00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is the OWASP Top 10 for 2013, A2 Broken Authentication and Session Management demo.
00:20
This demo is a brute force attack.
00:24
This is the demo for brute force attacks and weak password policies.
00:32
So using Mutillidae, our vulnerable web application, we're going to actually try to brute force an administrator account to get into this application.
00:45
So what we want to do is try to log in. We're going to
00:53
a test user. We're going to turn on our interceptor in Burp Suite
01:00
and go ahead and capture that request.
01:03
Now, we're gonna use Burp Suite to actually perform this brute force attack.
01:08
And what we can do is the moment we've captured the request we can right click
01:18
send to Intruder, and then you'll notice the Intruder tab turns orange.
01:26
So what I'm gonna do is I'm actually going to
01:30
set up positions in this request to replace
01:34
the user name and password
01:40
preloaded payloads that I've created.
01:44
Now the first thing I need to do is get rid of these pre-configured areas where you can replace values. So I'm just gonna click this clear,
01:55
and that gets rid of the question marks.
01:57
But I am interested in actually testing different values for user names. So I'm gonna
02:05
add my variables around that
02:08
as well as around password.
02:13
I'm going to change the attack type to a cluster bomb,
02:19
and I'm going to set up my payloads.
02:23
Now, the first payload is gonna be for position one, which is the user name, and payload 2 will be the password.
02:30
So let's go ahead and set that up. Now, I've created
02:37
a very small number of user names in my own file, and so I'm just loading that up.
02:46
And then I've done the same for the passwords. So I'm gonna load that,
02:53
okay. And then the options.
02:58
I'm not really going to add any additional options. I could add some sort of
03:04
exact match of maybe a success string if I knew what that was.
03:14
for now, we'll just leave that as it is.
03:16
So I've got everything set up,
03:20
and, uh, let's go ahead and start the attack. So you start the attack with this intruder menu at the top and select start attack.
03:30
This is letting me know that the free version of burp just contains some limited functionality in this area, which is fine.
03:39
I'm gonna pause the video while this runs through, and we'll come back and look at the results.
03:46
Okay. And so it's completed. Burp has finished. Now what I can do is look at the status here, and if it's anything other than 200, I'll know that something different happened.
04:00
So I'm gonna go ahead and click this. Now, what it tells me is that a 302 is actually a Found. And so I was successful in finding two accounts, one of which is an admin account. So
04:17
this basically has allowed me to
04:20
brute force the admin account. So what I can do is I can go ahead and take these values.
04:30
And if I just glanced at the response,
04:33
um, you can see that even in the response the cookie has been set as admin, and I'm logged in as the user admin, so that's very good.
04:46
Um, so what I'm going to do then is go ahead and close this.
04:55
Change this to admin.
04:58
Change the password to admin pass.
05:05
And if we take a look, we can see that we are now logged in
05:11
as the administrator.
05:14
So just a couple of notes in regards to this lesson.
05:17
There was no account lockout.
05:20
The password policy, which, if there is any at all,
05:26
did not require a certain length of the passwords; it allowed for dictionary words.
05:33
And also the passwords were not hashed,
05:38
so there was no hashing function used. There was obviously no salt as well that was added for that. So, a lot of problems, a lot of issues with the password handling for authentication within this application.