search
githubEdit

Authentication Bypass

hashtag
HTTP Verb Tampering

Bypass authentication by changing HTTP method.

hashtag
Check Accepted Methods

curl -i -X OPTIONS http://TARGET/admin/
# Look for: Allow: POST,OPTIONS,HEAD,GET

hashtag
Bypass Authentication

# If GET/POST require auth, try HEAD
curl -X HEAD http://TARGET/admin/reset.php

# Or try other methods
curl -X PUT http://TARGET/admin/
curl -X PATCH http://TARGET/admin/
curl -X DELETE http://TARGET/admin/

hashtag
Insecure Server Config Example (Apache)

<!-- Vulnerable: only protects GET -->
<Limit GET POST>
    Require valid-user
</Limit>

<!-- Secure: protects all methods -->
<LimitExcept GET POST>
    Require valid-user
</LimitExcept>

hashtag
Bypass Security Filters via Verb Change

If WAF/filter only checks POST params:

Burp: Right-click request > Change Request Method

hashtag
Username Enumeration

  • Try a random username that probably does not exist, and then try one that probably exists, is there a different error?

  • We can use the existence of this error message to produce a list of valid usernames already signed up on the system by using the ffuf tool below

  • The ffuf tool uses a list of commonly used usernames to check against for any matches.

  • Capture the request in Burp to find the Content-Type, whether its a GET or POST

  • -w -> selects the file's location

  • -X -> argument specifies the request method

  • -d -> the data that we are going to send

  • FUZZ -> keyword signifies where the contents from our wordlist will be inserted in the request

  • -H -> for adding additional headers to the request

  • -u -> specifies the URL we are making the request to

  • -mr -> is the text on the page we are looking for to validate we've found a valid username

hashtag
Password Brute force attack

  • Previously we used the FUZZ keyword to select where in the request the data from the wordlists would be inserted, but because we're using multiple wordlists, we have to specify our own FUZZ keyword.

  • W1 -> for our valid list of usernames

  • W2 -> for the list of passwords we are going to try

  • -w -> the multiple word lists are also specified with this flag

  • -fc -> this argument check for an HTTP status code other than a 200

hashtag
Authentication Bypass Logic Flaw

  • If a specific url is blocked without authentication like /admin, depending on the code you may be able to bypass it.

  • Try:

hashtag
Finding password reset forms

  • If there is an option always make an account. There could be pages you have access to that you otherwise would not.

  • Also if there is a password reset option on the site you might be able to get their password reset link sent to you.

  • Use curl to figure out how the parameters are passed to the server, in this example the username is a POST field and the email address is a GET field

  • -H -> to add an additional header to the request. In this case we are setting the Content-Type to application/x-www-form-urlencoded

  • Can find this out in burp, or set something ourselves

  • The PHP $_REQUEST variable is an array that contains data received from the query string and POST data. - If the same key name is used for both the query string and POST data, the application logic for this variable favours POST data fields rather than the query string, so if we add another parameter to the POST form

  • We can control where the password reset email gets delivered.

  • Now re-running the curl command we can alter where the reset link is sent

hashtag
Cookie Tampering

  • Decode the stored cookies and see if you can manipulate them before making curl requests with the new tampered cookies.

  • First, we'll start just by requesting the target page:

  • We can see we are returned a message of: Not Logged In

  • Now we'll send another request with the logged_in cookie set to true and the admin cookie set to false:

  • We are given the message: Logged In As A User

  • Finally, we'll send one last request setting both the logged_in and admin cookie to true:

  • This returns the result: Logged In As An Admin

hashtag
strcmp() PHP bypass

  • If you are able to get access to some php course code that uses strcmp() for checking usernames and passwords, bypassing it can be trivial

Example of php source code using strcmp()

  • By capturing the authentication in burp you can turn the username and or password field into an array, bypassing the authentication, in this instance we must do it for both the username and password fields.

  • When submitting a normal request, we are informed that 'Wrong Username or Password'

  • However, once we change our parameters into an array value with the fields === 0, we login

  • username[]=0&password[]=0

  • Variant: Sending only the password as an array can be enough: username=admin&password[]=strcmp(array(), "password") returns NULL in PHP; if the code compares that to 0 (e.g. == 0), it evaluates true and bypasses the check.

PreviousSSI & XSLT InjectionNextCmd Injection

Last updated