# Authentication In other words, it involves making sure that they really are who they claim to be when trying to login or access the system. ## Vulnerabilities in password-based login ### Username Enumeration * Username enumeration via different responses when you try to brute-force and analysis each response: 1. If `Response length` is too long. 2. If `Response Completed Time` is too long. 3. Different `Response Text`. * `X-forward-for`: A mechanism to identify real client IP in request header & a good way for bypass brute-force protection (IP block protection). ### Many failed request & IP Block List of payloads should alternates between a valid username and a invalid username. \ **Example:** ```powershell USER-LIST: test/admin/test/admin/test PASS-LIST: aaaa/ABCDE/bbbb/EFGHI/cccc ``` ### Account Locking 1. Find maximum you can try a username (EX: 3). 2. Create an username-list for username enumeration and repeat each username more than max-try-number ( `test/test/test/test`). 3. Start brute-force for username enumeration. 4. Start brute-force for each user with a password-list. 5. "Username Enumeration" method (Response Text different). ### HTTP basic authentication #### Find a Bug in implementation! #### Example: #### If user's certificate send in HTTP header like `Authorization: Basic base64(username:password)`, you can brute-force it like all above solutions. ## Vulnerabilities in multi-factor authentication #### Some useful two-factor authentication tokens: * RSA token or keypad device. * Send SMS/Email verification codes. ### Bypassing #### Example: If username and password form in page-1 and two-factor authentication form in page-2: * If username, password and 2FA is true, you got to a panel (`/my-account`). * In page-1 enter victim username and password and in page-2 change the path to panel URL. ### Flawed in logic #### **Example:** * If in response page we have cookie like: `Set-Cookie: account=``test` * Change username to victim like: `Set-Cookie: account=``victim` ### Brute-forcing 2FA verification codes Sometimes if you enter the wrong code twice in page-2, you will be logged out again and redirect to page-1 (enter username and password). In this case you should save flow of request (`GET /login-1 --> POST /login-1 --> GET /login-2`). #### Then use 'Project Options/Session Handling Rules' in Burp Suite (macro) and do following state: 1. In Burp, go to "Project options", "Sessions". In the "Session Handling Rules" panel, click "Add". The "Session handling rule editor" dialog opens. 2. In the dialog, go to the "Scope" tab. Under "URL Scope", select the option "Include all URLs". Go back to the "Details" tab and under "Rule Actions", click "Add", "Run a macro". 3. Under "Select macro" click "Add" to open the "Macro Recorder". Select the following 3 requests (`GET /login-1 --> POST /login-1 --> GET /login-2`). 4. Use `Intruder` and brute-force verification-code parameter with one `Resource Pool`. ## Vulnerabilities in other authentication mechanisms ### Password reset poisoning via middleware **X-Forwarded-Host**: Host names and ports of reverse proxies(load balancer, CDNs) may differ from the origin server handling the request('Host' header), in that case the `X-Forwarded-Host` request header is useful to determine which Host was originally used. ### Changing user passwords 1. Find change password request. HTTP request parameter like this: `username=VICTIM¤t-password=777&new-password-1=123&new-password-2=123.` 2. Brute-force 'current-password' with victim username like: `username=VICTIM¤t-password=``FOO``&new-password-1=PASS&new-password-2=DIFF-PASS.` 3. Find valid password from grep-match a text. 4. Login to victim account.