
Authentication

Authentication is the process of verifying the identity of a given user or client.

In other words, it means making sure that users really are who they claim to be when they try to log in or access the system.

Vulnerabilities in password-based login

Username Enumeration

  • Username enumeration via different responses: brute-force the login form and analyse each response for:

  1. A different response length (e.g. a noticeably longer response).

  2. A different response time (e.g. a noticeably longer completion time).

  3. Different response text.

  • X-Forwarded-For: a request header used to identify the real client IP behind a proxy, and a common way to bypass brute-force protection that relies on IP blocking.

Many failed request & IP Block

The payload list should alternate between a valid username and an invalid username.

Example:

USER-LIST: test/admin/test/admin/test
PASS-LIST: aaaa/ABCDE/bbbb/EFGHI/cccc
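The defensive counterpart to the two sections above, as an added example that is not part of the original page: a login handler that returns the same message and does the same amount of work for unknown usernames and wrong passwords, and a rate limiter that keys on the TCP peer rather than a client-supplied X-Forwarded-For header. The user store, the salt, the proxy address 10.0.0.5 and the limits are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

# Constructed demo store: username -> (salt, password hash). Real code uses a random salt per user.
_SALT = b"demo-salt"
USERS = {"admin": (_SALT, _hash(_SALT, "correct horse battery staple"))}
# Compared against when the username is unknown, so both paths cost one full hash (no timing leak).
_DUMMY = (_SALT, _hash(_SALT, "dummy"))

TRUSTED_PROXIES = {"10.0.0.5"}   # assumed address of our own reverse proxy
MAX_FAILURES, WINDOW = 5, 300    # five failed logins per source IP per five minutes
_failures = defaultdict(list)    # rate-limit key -> timestamps of recent failures

def client_ip(peer_ip: str, headers: dict) -> str:
    """Rate-limit key: the TCP peer, unless it is our proxy, whose appended X-Forwarded-For entry we trust."""
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()   # last entry was appended by the trusted proxy
    return peer_ip                          # a client-supplied header never changes the key

def login(peer_ip: str, headers: dict, username: str, password: str, now: float = None) -> dict:
    now = time.time() if now is None else now
    key = client_ip(peer_ip, headers)
    _failures[key] = [t for t in _failures[key] if now - t < WINDOW]
    if len(_failures[key]) >= MAX_FAILURES:
        return {"status": 429, "body": "Too many attempts, try again later"}
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash and compare, then require the user to exist: same message and same work either way.
    ok = hmac.compare_digest(_hash(salt, password), stored) and username in USERS
    if not ok:
        _failures[key].append(now)
        return {"status": 401, "body": "Invalid username or password"}
    return {"status": 200, "body": "Welcome"}
```

Per-IP limiting alone does not stop an attacker who rotates source addresses, so a per-account counter is still needed; its lockout message must then be identical for existing and non-existing accounts, or it becomes an enumeration oracle of its own.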

Account Locking

  1. Find the maximum number of attempts allowed per username (e.g. 3).

  2. Create a username list for username enumeration and repeat each username more than the maximum number of attempts (test/test/test/test).

  3. Start brute-forcing for username enumeration.

  4. Brute-force each user with a password list.

  5. Apply the "Username Enumeration" method (different response text).

HTTP basic authentication

Find a bug in the implementation!

Example:

If the user's credentials are sent in an HTTP header like Authorization: Basic base64(username:password), you can brute-force them as with all the methods above.

Vulnerabilities in multi-factor authentication

Some common two-factor authentication tokens:

  • RSA token or keypad device.

  • SMS/email verification codes.

Bypassing

Example:

If the username and password form is on page-1 and the two-factor authentication form on page-2:

  • If username, password and 2FA code are all correct, you reach a panel (/my-account).

  • On page-1 enter the victim's username and password, and on page-2 change the path to the panel URL.

Flawed logic

Example:

  • If the response sets a cookie like: Set-Cookie: account=test

  • Change the cookie value to the victim's username: account=victim

Brute-forcing 2FA verification codes

Sometimes, if you enter a wrong code twice on page-2, you are logged out and redirected to page-1 (enter username and password).

In this case, record the request flow (GET /login-1 --> POST /login-1 --> GET /login-2).

Then use 'Project Options / Session Handling Rules' in Burp Suite (a macro) as follows:

  1. In Burp, go to "Project options", "Sessions".

  2. In the "Session Handling Rules" panel, click "Add". The "Session handling rule editor" dialog opens.

  3. In the dialog, go to the "Scope" tab. Under "URL Scope", select the option "Include all URLs".

  4. Go back to the "Details" tab and under "Rule Actions", click "Add", "Run a macro".

  5. Under "Select macro" click "Add" to open the "Macro Recorder".

  6. Select the following 3 requests (GET /login-1 --> POST /login-1 --> GET /login-2).

  7. Use Intruder and brute-force the verification-code parameter with one Resource Pool.
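The server-side logic that closes the three 2FA weaknesses above (skipping page-2, trusting an account cookie, and re-logging in via a macro to reset the code counter), as an added example that is not part of the original page: login state lives only in a server-side session, /my-account is granted only once the 2FA step has passed, and failed-code attempts are counted per account so redoing page-1 does not reset them. The users, codes and limit are constructed for the demo.

```python
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
# Constructed demo data (plaintext for brevity; real code stores password hashes).
USERS = {"wiener": "peter", "carlos": "montoya"}
CURRENT_CODES = {"wiener": "1234", "carlos": "9876"}   # what each user's 2FA device shows right now
MAX_CODE_FAILURES = 5                                   # per account, not per session
@dataclass
class Session:
    pending_user: Optional[str] = None   # step 1 passed, 2FA still outstanding
    user: Optional[str] = None           # fully authenticated
SESSIONS = {}                    # session id -> Session, held server-side
CODE_FAILURES = defaultdict(int) # keyed on the account: redoing step 1 with a macro does not reset it
def new_session() -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session()
    return sid
def post_login1(sid: str, username: str, password: str) -> int:
    s = SESSIONS[sid]
    if not hmac.compare_digest(USERS.get(username, ""), password):
        return 401
    s.pending_user, s.user = username, None
    return 302                                   # redirect to /login-2

def post_login2(sid: str, code: str) -> int:
    s = SESSIONS[sid]
    u = s.pending_user
    if u is None:
        return 403                               # step 1 not completed in this session
    if CODE_FAILURES[u] >= MAX_CODE_FAILURES:
        s.pending_user = None
        return 429                               # account needs a cool-down or manual unlock
    if not hmac.compare_digest(CURRENT_CODES[u], code):
        CODE_FAILURES[u] += 1
        s.pending_user = None                    # wrong code: back to step 1
        return 401
    CODE_FAILURES[u] = 0
    s.pending_user, s.user = None, u
    return 302                                   # redirect to /my-account

def get_my_account(cookies: dict) -> tuple:
    """Identity comes only from the server-side session; an account=... cookie is never read."""
    s = SESSIONS.get(cookies.get("session", ""))
    if s is None or s.user is None:
        return 302, None                         # redirect to /login-1
    return 200, s.user
```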

Vulnerabilities in other authentication mechanisms

Password reset poisoning via middleware

X-Forwarded-Host: the host names and ports of reverse proxies (load balancers, CDNs) may differ from those of the origin server handling the request (the 'Host' header); in that case the X-Forwarded-Host request header is used to determine which Host was originally requested. If the application builds the password reset link from this header, an attacker-supplied value ends up in the link sent to the victim.
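How a reset-link generator should treat the forwarded host, as an added example that is not part of the original page: the vulnerable helper copies whatever X-Forwarded-Host says into the link, the safe one accepts only an allow-listed host and otherwise falls back to a configured canonical host, and tokens are stored hashed, expire, and are single-use. The host names, the 15-minute TTL and the token store are assumptions for the demo.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumed deployment config: the host names this app legitimately serves behind its proxy.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}
CANONICAL_HOST = "shop.example"
TOKEN_TTL = 15 * 60                        # seconds a reset token stays valid

# Constructed store: sha256(token) -> (username, expiry). Only the hash is kept server-side.
_RESET_TOKENS = {}

def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def reset_host_vulnerable(headers: dict) -> str:
    # Trusts the forwarded host blindly: the link, and the token in it, go wherever the request says.
    return headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)

def reset_host_safe(headers: dict) -> str:
    # A request-supplied host is honoured only if allow-listed; otherwise the configured host is used.
    candidate = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return candidate if candidate in ALLOWED_HOSTS else CANONICAL_HOST

def issue_reset_link(username: str, headers: dict, now: float = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[_h(token)] = (username, now + TOKEN_TTL)
    return f"https://{reset_host_safe(headers)}/reset?token={token}"

def consume_reset_token(token: str, now: float = None) -> Optional[str]:
    """Return the username if the token is valid and unexpired. The token is single-use."""
    now = time.time() if now is None else now
    entry = _RESET_TOKENS.pop(_h(token), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```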

Changing user passwords

  1. Find the change-password request. Its HTTP parameters look like this:

    username=VICTIM&current-password=777&new-password-1=123&new-password-2=123.

  2. Brute-force 'current-password' with the victim's username, like:

    username=VICTIM&current-password=FOO&new-password-1=PASS&new-password-2=DIFF-PASS.

  3. Identify the valid password by grep-matching a response text.

  4. Log in to the victim's account.
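The two handler versions behind the procedure above, as an added example that is not part of the original page: the vulnerable one takes the username from the form and only checks that the new passwords match after the current password has been verified, so the two error messages tell the caller whether current-password was right; the safe one takes identity from the session, rejects mismatching new passwords before touching the current password, and counts failures per account. Users, session ids and the limit are constructed for the demo.

```python
import hmac
from collections import defaultdict

# Constructed demo store (plaintext for brevity; real code stores password hashes).
USERS = {"wiener": "peter", "carlos": "montoya"}
SESSIONS = {"sid-carlos": "carlos"}      # constructed: session id -> authenticated user
MAX_CURRENT_PW_FAILURES = 3
_failures = defaultdict(int)             # per account

def change_password_vulnerable(form: dict) -> str:
    # Identity from the form, and the mismatch check runs only after the current password passed:
    # the two error strings are an oracle for current-password, usable without being logged in.
    user = form["username"]
    if not hmac.compare_digest(USERS.get(user, ""), form["current-password"]):
        return "Current password is incorrect"
    if form["new-password-1"] != form["new-password-2"]:
        return "New passwords do not match"
    USERS[user] = form["new-password-1"]
    return "Password changed"

def change_password_safe(session_id: str, form: dict) -> tuple:
    user = SESSIONS.get(session_id)      # any username field in the form is ignored
    if user is None:
        return 401, "Login required"
    if form["new-password-1"] != form["new-password-2"]:
        return 400, "New passwords do not match"   # decided before the current password is looked at
    if _failures[user] >= MAX_CURRENT_PW_FAILURES:
        return 429, "Too many attempts"            # account-level cool-down or re-authentication needed
    if not hmac.compare_digest(USERS[user], form["current-password"]):
        _failures[user] += 1
        return 400, "Current password is incorrect"
    _failures[user] = 0
    USERS[user] = form["new-password-1"]
    return 200, "Password changed"
```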


Last updated 8 months ago
