Authentication

What is Authentication?

Authentication is the process of verifying the identity of a user or client, ensuring they are who they claim to be.

Three Authentication Factors

  1. Knowledge Factors:

    • Something you know, such as:

      • A password.

      • The answer to a security question.

  2. Possession Factors:

    • Something you have, such as:

      • A mobile phone.

      • A hardware security token.

  3. Inherence Factors:

    • Something you are or do, such as:

      • Biometric data (e.g., fingerprints, facial recognition).

      • Behavioral patterns.


Authentication vs Authorization

  1. Authentication:

    • Verifies a user's identity.

    • Answers: "Who are you?"

  2. Authorization:

    • Verifies if a user has permission to perform specific actions or access certain resources.

    • Answers: "What are you allowed to do?"


How Do Authentication Vulnerabilities Arise?

  1. Weak Authentication Mechanisms:

    • Insufficient protection against brute-force attacks.

    • Inadequate validation of session tokens or credentials.

  2. Logic Flaws:

    • Poorly designed workflows allow attackers to bypass authentication or force unexpected behavior.

  3. Coding Issues:

    • Implementation mistakes that leave an otherwise sound authentication design exploitable.


Impact of Vulnerable Authentication

  • Account Compromise:

    • An attacker can access all the data and functionality available to the compromised account.

  • Privilege Escalation:

    • Compromising a high-privileged account (e.g., admin) could lead to full control of the application or even access to internal infrastructure.

  • Sensitive Data Exposure:

    • Even low-privileged accounts might provide access to commercially sensitive information or additional attack surfaces.


Vulnerabilities in Password-Based Authentication

1. Brute-Force Attacks

Attackers repeatedly guess usernames and passwords to gain access.

Indicators of Vulnerability

  • Username Enumeration:

    • Different website behaviors reveal whether a username exists.

      • Status Codes: Different HTTP status codes for valid vs. invalid usernames.

      • Error Messages: Distinct error messages for incorrect username vs. incorrect password.

      • Response Times: Responses for valid usernames are slightly slower, because the server only does the expensive work (such as hashing the password) once it has found the account.

  • Flawed Brute-Force Protection:

    • Account lockout policies that can be abused, e.g., deliberately locking legitimate users out of their accounts (a denial of service).

    • Rate limiting based solely on IP addresses, which can be bypassed with headers like X-Forwarded-For.

2. Password Reset Mechanisms

  • Email-Based Password Reset:

    • If the email channel is not secured, attackers can intercept reset emails or manipulate the reset links they contain.

  • Resetting via URL:

    • Attackers might modify hidden fields or parameters in the reset request to target other users' accounts, or brute-force the reset token.


Vulnerabilities in Multi-Factor Authentication (MFA)

1. Bypassing Two-Factor Authentication

  • Improper Flow Handling:

    • Users might effectively be logged in after completing only the first authentication step (e.g., entering a password) without verifying the second step.

    • Test if protected pages can be accessed directly (forced browsing).

  • Flawed Two-Factor Logic:

    • Verify if the second step properly validates the same user from the first step.

      • Example: An attacker changes the account cookie in the second step to impersonate another user.

2. Brute-Forcing OTPs

  • No Rate Limiting:

    • Test if OTPs can be brute-forced without restrictions.

  • Bypassing IP Blocks:

    • Use headers like X-Forwarded-For to evade IP-based rate limits.

    • Alternate between incorrect and correct credentials to bypass timed blocks.
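The two brute-force protection weaknesses listed above (and under "Flawed Brute-Force Protection" in the password section) side by side with a hardened counterpart, as an added example that is not part of the original page. The request shape, `LIMIT`, the trace and the addresses are constructed for the demo; the same counter logic applies to OTP submissions as to password submissions.

```python
from collections import defaultdict

LIMIT = 3  # failed attempts tolerated per key (constructed value)

def make_request(username, xff=None, peer_ip="203.0.113.7"):
    # Constructed request: the TCP peer address plus the optional proxy header.
    headers = {"X-Forwarded-For": xff} if xff else {}
    return {"peer_ip": peer_ip, "headers": headers, "username": username}

class WeakLimiter:
    """Vulnerable: keys the counter on the client-controlled X-Forwarded-For
    header and clears it on any successful login from that key."""
    def __init__(self):
        self.failures = defaultdict(int)
    def _key(self, request):
        return request["headers"].get("X-Forwarded-For", request["peer_ip"])
    def allow(self, request):
        return self.failures[self._key(request)] < LIMIT
    def record(self, request, success):
        key = self._key(request)
        self.failures[key] = 0 if success else self.failures[key] + 1

class HardenedLimiter:
    """Counts failures by the real peer address and by the target account;
    a successful login clears only that account's counter, never the IP's."""
    def __init__(self):
        self.by_ip, self.by_account = defaultdict(int), defaultdict(int)
    def allow(self, request):
        return (self.by_ip[request["peer_ip"]] < LIMIT
                and self.by_account[request["username"]] < LIMIT)
    def record(self, request, success):
        if success:
            self.by_account[request["username"]] = 0
        else:
            self.by_ip[request["peer_ip"]] += 1
            self.by_account[request["username"]] += 1

def simulate(limiter, trace):
    """Replay (request, login_succeeded) pairs; return how many were admitted."""
    admitted = 0
    for request, success in trace:
        if limiter.allow(request):
            admitted += 1
            limiter.record(request, success)
    return admitted

# Constructed trace: one peer address guesses at "victim" six times while rotating
# the header, logs into its own account to reset the block, then guesses again.
TRACE = [(make_request("victim", xff=f"10.0.0.{i}"), False) for i in range(1, 7)]
TRACE += [(make_request("attacker", xff="10.0.0.1"), True),
          (make_request("victim", xff="10.0.0.1"), False)]
```

Replaying `TRACE` admits all eight requests through `WeakLimiter` but only the first three through `HardenedLimiter`; in production the IP counter would also decay with time rather than stay blocked forever.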

3. OTP Reusability

  • Check if:

    • The same OTP can be reused multiple times.

    • OTPs remain valid after their expiration time.

    • OTPs generated for one user work for another user.

4. Tokens or OTPs in Responses

  • Analyze if tokens or OTPs are exposed in API responses, allowing interception or reuse.


Broken Login Logic

Forced Browsing

  • Test if users can skip authentication steps (e.g., OTP pages) and access protected pages directly.

Response Timing

  • If the server only hashes the submitted password once it has found a matching username, responses for valid usernames take measurably longer than responses for invalid ones, so the timing difference itself confirms whether a username exists.
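The enumeration indicators from the password section (distinct status codes, distinct messages, response timing) in one login handler next to a hardened version, as an added example that is not from the original page. The user store, the decoy credential and the PBKDF2 work factor are constructed for the demo; `timing_ratio` measures the timing oracle described above.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 50_000  # PBKDF2 work factor (constructed; raise for production)

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

# Constructed user store: username -> (salt, hash). Only "alice" exists.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash(b"correct horse", _ALICE_SALT))}
# Decoy credential built once at startup so that a request for an unknown
# username performs the same hashing work as one for a real account.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash(os.urandom(32), _DECOY_SALT)

def leaky_login(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: status and message differ by failure cause, and no
    hash is computed for unknown usernames, so those responses are also faster."""
    if username not in USERS:
        return 404, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password.encode(), salt), stored):
        return 401, "Incorrect password"
    return 200, "Logged in"

def hardened_login(username: str, password: str) -> tuple[int, str]:
    """One status and one generic message for every failure; the password is
    hashed on every path (against the decoy when the user does not exist)."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    match = hmac.compare_digest(_hash(password.encode(), salt), stored)
    if username not in USERS or not match:
        return 401, "Invalid username or password"
    return 200, "Logged in"

def timing_ratio(login, trials: int = 5) -> float:
    """Median response time for an unknown username divided by that for a
    known one; a value far below 1.0 is the timing oracle described above."""
    def median_for(user):
        samples = []
        for _ in range(trials):
            start = time.perf_counter()
            login(user, "wrong-password")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return median_for("nobody") / median_for("alice")
```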


Session and Token Validation

1. Session Binding

  • Check if tokens are tied to a specific session or user.

  • Test if one user's token can be used for another user's session.

2. Token Manipulation

  • Attempt to remove tokens entirely to see if authentication is bypassed.

  • Test token reusability by attempting to use the same token multiple times.
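The MFA checks above (second step bound to the first step's user, OTP single use and expiry) together with the session-binding checks in this section, as an added example that is not from the original page. `TwoFactorFlow`, `OTP_TTL` and the injectable clock are constructed for the demo; `weak_otp_step` reproduces the "account cookie" flaw, `otp_step` is the hardened version.

```python
import hmac, secrets, time

OTP_TTL = 120  # seconds an OTP stays valid (constructed value)

class TwoFactorFlow:
    """Server-side state for a two-step login: password step, then OTP step."""
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.sessions = {}    # session_id -> {"pending": user} or {"user": user}
        self.otps = {}        # user -> (code, expires_at)

    def password_step(self, username, password_ok):
        """Password is verified elsewhere; here we only record who is pending 2FA."""
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"pending": username}
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[username] = (code, self.now() + OTP_TTL)
        return sid, code      # code goes out of band (SMS/app), never in the HTTP response

    def weak_otp_step(self, sid, code, account_cookie):
        """Vulnerable: whose OTP to check, and who gets logged in, is taken from a
        client-supplied account cookie rather than from the step-one session."""
        stored = self.otps.get(account_cookie)
        if stored and hmac.compare_digest(stored[0], code):
            self.sessions[sid] = {"user": account_cookie}
            return True
        return False

    def otp_step(self, sid, code, claimed_user=None):
        """Hardened: the user comes from the session created in step one; any
        client-supplied identifier (claimed_user) is deliberately ignored."""
        state = self.sessions.get(sid)
        if not state or "pending" not in state:
            return False
        user = state["pending"]
        stored = self.otps.pop(user, None)   # one guess per code: a miss also burns it
        if stored is None:
            return False
        real_code, expires = stored
        if self.now() > expires or not hmac.compare_digest(real_code, code):
            return False
        self.sessions[sid] = {"user": user}
        return True

    def is_authenticated(self, sid):
        return "user" in self.sessions.get(sid, {})
```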


Best Practices to Mitigate Authentication Vulnerabilities

  1. Secure Password Mechanisms:

    • Enforce strong password policies and store passwords with a secure, purpose-built password hashing algorithm.

  2. Rate Limiting and Lockout Policies:

    • Limit login attempts per IP and user account.

  3. Secure MFA:

    • Validate that all steps in the authentication flow are tied to the same user session.

  4. Generic Error Messages:

    • Use consistent, generic error messages to prevent enumeration.

  5. Secure Tokens:

    • Tie tokens to specific sessions and ensure they are not exposed in API responses.

  6. Implement Role-Based Access Control (RBAC):

    • Limit account access based on the principle of least privilege.
