Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013, A2 Broken Authentication and Session Management demo.
This is the demo for brute force attacks and weak password policies.
So, using Mutillidae, our vulnerable web application, we're going to actually try to brute force an administrator account to get into this application.
So what we want to do is try to log in. We're going to use a test user. We're going to turn on our interceptor in Burp Suite and go ahead and capture that request.
Now, we're gonna use Burp Suite to actually perform this brute force attack.
And what we can do is, the moment we've captured the request, we can right click, Send to Intruder, and then you'll notice the Intruder tab turns orange.
So what I'm gonna do is I'm actually going to set up positions in this request to replace the user name and password with preloaded payloads that I've created.
Now the first thing I need to do is get rid of these pre-configured areas where you can replace values. So I'm just gonna click this Clear, and that gets rid of the question marks.
But I am interested in actually testing different values for user names. So I'm gonna add my variables around that, as well as around password.
I'm going to change the attack type to cluster bomb, and I'm going to set up my payloads.
Now, the first payload is gonna be for position one, which is the user name, and payload 2 will be the password.
So let's go ahead and set that up. Now, I've created a very small number of user names in my own file, and so I'm just loading that up.
And then I've done the same for the passwords. So I'm gonna load that.
Okay. And then the options. I'm not really going to add any additional options. I could add some sort of exact match, maybe a success string, if I knew what that was.
For now, we'll just leave that as it is.
So I've got everything set up, and let's go ahead and start the attack. So you start the attack with this Intruder menu at the top and select Start attack.
This is letting me know that the free version of Burp just contains some limited functionality in this area, which is fine.
I'm gonna pause the video while this runs through, and we'll come back and look at the results.
Okay, and so it's completed. Burp has finished. Now what I can do is look at the status here, and if it's anything other than 200 I'll know that something different happened.
So I'm gonna go ahead and click this. Now, what it tells me is that a 302 is actually a Found. And so I was successful in finding two accounts, one of which is an admin account.
So this basically has allowed me to brute force the admin account. So what I can do is go ahead and take these values.
And if I just glance at the response, you can see that even in the response the cookie has been set as admin, and I'm logged in as the user admin, so that's very good.
So what I'm going to do then is go ahead and close this, change this to admin, change the password to adminpass, and if we take a look, we can see that we are now logged in as the administrator.
So just a couple of notes in regards to this lesson.
There was no account lockout.
The password policy, if there is any at all, did not require a certain length of the passwords; it allowed for dictionary words.
And also the passwords were not hashed, so there was no hashing function used. There was obviously no salt as well that was added for that. So a lot of problems, a lot of issues with the password handling for authentication within this application.
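The three weaknesses listed at the end of the lesson (no account lockout, no length or dictionary check in the password policy, and unsalted, unhashed password storage) map directly onto three controls in a login handler. The following is an added example, not code from the course or from Mutillidae, showing what a login path that closes each of those gaps looks like. The policy thresholds, the lockout window, the small common-password list and the user names are all constructed for the example; a real deployment would tune the PBKDF2 iteration count and use a breached-password list instead of the short set shown here.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed policy values for this example (not taken from the demo).
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
PBKDF2_ITERATIONS = 200_000      # raise in production; OWASP currently suggests 600,000 for SHA-256
SALT_BYTES = 16

# Constructed mini dictionary; stands in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "admin", "adminpass", "letmein", "123456", "qwerty"}


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("matches a common/dictionary password")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory user table: per-user salt, digest, failure counter and lockout expiry."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        # Only the salt and digest are stored; the plaintext never is.
        self._users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def authenticate(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is injectable so lockout expiry can be tested."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown user name costs the same time as a wrong password.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "invalid"
        if rec["locked_until"] > now:
            return "locked"
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "invalid"


def demo() -> List[str]:
    """Walk through the controls: policy rejection, lockout after repeated failures, lockout expiry."""
    store = UserStore()
    results = []
    try:
        store.register("admin", "adminpass")           # fails the policy check (short, dictionary word)
    except ValueError as exc:
        results.append(str(exc))
    store.register("admin", "correct horse battery staple!")
    t0 = 1_000_000.0
    for _ in range(MAX_FAILED_ATTEMPTS):
        results.append(store.authenticate("admin", "wrong-guess", now=t0))
    results.append(store.authenticate("admin", "correct horse battery staple!", now=t0))   # still locked
    results.append(store.authenticate("admin", "correct horse battery staple!", now=t0 + LOCKOUT_SECONDS + 1))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The injectable `now` parameter keeps the lockout logic testable without sleeping; in a real application the counter and expiry would live in the user database so that the lock survives across application instances, and the per-request hashing cost (the iteration count) is what turns a wordlist run like the one in the video from seconds into an impractical amount of time.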