Authentication Bypass
Username Enumeration
Try a random username that probably does not exist, and then try one that probably exists, is there a different error?
We can use the existence of this error message to produce a list of valid usernames already signed up on the system by using the ffuf tool below
The ffuf tool uses a list of commonly used usernames to check against for any matches.
Capture the request in
Burp
to find theContent-Type
, whether its aGET
orPOST
-w
-> selects the file's location-X
-> argument specifies the request method-d
-> the data that we are going to sendFUZZ
-> keyword signifies where the contents from our wordlist will be inserted in the request-H
-> for adding additional headers to the request-u
-> specifies the URL we are making the request to-mr
-> is the text on the page we are looking for to validate we've found a valid username
Password Brute force attack
Previously we used the FUZZ keyword to select where in the request the data from the wordlists would be inserted, but because we're using multiple wordlists, we have to specify our own FUZZ keyword.
W1
-> for our valid list of usernamesW2
-> for the list of passwords we are going to try-w
-> the multiple word lists are also specified with this flag-fc
-> this argument check for an HTTP status code other than a 200
Authentication Bypass Logic Flaw
If a specific url is blocked without authentication like
/admin
, depending on the code you may be able to bypass it.Try:
Finding password reset forms
If there is an option always make an account. There could be pages you have access to that you otherwise would not.
Also if there is a password reset option on the site you might be able to get their password reset link sent to you.
Use curl to figure out how the parameters are passed to the server, in this example the username is a
POST
field and the email address is aGET
field
-H
-> to add an additional header to the request. In this case we are setting theContent-Type
toapplication/x-www-form-urlencoded
Can find this out in burp, or set something ourselves
The
PHP $_REQUEST
variable is an array that contains data received from the query string and POST data. - If the same key name is used for both the query string and POST data, the application logic for this variable favours POST data fields rather than the query string, so if we add another parameter to the POST formWe can control where the password reset email gets delivered.
Now re-running the curl command we can alter where the reset link is sent
Cookie Tampering
Decode the stored cookies and see if you can manipulate them before making curl requests with the new tampered cookies.
First, we'll start just by requesting the target page:
We can see we are returned a message of: Not Logged In
Now we'll send another request with the logged_in cookie set to true and the admin cookie set to false:
We are given the message: Logged In As A User
Finally, we'll send one last request setting both the logged_in and admin cookie to true:
This returns the result: Logged In As An Admin
strcmp() PHP bypass
If you are able to get access to some php course code that uses
strcmp()
for checking usernames and passwords, bypassing it can be trivial
By capturing the authentication in burp you can turn the username and or password field into an array, bypassing the authentication, in this instance we must do it for both the username and password fields.
When submitting a normal request, we are informed that
'Wrong Username or Password'
However, once we change our parameters into an array value with the fields === 0, we login
username[]=0&password[]=0
Last updated