Ctrlk
Edit

Authentication Bypass

HTTP Verb Tampering

Bypass authentication by changing HTTP method.

Check Accepted Methods

curl -i -X OPTIONS http://TARGET/admin/
# Look for: Allow: POST,OPTIONS,HEAD,GET

Bypass Authentication

# If GET/POST require auth, try HEAD
curl -X HEAD http://TARGET/admin/reset.php

# Or try other methods
curl -X PUT http://TARGET/admin/
curl -X PATCH http://TARGET/admin/
curl -X DELETE http://TARGET/admin/

Insecure Server Config Example (Apache)

<!-- Vulnerable: only protects GET -->
<Limit GET POST>
    Require valid-user
</Limit>

<!-- Secure: protects all methods -->
<LimitExcept GET POST>
    Require valid-user
</LimitExcept>

Bypass Security Filters via Verb Change

If WAF/filter only checks POST params:

Burp: Right-click request > Change Request Method

Combining Verb Tampering with Header Injection

Some applications restrict admin pages to internal IPs. Combine a non-standard HTTP method with IP spoofing headers:

Username Enumeration

  • Try a random username that probably does not exist, and then try one that probably exists, is there a different error?

  • We can use the existence of this error message to produce a list of valid usernames already signed up on the system by using the ffuf tool below

  • The ffuf tool uses a list of commonly used usernames to check against for any matches.

  • Capture the request in Burp to find the Content-Type, whether its a GET or POST

  • -w -> selects the file's location

  • -X -> argument specifies the request method

  • -d -> the data that we are going to send

  • FUZZ -> keyword signifies where the contents from our wordlist will be inserted in the request

  • -H -> for adding additional headers to the request

  • -u -> specifies the URL we are making the request to

  • -mr -> is the text on the page we are looking for to validate we've found a valid username

Password Brute force attack

  • Previously we used the FUZZ keyword to select where in the request the data from the wordlists would be inserted, but because we're using multiple wordlists, we have to specify our own FUZZ keyword.

  • W1 -> for our valid list of usernames

  • W2 -> for the list of passwords we are going to try

  • -w -> the multiple word lists are also specified with this flag

  • -fc -> this argument check for an HTTP status code other than a 200

Authentication Bypass Logic Flaw

  • If a specific url is blocked without authentication like /admin, depending on the code you may be able to bypass it.

  • Try:

Finding password reset forms

  • If there is an option always make an account. There could be pages you have access to that you otherwise would not.

  • Also if there is a password reset option on the site you might be able to get their password reset link sent to you.

  • Use curl to figure out how the parameters are passed to the server, in this example the username is a POST field and the email address is a GET field

  • -H -> to add an additional header to the request. In this case we are setting the Content-Type to application/x-www-form-urlencoded

  • Can find this out in burp, or set something ourselves

  • The PHP $_REQUEST variable is an array that contains data received from the query string and POST data. - If the same key name is used for both the query string and POST data, the application logic for this variable favours POST data fields rather than the query string, so if we add another parameter to the POST form

  • We can control where the password reset email gets delivered.

  • Now re-running the curl command we can alter where the reset link is sent

Cookie Tampering

  • Decode the stored cookies and see if you can manipulate them before making curl requests with the new tampered cookies.

  • First, we'll start just by requesting the target page:

  • We can see we are returned a message of: Not Logged In

  • Now we'll send another request with the logged_in cookie set to true and the admin cookie set to false:

  • We are given the message: Logged In As A User

  • Finally, we'll send one last request setting both the logged_in and admin cookie to true:

  • This returns the result: Logged In As An Admin

strcmp() PHP bypass

  • If you are able to get access to some php course code that uses strcmp() for checking usernames and passwords, bypassing it can be trivial

Example of php source code using strcmp()

  • By capturing the authentication in burp you can turn the username and or password field into an array, bypassing the authentication, in this instance we must do it for both the username and password fields.

  • When submitting a normal request, we are informed that 'Wrong Username or Password'

  • However, once we change our parameters into an array value with the fields === 0, we login

  • username[]=0&password[]=0

  • Variant: Sending only the password as an array can be enough: username=admin&password[]=strcmp(array(), "password") returns NULL in PHP; if the code compares that to 0 (e.g. == 0), it evaluates true and bypasses the check.

PreviousSSI & XSLT InjectionNextCmd Injection

Last updated