Web App - Authentication Attacks


Attacking Authentication - Brute force

  • Pay attention to authentication restrictions

BurpSuite

  • Login here http://localhost/labs/a0x01.php and use BurpSuite intruder to brute-force the login

    • Load /usr/share/seclists/SecLists-master/Passwords/xato-net-10-million-passwords-1000.txt wordlist into Payload

    • Remember that Intruder attacks in BurpSuite Community Edition are throttled, so a 1000-entry wordlist takes a while

    • Once it hits the correct password the page response differs, so its length differs too; sort the results by length

    • 📌 Found creds: jeremy:letmein

ffuf

  • Much faster than BurpSuite Community Edition

  • Run ffuf with that request and use it as a baseline for the attack


Attacking Authentication - MFA

  • Test the login flow with jessamy:pasta and MFA code

  • Intercept the "Enter MFA" request with BurpSuite and change username2 to jeremy

    • The site is now logged in as jeremy: the MFA step trusts the client-supplied username2 instead of the account that actually passed the password check


Attacking Authentication - Challenge

  • Find a valid account and login as that account

  • ❗ Accounts will lock after 5 failed login attempts - Reset labs at http://localhost/init.php

  • Let's test a long list of usernames, checking only the top 4 passwords for each, so that no account reaches the lockout threshold

  • admin:admin - "Password incorrect", and a lockout attempt is counted

    • So the user admin exists (the response for a non-existent username is different)

  • Adjust the payload depending on the situation or the targets

  • Copy request

  • Note the Content-Length: 3376

  • Filter out the responses for non-existent accounts based on these results, or simply look for a different Size in the ffuf result list

  • 📌 Found creds: admin:letmein
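The defender's view of the two patterns in these notes, as an added example that is not part of the original page: the single-account brute force against jeremy (which would trip the 5-failure lockout) and the low-and-slow spray against many usernames with a few passwords each (which stays under it). The log format, source addresses and thresholds are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format, not from the lab): 10.0.0.5 hammers one
# account (brute force, would trip a 5-failure lockout); 10.0.0.9 sprays a few guesses
# per account across several usernames, staying under the lockout threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:02 src=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:03 src=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:04 src=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:05 src=10.0.0.5 user=jeremy result=FAIL
2024-05-01T10:00:06 src=10.0.0.5 user=jeremy result=OK
2024-05-01T10:05:00 src=10.0.0.9 user=admin result=FAIL
2024-05-01T10:05:01 src=10.0.0.9 user=alice result=FAIL
2024-05-01T10:05:02 src=10.0.0.9 user=bob result=FAIL
2024-05-01T10:05:03 src=10.0.0.9 user=admin result=FAIL
2024-05-01T10:05:04 src=10.0.0.9 user=admin result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Yield (timestamp, src, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def _max_in_window(events, window, distinct):
    """events: time-sorted list of (ts, value). Return the largest number of values
    (or of distinct values) that fall inside any sliding window of the given length."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        vals = [v for _, v in events[start:end + 1]]
        best = max(best, len(set(vals)) if distinct else len(vals))
    return best

def detect(log, window=timedelta(minutes=10), lockout=5, spray_users=3):
    """Return {'brute_force': {(src, user): failures}, 'spray': {src: distinct users}}."""
    per_pair, per_src = defaultdict(list), defaultdict(list)
    for ts, src, user, result in sorted(parse(log)):
        if result == "FAIL":  # only failures feed both counters
            per_pair[(src, user)].append((ts, user))
            per_src[src].append((ts, user))
    brute = {k: n for k, v in per_pair.items() if (n := _max_in_window(v, window, False)) >= lockout}
    spray = {s: n for s, v in per_src.items() if (n := _max_in_window(v, window, True)) >= spray_users}
    return {"brute_force": brute, "spray": spray}
```

Per-account lockout alone never fires for the spraying source, which is why the second counter keys on distinct usernames per source rather than on failures per account.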
