[AUTHENTICATION]
GENERAL INFORMATION
0. Inspect the code.
1. User enumeration.
2. Sometimes, to move faster, it is better to enumerate/attack each field separately.
3. Check responses: look for differences in status code, length, response time, etc.
4. When the length keeps changing, check for HTML messages; grep/extract something to match on and compare.

BRUTE FORCE
NOTE: Different tools can be used [burpsuite/ffuf, etc.]. Create a wordlist associated with the content, use a predefined one, etc.
- Intruder attack / cluster bomb or sniper
- In burpsuite it is better to use intruder > sniper attacks to move faster instead of intruder > cluster bomb.
- ffuf attack
- A wordlist can be created, or rockyou can be used, or normal wordlists. SecLists
:::: WHEN BROKEN
If there is some kind of block (time-based, IP-based, more): PITCHFORK ATTACK! Remember to set the resource pool to 1 concurrent request to avoid being blocked; sometimes that is also better for the pitchfork attack.

2FA BY-PASS
- First way to by-pass: use the same code. [valid user token]
- Second way: check the headers and URL/path from a valid session and replicate them with the vulnerable user.
SAMPLE: try going directly to > /my-account?id=USER ----> this will be the URL redirection from a valid session.
::::: [BROKEN LOGIC]

SESSION MANAGEMENT
NOTES:
1. It is important to inspect the source code, and also to inspect the requests.
2. Some developers make mistakes that leak data in the URL.
3. ::: COMMON MISTAKES
- IDORs that provide administrative access.
- The application may "improve" security by adding the same values into the cookies.
SAMPLES: http://IP_ADDR/bWAPP/smgmt_admin_portal.php?admin=0 | Cookie: PHPSESSID=VALUE; security_level=1; admin=0

BROKEN LOGIC
::::: [RESET FUNCTION]
1. Inspect all requests/responses using burpsuite.
2. If possible, use and log information about the application with an authenticated session and without one. Compare and check for differences.
3. Attempt the same attack with enumerated users.
SAMPLE: temp-forgot-password-token=TOKEN.8vwfct4qj0i89g&username=USER&new-password-1=PASS1&new-password-2=PASS2
::::: [IP-BASED PROTECTION]
- Some applications have restrictions based on IP / geolocation and more. One way to by-pass, or attempt to by-pass, the IP-based restriction is to use the "X-Forwarded-For" header. For the test any number can be used, or at least it is one attempt.
SAMPLE: X-Forwarded-For:1
NOTE: The X-Forwarded-For header can be used consecutively if needed to avoid restrictions. PITCHFORK ATTACK!
- If there is some time-based protection associated with an IP block, check if there is some way to reset the counter; if so, it will let you brute force different users without being blocked.

TIME DELAY
For this testing it is important to use different users, if possible with an authenticated/valid session and a non-valid session. Comparing responses will be needed. Checking the RESPONSE TIME is essential. Check if the response for an invalid user takes more time than for a valid user, and vice versa; that can help to discover or associate valid authentication credentials.
- Sometimes the process of checking the password takes time; that can indicate the user is valid.
- Check if there is some kind of block or protection based on IP, geolocation, attempts, time, etc. Analyze the form and how it works.
- The usage of X-Forwarded-For can be applied. PITCHFORK ATTACK!
- Analyze the "response received / response completed" burp columns.

ENUMERATION TECHNIQUES
:::: ACCOUNT LOCK --> null payloads technique
Pre-reqs: a blank payload position at the end of the last field.
SAMPLE: user=§user§&pass=test§§
So you have two positions: one for the user, and the null one generated at the end of the second position, "pass". The null technique will repeat the first position. Using the sample as reference, it will repeat the user.
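Added example, not part of these notes: a Python failed-login lockout counter showing why the X-Forwarded-For trick in the IP-BASED PROTECTION and TIME DELAY sections works, with the weak variant (keyed on whatever the header says) beside a hardened variant that honours the header only when the TCP peer is a trusted proxy. The addresses, proxy and threshold are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

LOCK_THRESHOLD = 5  # failed attempts before a source is locked (constructed value)
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # constructed: our own reverse proxy

def forwarded_client_ip(peer_ip, xff_header):
    """Weak: believes X-Forwarded-For no matter which peer sent it."""
    if xff_header:
        return xff_header.split(",")[-1].strip()
    return peer_ip

def trusted_client_ip(peer_ip, xff_header, trusted_proxies):
    """Hardened: the header only counts when our own proxy set it, and only
    the rightmost entry (the one that proxy appended) is used."""
    if xff_header and ipaddress.ip_address(peer_ip) in trusted_proxies:
        candidate = xff_header.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return peer_ip  # malformed value such as "1": fall back to the socket peer
    return peer_ip

def hardened_key(peer_ip, xff_header):
    return trusted_client_ip(peer_ip, xff_header, TRUSTED_PROXIES)

class LockoutTracker:
    """Counts failed logins per source key; key_func decides what a source is."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def record_failure(self, peer_ip, xff_header):
        key = self.key_func(peer_ip, xff_header)
        self.failures[key] += 1
        return self.failures[key]

    def is_locked(self, peer_ip, xff_header):
        return self.failures[self.key_func(peer_ip, xff_header)] >= LOCK_THRESHOLD

def simulate(tracker, attempts):
    """Replay (peer_ip, xff_header) failed logins; True if the last source ends up locked."""
    for peer_ip, xff_header in attempts:
        tracker.record_failure(peer_ip, xff_header)
    return tracker.is_locked(*attempts[-1])

# Constructed: one untrusted client sends six failures, changing X-Forwarded-For each time.
SPOOFED = [("203.0.113.7", str(i)) for i in range(1, 7)]
```

With the weak key the six attempts land on six different counters and nothing locks; with the hardened key they all count against the real peer address, and a client behind the trusted proxy is still tracked by its own address.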
©® - 2023/2024.