What is Authentication
Before studying Authentication Vulnerabilities, it is important to understand the basic concept of Authentication. Authentication is the process by which a user proves their identity to a system before being allowed in. Typically, the user enters their username/email and password on a login form, the system verifies those credentials, and on success the user is granted access. Once authenticated, the user is given a session that identifies them as a logged-in user, and they can then access the resources that they are authorized to use.
For example, platforms like Facebook or Twitter ask users to enter their username/email and password to log in. Once the user is authenticated, they can post updates and communicate with others. The common factor in all platforms is Authentication, where users verify their identity before accessing the resources they are authorized to use.
Authentication doesn’t necessarily mean that users only need to enter their email/username and password. There may be an extra layer of security, such as two-factor authentication (2FA), fingerprint authentication, or a hardware security key issued to the user. The type of authentication used depends on the platform.
Now, coming to our main topic, Authentication Vulnerabilities.
What are Authentication Vulnerabilities
Authentication Vulnerabilities are related to the Authentication process and occur when an attacker targets and exploits the Authentication feature. Attackers may attempt to exploit Authentication Vulnerabilities by targeting login forms, signup forms, forgot password/reset password features, etc.
Although Authentication Vulnerabilities may seem small, they can have significant impacts when exploited. If an attacker successfully exploits this kind of vulnerability, they can cause considerable damage to an organization or website. The fact that Authentication Vulnerabilities are ranked second in the OWASP Top 10 list highlights their significance in web application security.
Now that we have defined Authentication and Authentication Vulnerabilities, let’s explore them in more detail and solve some practical labs. By the end of this article, you will have a better understanding of Authentication Vulnerabilities, from the most basic to the most advanced, and you will be able to hunt for any kind of Authentication Vulnerability. So, keep reading!
Table of contents:
1: Username Enumeration via Different Responses
2: 2FA Simple Bypass
3: Password Reset Broken Logic
4: Username Enumeration via Subtly Different Responses
5: Username Enumeration via Response Timing
6: Broken Brute-Force Protection, IP Block
7: Username Enumeration via Account Lock
8: 2FA Broken Logic
9: Offline Password Cracking
10: Password Reset Poisoning via Middleware
11: Password Brute-Force via Password Change
12: Broken Brute-Force Protection, Multiple Credentials per Request
13: 2FA Bypass Using a Brute-Force Attack
Username enumeration via different responses
Username enumeration via different responses is a technique used by attackers to find valid usernames on a system before attempting to gain unauthorized access.
The attacker sends different usernames to the system’s login form and analyzes the response from the server, such as “invalid username” or “username not found,” to determine which usernames are valid.
Once valid usernames are enumerated, the attacker can move on to the next step of the attack, such as a brute-force attack to guess the passwords of those usernames. This technique can be prevented by making the application respond with the same generic error message (and the same response length) whether the username or the password was wrong, and by making the response time independent of whether the username exists, so that timing cannot be used to enumerate usernames either.
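As an added example (not code from the article or the lab), here is a minimal Python login handler in both forms: the vulnerable version returns the distinct “Invalid username” and “Incorrect password” messages the lab shows, while the hardened version returns one generic message and does the same hashing work on both paths, so neither the message, the response length nor the timing reveals whether the username exists. The user store, salts and the `leaks_username_validity` check are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: the lab's credentials "ar" / "11111111", hashed.
_SALT = os.urandom(16)
USERS = {"ar": (_SALT, _hash("11111111", _SALT))}
# Decoy entry verified when the username is unknown, so that path does the
# same amount of work as a real lookup (defeats enumeration via timing).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

def login_vulnerable(username: str, password: str) -> str:
    """Tells the client which part failed, and returns early for unknown users."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """One message for every failure; the unknown-user path still hashes."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"

def leaks_username_validity(login_fn) -> bool:
    """Regression check: True if an unknown user and a known user with a wrong
    password get different responses, i.e. usernames can be enumerated."""
    return login_fn("nosuchuser", "wrong") != login_fn("ar", "wrong")
```

The `leaks_username_validity` check is the kind of test worth keeping in a login endpoint's test suite: it fails for the vulnerable handler and passes for the hardened one.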
We have reached our first lab, which we are going to solve. These labs are provided by the Web Security Academy, which is completely free and allows us to improve our skills by doing practical work.
In the screenshot above, you can clearly see the name of the lab. If you further study this lab, you will find that it provides two lists of candidate usernames and passwords. These lists contain possible combinations of usernames and passwords that an attacker could use to log in to the system.
Once you access the lab, click on the “My Account” button. This will redirect you to the login form. In the login form, enter any random username and password and click on the login button. The purpose of entering a random username and password is to make the application or server produce an error message.
If you have focused on the lab’s name, you would know that we are enumerating usernames here via different responses. This means that we are trying to enumerate the username by analyzing the different responses generated by the application or server.
In the screenshot above, I entered the random username “masaud” and a random password and clicked on the login button. The response says “Invalid username,” which tells us that the submitted username does not exist. This is exactly what username enumeration via different responses relies on: the application or server returns a different message depending on whether the entered username is valid or not.
Now we will intercept this login request in Burp Suite and send it to Intruder, where we will perform a brute-force attack. A brute-force attack is one where we have two large lists, one containing thousands or even millions of usernames and the other containing a large number of passwords. Submitting each username and password manually on the login page is not practical and would take a lot of time, so we use an automation tool instead. With Burp Suite we can automate this: we supply the lists of usernames and passwords, and Intruder submits every candidate automatically. If a username and password match, we will know from the response.
Let’s continue with our lab.
I have submitted wrong credentials in the login form and intercepted the request in Burp Suite. Now, I will send this request to the Intruder, which is a feature of Burp Suite. You can find the Intruder option in the menu at the top. To send the request to Intruder, right-click on the intercepted request and select ‘send to Intruder’.
In the screenshot above, you can see that I have highlighted the username in Intruder. On the right side, you can see an “Add” button, which I clicked after marking the username. I did this because I am attempting to brute-force the username in the first step, and once I find a valid username, I will move on to brute-forcing the password.
In the payload section, I will paste the list of usernames which was already provided to me in the lab, as I had mentioned earlier. Now, I will click on the “Start Attack” button to begin the attack.
In the screenshot above, the request with the username “ar” has a response length that differs from all the others. Let’s try this as a username.
When I tried the username “ar”, it gave me an “Incorrect password” message, which indicates that we have successfully enumerated the username as “ar”. Now we will move on to password brute-forcing to crack the password and gain access to the system.
Now, we have come back to the same request in Intruder, but this time we have added the password in the “Payloads” section. We will paste the list of passwords that we were provided in the lab. After pasting the passwords, we will click on “Start Attack” and the attack will begin.
Now, here is the final result of the attack. When I sorted the results by the Length column (clicking the header two or three times), one request stood out with a status of 302, which shows that the login succeeded. If you analyze the length, you will see that this response is a different length from the others. So, let’s try to log in to the system using this username and password.
So, we have successfully logged into the web application and solved the lab.
Our username was “ar” and the password was “11111111”. You have seen how we can perform a brute-force attack on any application’s login function by enumerating usernames via different responses and gain access to it or compromise it.
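The two phases just walked through (a burst of different usernames, then a burst of passwords against the one that was found) leave a distinctive trace in authentication logs. As an added example that is not part of the article, the following Python detector flags both patterns in a constructed log whose lines have the form “<timestamp> <client ip> <username> FAIL|SUCCESS”; the log lines, thresholds and one-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the lab): one login attempt per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 carlos FAIL
2024-01-01T10:00:01 203.0.113.5 admin FAIL
2024-01-01T10:00:01 203.0.113.5 root FAIL
2024-01-01T10:00:02 203.0.113.5 test FAIL
2024-01-01T10:00:10 203.0.113.5 ar FAIL
2024-01-01T10:00:11 203.0.113.5 ar FAIL
2024-01-01T10:00:11 203.0.113.5 ar FAIL
2024-01-01T10:00:12 203.0.113.5 ar FAIL
2024-01-01T10:00:13 203.0.113.5 ar SUCCESS
2024-01-01T10:05:00 198.51.100.7 wiener FAIL
2024-01-01T10:05:30 198.51.100.7 wiener SUCCESS
"""

WINDOW = timedelta(minutes=1)
USERNAME_THRESHOLD = 4  # distinct usernames failing from one IP inside WINDOW
PASSWORD_THRESHOLD = 4  # failures against one username from one IP inside WINDOW

def parse(log: str):
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def detect(log: str) -> dict:
    """Alerts per client IP: 'enumeration' (many usernames tried), 'bruteforce'
    (many passwords for one username) and 'bruteforce_success' when a SUCCESS
    for that username follows the failures in the same window."""
    alerts = defaultdict(set)
    by_ip = defaultdict(list)
    for ev in parse(log):
        by_ip[ev[1]].append(ev)
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
            failed = [e for e in window if e[3] == "FAIL"]
            if len({e[2] for e in failed}) >= USERNAME_THRESHOLD:
                alerts[ip].add("enumeration")
            for user in {e[2] for e in failed}:
                if sum(e[2] == user for e in failed) >= PASSWORD_THRESHOLD:
                    alerts[ip].add("bruteforce")
                    if any(e[2] == user and e[3] == "SUCCESS" for e in window):
                        alerts[ip].add("bruteforce_success")
    return {ip: sorted(a) for ip, a in alerts.items()}
```

A single mistyped password, like the second client in the sample, produces no alert; the attacker's IP is flagged for all three patterns.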
This is the first part of Authentication Vulnerabilities. We will continue this section further. You can refer to the table of contents that I have created earlier, and go through each sub-topic one by one, and practice them to complete the Authentication Vulnerabilities section. Once we complete the Authentication Vulnerabilities section, we will explore further web vulnerabilities. We will cover all the web vulnerabilities listed in the OWASP Top 10 one by one.
Don’t forget to follow me on Twitter @masaudsec