to send/cancel a hanging request and go forwards/backwards in a request history. Request/Response view. Requests are edited in the Request view and Responses will show up in the Response view. Allows us to change the layout for the Request and Response view. The inspector allows us to break requests apart and analyse and edit them in a more intuitive way than the raw editor. The IP address o...
Read more

CROSS-SITE SCRIPTING

Image
Cross-Site Scripting (XSS) is an injection attack where malicious JavaScript gets injected into a web application with the intention of being executed by other users.  XSS Payloads In XSS the payload is the JavaScript code we wish to be executed on the targets machine. The payload is comprised of two parts, the intention and the modification. The intention is what the attacker intends the JavaScript to execute and the modification is the changes the attacker needs to do on the code to make it execute in each specific scenario.  Proof of Concept This is a simple payload in order to prove that an attacker can actually achieve XSS on a website: <script>alert('XSS');</script> Session Stealing Details of a users session, such as log in tokens are often kept in cookies on the targets machine. The below JavaScript takes the target's cookie, base64 encodes it to ensure successful transmission and then posts it to a website under the attackers control <script>fet...
Read more

NMAP ADVANCED SCANS

Image
In this post we will be covering techniques to evade firewalls and IDS systems ad well as more advanced scans and scan options, such as: Null Scan FIN Scan Xmas Scan Maimon Scan Ack Scan Window Scan Custom Scan We will also cover the following: Spoofing IP Spoofing MAC Decoy Scan Fragmented Packets Idle/Zombie Scan Null, FIN and XMAS Scans These scans can be efficient when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag to detect a connecting attempt. Using a flag combination that does not match the SYN packets could make it possible to deceive a firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packed and render this kind of scan useless. Null Scan Null scan does not set any flag at all; all six flag bits are set to zero. We can use this option with -sN . A TCP Packet with no flags set will not trigger a response when it ...
Read more