Demo: Identification and Authentication Failures

Video Activity

Time
2 hours 16 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Welcome back to Mutillidae. But this time we're going to look at the OWASP 2017 version of broken authentication and session management. What you'll notice as we go through this whole course is, if we look at something like authentication bypass via SQL injection login, we've already done that before. There are some commonalities between some of these OWASP Top 10, like I talked about injection attacks before. Let's look at username enumeration, which I talked about in the slides. But let's go to login.

Now, typically, applications will have an admin user by default. What I like to do is something like admin, and then I'll put something like admin for default credentials and see if that works. This is "password incorrect." What I'll do then is try something that I know won't work. How about "no user"? Because that's not really a typical username. Any password I want, and I'll see this is "account does not exist." What can I do from here? I can try to see if there's maybe someone named Jim and see what their password is. I'll just try Jim. This is "password incorrect." From here I can start building a list of valid users to then try password brute forcing attacks with.

This is something that, if there's a bug bounty program, you would want to report. Some places say it's too low impact, some places appreciate this, some places pay you, some places don't. That's just the joy of bug bounty programs. But definitely if I was on an engagement for a client in the consulting world or a part of an internal pen test team, I would want to report this, because we don't want to have different responses for people to enumerate valid users. We don't want the same response, whether it's valid or invalid. That goes for username and password. We don't want it to say "invalid username" or "invalid password" depending on what you type. We want just a generic "invalid username or password" message to be displayed. You'll see this too with password resets. Sometimes it will tell you an email has been sent to, and it tells you the person's e-mail address. That's really bad cybersecurity hygiene.

From here, I'd of course pivot into doing a brute force attack, which I'll show you a bit later. But if I'm lucky, people have easily guessed or weak passwords. I'll try Jim again and I'll try "password", and you can see I've successfully logged in as Jim.

Let's take a look here at broken authentication and session management for privilege escalation. If I right-click and go to Inspect, I am going to go to Security, sorry, Application, Cookies, and we see all these cookies here. I see a user ID of seven, I see show hints is one, I see username is Jim, and I see a PHP session ID. What if I change Jim to admin? Because we know there's an admin user. And I refresh that, and I refresh this. We can see that nothing changes. Okay, well, we see our user ID is seven; maybe the admin user is one. We'll then refresh this. We will refresh the browser, and now look what happened. We are now successfully logged in as an admin. We've successfully escalated our privileges because we were able to look at the cookies and the user ID and go from seven to one, and now we are the admin user.

Let's log out of this and let's look at authentication bypass via brute force login. For these you have to use your imagination, but what I'm going to do here is I'm going to use Burp Suite's Intruder module. What I've done is I've taken the POST request from logging in as, well, here you can see "test", password "test", and I'm going to use the attack type of cluster bomb. It's going to iterate through the list of usernames and iterate through the list of passwords, so then try every combination of usernames and passwords. I'll get the most bang for our buck. I know that's a dad joke: cluster bomb, bang, boom. Anyway. Let's look at payloads. Number 1. I've been able, due to the difference in valid users versus invalid users, to enumerate the fact that Jim, admin, and Bryce are all valid usernames for payload set 1, and for payload set 2, here are my passwords. Here are some easily guessed or default passwords. Then I'm going to launch my brute force attack by simply doing Start attack. I have the paid version, so it's going to go quickly. If you have the Community Edition, it will go a lot slower than this.

What I like to look at, what I like to sort this by, is usually status. Two 302 redirects for Jim and Bryce, and then also the length is different. Basically, what this shows me is that Jim and Bryce both have a redirect to, if I look at the response, typically the Location will tell me, this endpoint here. But I'm going to go ahead and guess that that's valid, that's a valid username password combination. Of course, a weak password. We've already logged in as Jim. Let's try Bryce now. We'll do Bryce and we'll do "password". Now we can see we are successfully logged in as Bryce. Of course, we can look at cookies and see that Bryce is five. I could then go to four. I'm going to guess I'll log in as someone else. Now I'm Jeremy.

These are all illustrating the concepts of broken authentication, and for Mutillidae, that is authentication bypass, and you do that via brute force logins. We also looked at privilege escalation via cookies, and username enumeration, where we can see a different response with a valid user versus an invalid user, which helped us build our username list for our brute force attack.
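The three weaknesses demonstrated above (distinct "account does not exist" / "password incorrect" messages, a client-editable user ID cookie, and unthrottled password guessing) come down to a few lines of login-handler logic. The following is an added illustration, not code from the transcript, from Cybrary, or from Mutillidae: a minimal Python login handler written in the enumerable style beside a hardened version, and a cookie-trusting session lookup beside a server-side one. All accounts, passwords, user IDs (admin = 1, jim = 7, matching the demo) and the session store are constructed for the example; the attempt limit and the dummy-hash trick are my design choices, not anything the page specifies.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Constructed demo accounts (illustration only; not Mutillidae's real data).
# Passwords are stored as salted PBKDF2 hashes, never in plain text.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: dict[str, dict] = {}
for _name, _pw, _uid, _role in [("admin", "Corr3ct-H0rse-Battery", 1, "admin"),
                                  ("jim", "password", 7, "user")]:
    _salt = os.urandom(16)
    USERS[_name] = {"uid": _uid, "role": _role, "salt": _salt, "hash": _pbkdf2(_pw, _salt)}

# Fixed dummy credential so an unknown username still pays the full hashing cost
# (otherwise response time alone would reveal which accounts exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password"
MAX_ATTEMPTS = 5                      # assumed policy for the example
_failed_attempts: dict[str, int] = {}


def login_enumerable(username: str, password: str) -> tuple[bool, str]:
    """The pattern seen in the demo: the message says whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return False, "This account does not exist"
    if not hmac.compare_digest(user["hash"], _pbkdf2(password, user["salt"])):
        return False, "Password incorrect"
    return True, "OK"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Unknown user, wrong password and throttled account all get the same answer."""
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Hash and compare unconditionally: constant work, constant-time comparison.
    matches = hmac.compare_digest(expected, _pbkdf2(password, salt))
    throttled = _failed_attempts.get(username, 0) >= MAX_ATTEMPTS
    if user is None or throttled or not matches:
        _failed_attempts[username] = _failed_attempts.get(username, 0) + 1
        return False, GENERIC_FAILURE
    _failed_attempts.pop(username, None)
    return True, "OK"


# Server-side session store: opaque token -> uid. The cookie never carries uid/username.
_SESSIONS: dict[str, int] = {}


def issue_session(username: str) -> str:
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = USERS[username]["uid"]
    return token


def _name_for_uid(uid: int | None) -> str | None:
    return next((n for n, u in USERS.items() if u["uid"] == uid), None)


def current_user_trusting_cookie(cookies: dict[str, str]) -> str | None:
    """The pattern from the demo: identity read from a client-editable 'uid' cookie,
    so editing uid=7 to uid=1 in the browser makes the request the admin's."""
    try:
        return _name_for_uid(int(cookies.get("uid", "")))
    except ValueError:
        return None


def current_user_server_side(cookies: dict[str, str]) -> str | None:
    """Hardened: only the opaque session token is consulted; any uid/username
    cookie the client sends is ignored."""
    return _name_for_uid(_SESSIONS.get(cookies.get("session", "")))


if __name__ == "__main__":
    print(login_enumerable("nouser", "x"), login_enumerable("jim", "wrong"))
    print(login_hardened("nouser", "x"), login_hardened("jim", "wrong"))
    tok = issue_session("jim")
    print(current_user_trusting_cookie({"uid": "1"}),
          current_user_server_side({"session": tok, "uid": "1"}))
```

Two caveats on the hardened side: a per-username failure counter with no expiry lets anyone lock an account by guessing against it, so a real deployment would scope the throttle by time window and source as well, and the throttled case deliberately returns the same generic message, because a distinct "account locked" reply would reintroduce the enumeration the demo exploits.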