Hello and welcome to the Cyber Secure Coding course. My name is Miss Anywhere, and this is the OWASP Top 10 for 2013, A2 Broken Authentication and Session Management demo: username enumeration via a web service.

This is the demo for username enumeration via a SOAP web service. We're going to use Mutillidae, and under the Broken Authentication and Session Management section we have username enumeration. We're going to attempt this through the SOAP web service call.
So just one thing to note before we get started: I am using an add-on to Burp Suite called Wsdler. This is an extension that you can get from the Burp app store, so you can download that and just add it in as a Burp extension. It's going to provide some parsing functionality to us, which makes it much nicer to work with WSDLs.
So going back to the Proxy tab, we have our intercept on. We are going to click the WSDL link in order to capture that in our request. And so what we can do is, we know it's a WSDL because after the GET we actually see WSDL there. Now we're going to go ahead and parse this WSDL using our Burp extender.

And so we can go to the Wsdler tab and we can see all the operations that are in this WSDL. Now, since we're doing username enumeration, we're interested in the get user operation. Now for this particular request, we don't actually have a name for the username, but this is the operation that we're interested in, and we're interested in enumerating as many usernames that are valid in the application as we can get. The purpose, of course, is to then try to brute force the valid accounts.
Now, in order to do this, we probably should go ahead and send this to the Repeater so that we can capture the response and compare the response for an account that doesn't exist with the response for an account that does exist. So what I can do is click Go, and that gives me the response. Now, in this particular response, we can see that the get user response is that this particular user does not exist. Okay, I'm going to send this on to the Comparer, and we're going to take a look at that after we send another request.
So let's go ahead and intercept the request again. So I'm going to turn on the interceptor. This is my WSDL, so I'm going to do that once again, but this time I want to send it to the Repeater, and I actually want to change the username to a valid one. So I'm going to type in Sonny and click the Go button. So this is my response. I'm going to send this response to the Comparer.
Now I have two different responses to compare. I've got the one that was invalid, where the account didn't exist, and then I have a valid one. I can compare these responses word by word by clicking Compare Words, and you can synchronize the views. In this case it's very short, but you can synchronize the views so that if you had to scroll here, they would scroll together. Things that are different: obviously the timestamps are going to be different, and the content length is different. What is of interest to us: this one says that this user does not exist, but in this one I have "Results for Sonny". Okay, I think I can use that to my advantage.

So go back to the Repeater. So here you have your two requests and responses, right? Tab one shows me where the user did not exist and tab two shows me where the user did exist. So what I would like to do is send this to the Intruder to enumerate all of the valid users that are in this application.
When you first come into the Intruder, it's going to set up these replacement variables at various locations where it thinks you may want to substitute values. I don't really want these preset ones here, so I'm going to clear them. But I am going to replace the name of my user, so I'm going to put the variable markers around this one. Okay, and so this becomes my baseline. I'm going to leave the attack type as Sniper because it's just this one variable that I'm replacing with one value.

Now, if I go to my Payloads, I actually have a file that I've created ahead of time that has some usernames in it. So I'm just going to load that payload here. You can see I've got some usernames there. We are going to add a payload processing rule in regards to the case: we're going to modify the case to just be lower case, to make things consistent. Okay, I want to enable that.
And then finally, I want to go to the Options. If you remember, we had that string that we could grep on in the results: "Results for". So let's go ahead and add that so that we can grep for it. Okay, so "Results for". Okay, so the ending is fine; I actually want this for my ending, but for the start I want "Results for", and I'll go ahead and put a space there as well. Okay, so every single time it sends a possible username, it's going to grep to see if the web service actually returns that message that says "Results for". Okay, and so I think we're ready to begin our attack, so we're going to start the attack.
All right, and so what you see here is a column called "Results for"; that's what we said we wanted to grep for. And Sonny is the baseline, so that one really doesn't count. But look at the ones that did match: we've got admin, John, Jeremy, Brice and Jim. So that means that all of these are valid usernames inside of the application, and so this becomes my username enumeration result. Now, it did not match on Soo Happy or Gilmore.

If I were to take a look at the response for any of these, I go to the Response tab and I can actually see additional information, right? So I can see the signature for this particular user. And so this is the first step that would be done in order to determine all the valid accounts for a particular application. The next step would be the brute force attack, where you then take all of these valid accounts and try to guess, in a brute force manner, what the passwords are.
Now, one last note on this from a secure coding perspective. As application developers, we don't necessarily think about the fact that we might be putting too much information in a response. And so this is a case where we had in the response a particular clue that let us know that one account was valid whereas another one was not. And so what we would want to do is return some sort of consistent message whether the account is valid or not, so that an attacker couldn't key off of particular words and grep for those. And so this helped to illustrate how easy it is for this type of attack to be done.
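To make the secure coding point concrete, here is an added example (not code from the course or from Mutillidae) of a minimal get-user responder in its leaky form and in a hardened form that returns the same message whether or not the account exists, plus the review check that reproduces the Comparer/grep step from the demo. The element name getUserResponse, the account table and the usernames are constructed assumptions.

```python
# Added example: a SOAP-style "get user" responder, vulnerable vs. hardened.
# The vulnerable variant leaks account existence through different wording
# and lengths; the hardened variant answers identically either way, so a
# grep for "Results for" no longer distinguishes valid from invalid names.

# Constructed sample account store (assumption, not Mutillidae's data).
ACCOUNTS = {"sonny": "sig-0001", "admin": "sig-0002", "john": "sig-0003"}

# Assumed SOAP envelope shape; the element names are illustrative.
SOAP_TEMPLATE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><getUserResponse><return>{body}</return></getUserResponse>"
    "</soap:Body></soap:Envelope>"
)


def get_user_vulnerable(username: str) -> str:
    """Leaky responder: message and content length differ per account state."""
    key = username.lower()
    if key in ACCOUNTS:
        body = f"Results for {username}: signature {ACCOUNTS[key]}"
    else:
        body = "This user does not exist"
    return SOAP_TEMPLATE.format(body=body)


def get_user_hardened(username: str) -> str:
    """Consistent responder: the reply does not depend on whether the account
    exists. The lookup still runs so that timing is not the new clue."""
    key = username.lower()
    _ = ACCOUNTS.get(key)  # intentionally unused in the reply
    body = "No account details are available for this request"
    return SOAP_TEMPLATE.format(body=body)


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Review check mirroring the demo: compare the reply for a known-valid
    name with the reply for an unknown name and flag any difference in
    text, length, or presence of the "Results for" marker."""
    valid_reply, invalid_reply = handler(known), handler(unknown)
    return (
        valid_reply != invalid_reply
        or len(valid_reply) != len(invalid_reply)
        or "Results for " in valid_reply
    )
```

Running `leaks_existence` against both handlers with one valid and one invalid name shows the vulnerable one flagged and the hardened one clean, which is the check a code reviewer would add for any unauthenticated lookup operation.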