Hands-on OWASP Broken Authentication and Session Management tutorial - OWASP Top 10 training series

thehackerish
Hello and welcome to this new episode of the OWASP Top 10 training series. Today, you are going to practice several Broken Authentication and Session Management attack examples.


===========
Read from our Blog: https://thehackerish.com
Follow us on Twitter: thehackerish
Facebook Page: thehackerish
===========

Authentication bypass attack example using forced browsing
==================

In this example, the goal is to access the challenge board on OWASP Juice Shop, which is normally not meant to be public.

Single Page Applications (SPA) typically make Ajax calls from a front-end application. Therefore, all API endpoints must appear somewhere client-side, such as in the JavaScript files.


Exploit Broken Authentication using Weak credentials
========================

Let’s try to log in as the admin user on OWASP Juice Shop. From our previous SQL injection tutorial, we know that the admin’s email is [email protected]. So let’s brute-force his password using a dictionary of the 100 worst passwords.
Because Burp Suite Community Edition only allows throttled brute-forcing, we are going to use OWASP ZAP for this challenge. It is also a great opportunity to learn how to use OWASP ZAP for this use case.


Broken Authentication and Session Management attacks example using a vulnerable password reset link
========================

In this challenge, the goal is to hijack Tom’s password reset link and take over his account on OWASP WebGoat.


Exploit Broken Authentication using a security question
=========================

You might think that security questions are secret, but it’s not quite the case. In fact, with the amount of personal data people share on social media nowadays, security question answers can be found relatively easily. In this challenge, we are going to reset Bjoern’s password and access his account using a security answer he publicly shared.


What is authentication
=====================

In the context of Application Security, Authentication is the process of validating that the identity accessing an asset is the one it claims to be. For example, when you log in to your email account, you provide a username and password. The system then validates these credentials. If they are correct, the system lets you in. Otherwise, your authentication doesn’t succeed.
Notice that the identity can be another computer system as well. For example, when you connect to an HTTPS website, your browser authenticates the website using a Digital Certificate as part of what is called a TLS handshake.

What is session management
=======================

If you had to provide your credentials whenever you click on a page within your email account, that would be really impractical. Thus, upon authentication, the identity is issued a session which typically lasts as long as the identity is connected to the asset. Once the identity logs out, the session is destroyed.

Based on what we explained above on Authentication and Session Management, you can start thinking of scenarios where they can be broken. We will now explore what features support Authentication, and what vulnerabilities can lead to Broken Authentication and Session Management.

If the system doesn’t enforce a strong password policy, there is a high chance that users will choose weak passwords. Besides, if the application doesn’t enforce rate limiting, a malicious user can brute-force credentials in the hope of finding valid ones.
Sometimes, the software ships with default admin credentials, which are publicly available. If they are not changed upon installation, any user can log in to the system as an administrator.

Authentication protects certain features from unauthorized access. Unfortunately, developers sometimes forget to put such features behind the Authentication layer. Therefore, any user can directly access them by performing what’s called forced browsing.

Password reset can be vulnerable in many ways, depending on how the password is reset. The most popular mechanism is a password reset link. In this case, you receive a random reset token which is generated and tied to your email. Unfortunately, the token itself can be weak in many ways: predictable, not bound to the account that requested it, never expiring, or reusable.
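To show what a reset token that avoids those weaknesses looks like, here is an added example in Python; it is not code from the video, Juice Shop or WebGoat, and the `PasswordResetService` class, the 15-minute lifetime and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed policy value for this example


class PasswordResetService:
    """Issues and verifies single-use, expiring password reset tokens.

    Each token is unguessable, bound to the account that requested it,
    expires after RESET_TOKEN_TTL and is invalidated on first use.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        # Only a hash of the token is stored: a leaked table must not yield live links.
        self._pending = {}  # sha256(token) -> (bound_email, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a token for `email` and return it (this is what goes in the mailed link)."""
        # 256 bits from the OS CSPRNG: not a counter, timestamp or user id in disguise.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._now() + RESET_TOKEN_TTL)
        return token

    def redeem(self, email, token):
        """Return True exactly once if `token` is live and belongs to `email`, else False."""
        key = self._digest(token)
        record = self._pending.get(key)
        if record is None:
            return False  # unknown, already used, or never issued
        bound_email, expires_at = record
        if self._now() > expires_at:
            del self._pending[key]  # expired: drop it so it cannot be used later
            return False
        # Bound to the requesting account: a valid token cannot reset someone else's password.
        if not hmac.compare_digest(bound_email.encode(), email.encode()):
            return False
        del self._pending[key]  # single use: replaying the same link must fail
        return True
```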

Two-Factor Authentication, or 2FA for short, increases security by adding another verification step. For example, the application might send you a unique code via SMS. However, the verification response sent from the backend server can be tampered with client-side. If the application’s front-end relies on it to grant access, a malicious user can modify the response and bypass the verification.
Published 5 years ago, on 1398/11/07.