Authentication Bypass

Overview

Authentication bypass is generally custom for each web application that possesses the vulnerability. However, there are some common abuse-case patterns.

Discovery Methodology

1. Attempt to discover whether SQL injection is present, as this vulnerability often allows authentication bypass.
2. If possible, acquire a standard user account and an administrator account from the client. Authenticate with both, carefully noting any differences in the session tokens, cookies, and/or hidden fields.
3. If the testing is black box, register for multiple user accounts, carefully noting differences between the accounts after authentication.

Exploitation (SQL Injection)

Login: Use SQL injection to bypass authentication on the login page. See the SQL Injection hints or the SQL injection tutorial for help on SQL injection. This can be done using the name field to authenticate as the first user found in the user table.
Username: ' or 'a' = 'a' --
Password: whatever
To target a particular user, identify the user. (Note: This site is vulnerable to username disclosure.) Complete the "username" portion of the query with the target username, then bypass the password portion of the query by creating a tautology or simply commenting out the password portion.

Bypass password with a tautology:
Username: jeremy
Password: ' or ('a' = 'a' and username='jeremy') or '
Comment out the password portion of the query:
Username: jeremy' --
Password: whatever
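The three credential pairs above all work for the same reason: the login query is built by pasting the submitted fields into the SQL text, so a quote ends the string literal and the rest of the input becomes SQL. The following added example (not Mutillidae's own code; the account table, column names and passwords are constructed for the demonstration) runs each pair against a concatenated query and against the same query with bound parameters, using an in-memory SQLite database so it runs offline.

```python
import sqlite3

# Constructed sample account table; not Mutillidae's real schema or data.
# Passwords are kept in clear text only to keep the demonstration short;
# a real application stores password hashes.
SAMPLE_ACCOUNTS = [
    ("admin", "adminpass", 1),
    ("jeremy", "letmein", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, so a quote in either
    field becomes part of the SQL. Returns the username of the first matching
    row, or None if the login fails."""
    sql = (
        "SELECT username FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement, so quotes, 'or' and '--' are compared as literal text."""
    sql = "SELECT username FROM accounts WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The three credential pairs from the hints above.
PAYLOADS = {
    "first user": ("' or 'a' = 'a' --", "whatever"),
    "tautology": ("jeremy", "' or ('a' = 'a' and username='jeremy') or '"),
    "comment": ("jeremy' --", "whatever"),
}


def run_all():
    """Returns {name: (vulnerable_result, safe_result)} for each payload.
    Expected: the concatenated query logs in as 'admin' (first row) or
    'jeremy'; the parameterized query returns None for all three."""
    conn = make_db()
    return {
        name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
        for name, (u, p) in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_all().items():
        print(f"{name:10s} concatenated -> {vuln!r:10} parameterized -> {safe!r}")
```

The first payload succeeds against the concatenated query because `--` comments out the entire password check and `'a' = 'a'` matches every row, which is why the first account in the table (here `admin`) is returned. The tautology payload depends on `AND` binding tighter than `OR`: the only term that needs to be true is `('a' = 'a' and username='jeremy')`. With bound parameters none of this happens because the database never parses the submitted text as SQL, which is the fix to look for in code review.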
Exploitation (Authentication Token Manipulation)

Alter the values of any authentication and/or authorization tokens found, such as those in cookies. This will work on any page post-authentication. Register for an account to explore how the site uses cookies.

Gaining Access: Using insecure client-side authentication tokens
Page: Any page
Tool: Cookies Manager+ version 1.5.1 (verified with Firefox 4.0.1)
1. Note what cookies the site has by default.
2. Create a test account.
3. Login using the test account.
4. Check what cookies the site has after authentication.
5. Differential analysis: change the value of the original auth cookie.
6. Work backwards until the admin account is found.

Exploitation (CBC bit flipping attack)

Try bit flipping, padding oracle, and CBC bit flipping attacks on authentication and/or authorization tokens.
Page: View User Privileges

Exploitation (Authentication Token Hijack)

Use a cross-site scripting attack to trick a lab partner into visiting the data capture page while authenticated. Use Cookie Manager Plus to create or edit cookies in order to become that user.
Pages: Data Capture, View Captured Data

Exploitation (Browser Fingerprint Spoofing)

On captive portal systems, spoofing an unsupported browser may bypass some controls.
Page: User-Agent Impersonation

Videos

- Brute Force Authentication using Burp-Intruder
- Bypass Authentication using SQL Injection
- Bypass Authentication via Authentication Token Manipulation
- Using Hydra to Brute Force Web Forms Based Authentication
- Analyze Session Token Randomness using Burp-Suite Sequencer
- Using Ettercap and SSLstrip to Capture Credentials
- Introduction to Password Cracking with John the Ripper
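The token manipulation and CBC bit flipping sections above both come down to one design flaw: the server trusts authorization state that the browser holds and can edit. The added example below (not Mutillidae's own code; the cookie layout, key and helper names are constructed for the demonstration) puts a clear-text `uid=...;role=...` cookie next to the same payload protected by an HMAC-SHA256 tag, then shows that a direct value edit and a single flipped payload bit are both rejected once the server verifies the tag under a key the client never sees.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key; a real service loads this from configuration, never from
# client-visible code, and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def make_plaintext_cookie(uid, role):
    """The insecure pattern: authorization state sits in the cookie in the clear,
    so whatever value the browser sends back is accepted as-is."""
    return f"uid={uid};role={role}"


def parse_plaintext_cookie(cookie):
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return fields["uid"], fields["role"]


def make_signed_cookie(uid, role):
    """Same payload with an HMAC-SHA256 tag computed under the server-only key."""
    payload = f"uid={uid};role={role}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def parse_signed_cookie(cookie):
    """Returns (uid, role) only if the tag verifies. Any change to the payload,
    a single flipped bit included, makes the check fail and yields None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return parse_plaintext_cookie(payload.decode())


# Helpers that model what a tampered cookie looks like when it reaches the
# server, so the verification path can be exercised offline.

def edited_signed_cookie(cookie, new_payload):
    """Replace the payload but keep the original tag (a direct value edit)."""
    _, tag_b64 = cookie.split(".", 1)
    return _b64(new_payload.encode()) + "." + tag_b64


def bit_flipped_signed_cookie(cookie, byte_index, bit):
    """Flip one bit of the decoded payload and keep the original tag."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    payload = bytearray(base64.urlsafe_b64decode(payload_b64))
    payload[byte_index] ^= 1 << bit
    return _b64(bytes(payload)) + "." + tag_b64


if __name__ == "__main__":
    plain = make_plaintext_cookie(7, "user")
    print("clear-text edit accepted as:",
          parse_plaintext_cookie(plain.replace("role=user", "role=admin")))
    signed = make_signed_cookie(7, "user")
    print("signed, untouched:", parse_signed_cookie(signed))
    print("signed, value edited:",
          parse_signed_cookie(edited_signed_cookie(signed, "uid=7;role=admin")))
    print("signed, one bit flipped:",
          parse_signed_cookie(bit_flipped_signed_cookie(signed, 0, 0)))
```

A MAC covers the integrity gap but not the hijack case in the section above: a stolen token verifies perfectly. That is why the signed value should still be a short-lived session identifier rather than the role itself, and why the cookie needs the `HttpOnly` and `Secure` attributes so script on the page cannot read it. The constant-time `hmac.compare_digest` matters because a plain `==` on the tag leaks how many leading bytes matched through timing.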