Day 2 | Broken Authentication | OWASP Top 10 tryhackme walkthrough

CyberWorldSec
993 views - 4 years ago
OWASP Top 10

Learn one of the OWASP vulnerabilities every day for 10 days in a row.

In this video, CyberWorldSec shows you how to solve the TryHackMe OWASP Top 10 CTF.

Capture The Flags, or CTFs, are a kind of computer security competition. Teams of competitors (or just individuals) are pitted against each other in a test of computer security skill.

🆘🆘 NEED HELP? Join the Discord server: discord

FOLLOW ME EVERYWHERE
---------------------------------------------------
Instagram: bug_bunty
Telegram group: https://t.me/ethical_hacker_learn
Discord: discord
Twitter: cyberworlds3c
-------------------------------------------------

Disclaimer :

These materials are for educational and research purposes only.

These videos teach cyber security, and all practical work is carried out in safe-to-test labs provided by TryHackMe.

TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers, incorporating guides and challenges to cater for different learning styles. To know more go to https://tryhackme.com/about

---------------------------------------------

SUBSCRIBE for more videos!
Thanks for watching!
Cheers!
----------------------------------------------

Authentication and session management are core components of modern web applications. Authentication lets users gain access to a web application by verifying their identity. The most common form is a username and password: the user submits these credentials and the server verifies them. If they are correct, the server gives the user's browser a session cookie. A session cookie is needed because HTTP(S) is stateless: each request stands on its own, so attaching a session cookie is what lets the server tie a request back to an authenticated user and keep track of that user's actions.

If an attacker finds a flaw in the authentication mechanism, they can gain access to other users' accounts, and with them whatever sensitive data those accounts hold (depending on the purpose of the application). Some common flaws in authentication mechanisms include:

Brute force attacks: if a web application authenticates with usernames and passwords and does not limit attempts, an attacker can guess them by submitting many authentication requests in succession.
Use of weak credentials: web applications should enforce a strong password policy. If the application lets users choose passwords such as 'password1' or other commonly used passwords, an attacker can guess them in a handful of attempts, without a full brute force.
Weak session cookies: session cookies are how the server keeps track of users. If the cookie value is predictable (for example a sequential number, a timestamp, or an encoding of the username), an attacker can forge a cookie for another user and access that user's account without ever knowing their password.
There are various mitigations for broken authentication, depending on the exact flaw (source: https://tryhackme.com/room/owasptop10):

To avoid password guessing attacks, ensure the application enforces a strong password policy and rejects known-common passwords.
To avoid brute force attacks, ensure the application enforces an automatic lockout (or at least rate limiting) after a certain number of failed attempts, so an attacker cannot keep guessing. Note that a permanent lockout on its own lets an attacker deny service to a victim by deliberately failing logins against their account, so use a time-limited lockout window and combine it with per-source rate limiting.
Implement multi-factor authentication: if logging in requires both a password and a second factor, for example a code received on the user's mobile device, an attacker who obtains the password alone still cannot get into the account.
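As an added example (not the room's or the video's code), here is a minimal Python login service that applies the mitigations above to the flaws listed earlier: passwords are stored as salted PBKDF2 hashes rather than compared in plaintext, an account locks for a window after MAX_FAILURES failed attempts and unlocks automatically when the window passes, and a successful login receives a session identifier drawn from `secrets`, so it cannot be predicted the way a sequential cookie can. The class, the policy constants and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Policy constants: assumed values for this example, not taken from the room.
MAX_FAILURES = 5              # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long the lockout window lasts
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16    # used when the username does not exist


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    """Username/password login with failure lockout and unpredictable session ids."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so a test can advance time
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> (count, time of first failure in the window)
        self.sessions = {}          # session id -> username

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        rec = self.failures.get(username)
        if rec is None:
            return False
        count, first = rec
        if self.clock() - first > LOCKOUT_SECONDS:
            del self.failures[username]    # window expired: the counter resets
            return False
        return count >= MAX_FAILURES

    def _record_failure(self, username: str) -> None:
        count, first = self.failures.get(username, (0, self.clock()))
        self.failures[username] = (count + 1, first)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session id on success, None on a bad credential or while locked out."""
        if self.is_locked(username):
            return None
        record = self.users.get(username)
        # Hash even for unknown usernames so the response time does not reveal
        # whether the account exists (a username-enumeration oracle).
        salt, expected = record if record is not None else (_DUMMY_SALT, b"")
        _, actual = hash_password(password, salt)
        if record is None or not hmac.compare_digest(actual, expected):
            self._record_failure(username)
            return None
        self.failures.pop(username, None)         # a successful login clears the counter
        sid = secrets.token_urlsafe(32)           # 256 random bits: not guessable
        self.sessions[sid] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """Resolve a session cookie value back to its user, as a request handler would."""
        return self.sessions.get(sid)
```

The lockout is keyed on the username and expires on its own; in a real deployment you would also rate-limit by source address so that a single client cannot lock out many accounts, and you would persist the counters somewhere shared between application instances.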

For this example, we'll be looking at a logic flaw within the authentication mechanism.

Often developers forget to sanitise or validate the user-supplied input (username and password) in their application code, which can leave it open to attacks such as SQL injection. Here, however, we focus on a vulnerability that also stems from a developer's mistake but is far easier to exploit: re-registration of an existing user.

Consider an existing user named admin whose account we want to access. We try to re-register that username with a slight modification: " admin", with a leading space. We enter that in the username field, fill in the other required details such as email address and password, and submit. The application registers a new user, but that user has the same rights as the real admin and can see all the content belonging to admin. This typically happens because the registration check compares the raw string " admin" against the stored "admin" and finds no existing account, while elsewhere the application normalises the username (for example by trimming whitespace) before looking data up, so the new account resolves to admin's records. The check a practitioner should make is whether the uniqueness check runs on the same canonical form of the username that the rest of the application uses.

#tryhackme

broken authentication attack,
broken authentication bug bounty,
broken authentication demo,
owasp broken authentication example
Published 4 years ago, on 1399/05/03 (Solar Hijri calendar; 24 July 2020).